update relay health check

Revert "feat(api/secrets): view secret value permission"

.github/workflows/check-api-for-breaking-changes.yml

@@ -35,7 +35,20 @@ jobs:
           echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
           echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
           echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-          docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api
+
+          echo "Examining built image:"
+          docker image inspect infisical-api | grep -A 5 "Entrypoint"
+          
+          docker run --name infisical-api -d -p 4000:4000 \
+            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
+            -e REDIS_URL=$REDIS_URL \
+            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
+            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
+            --env-file .env \
+            infisical-api
+          
+          echo "Container status right after creation:"
+          docker ps -a | grep infisical-api
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -49,21 +62,33 @@ jobs:
           SECONDS=0
           HEALTHY=0
           while [ $SECONDS -lt 60 ]; do
-            if docker ps | grep infisical-api | grep -q healthy; then
-              echo "Container is healthy."
-              HEALTHY=1
+            # Check if container is running
+            if docker ps | grep infisical-api; then
+              # Try to access the API endpoint
+              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
+                echo "API endpoint is responding. Container seems healthy."
+                HEALTHY=1
+                break
+              fi
+            else
+              echo "Container is not running!"
+              docker ps -a | grep infisical-api
               break
             fi
+            
             echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-
-            docker logs infisical-api
-
-            sleep 2
-            SECONDS=$((SECONDS+2))
+            sleep 5
+            SECONDS=$((SECONDS+5))
           done
-
+          
           if [ $HEALTHY -ne 1 ]; then
             echo "Container did not become healthy in time"
+            echo "Container status:"
+            docker ps -a | grep infisical-api
+            echo "Container logs (if any):"
+            docker logs infisical-api || echo "No logs available"
+            echo "Container inspection:"
+            docker inspect infisical-api | grep -A 5 "State"
             exit 1
           fi
       - name: Install openapi-diff
@@ -71,7 +96,8 @@ jobs:
       - name: Running OpenAPI Spec diff action
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
+        if: always()
         run: |
           docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api
-          docker remove infisical-api
+          docker stop infisical-api || true
+          docker rm infisical-api || true

backend/src/ee/services/license/license-fns.ts

@@ -17,7 +17,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   environmentsUsed: 0,
   identityLimit: null,
   identitiesUsed: 0,
-  dynamicSecret: false,
+  dynamicSecret: true,
   secretVersioning: true,
   pitRecovery: false,
   ipAllowlisting: false,
@@ -52,7 +52,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   enforceMfa: false,
   projectTemplates: false,
   kmip: false,
-  gateway: false
+  gateway: true
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/lib/gateway/index.ts

@@ -2,7 +2,7 @@
 import crypto from "node:crypto";
 import net from "node:net";
 
-import * as quic from "@infisical/quic";
+import quicDefault, * as quicModule from "@infisical/quic";
 
 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -10,6 +10,8 @@ import { logger } from "../logger";
 const DEFAULT_MAX_RETRIES = 3;
 const DEFAULT_RETRY_DELAY = 1000; // 1 second
 
+const quic = quicDefault || quicModule;
+
 const parseSubjectDetails = (data: string) => {
   const values: Record<string, string> = {};
   data.split("\n").forEach((el) => {

backend/src/server/lib/utils.ts

@@ -1,8 +0,0 @@
-export const QUERY_TIMEOUT = 121000; // 2 mins (query timeout) with padding
-
-export const extendTimeout =
-  (timeoutMs: number) =>
-  (request: { raw: { socket: { setTimeout: (ms: number) => void } } }, reply: unknown, done: () => void) => {
-    request.raw.socket.setTimeout(timeoutMs);
-    done();
-  };

backend/src/server/routes/v1/organization-router.ts

@@ -14,7 +14,6 @@ import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
-import { extendTimeout, QUERY_TIMEOUT } from "@app/server/lib/utils";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
 import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
@@ -109,7 +108,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     config: {
       rateLimit: readLimit
     },
-    preHandler: extendTimeout(QUERY_TIMEOUT),
     schema: {
       description: "Get all audit logs for an organization",
       querystring: z.object({

cli/config/example-infisical-relay.yaml

@@ -0,0 +1,8 @@
+public_ip: 127.0.0.1
+auth_secret: example-auth-secret
+realm: infisical.org
+# set port 5349 for tls
+# port: 5349
+# tls_private_key_path: /full-path
+# tls_ca_path:  /full-path
+# tls_cert_path: /full-path

cli/go.mod

@@ -28,8 +28,9 @@ require (
 	github.com/rs/zerolog v1.26.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	golang.org/x/crypto v0.35.0
+	golang.org/x/sys v0.30.0
 	golang.org/x/term v0.29.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -115,7 +116,6 @@ require (
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
@@ -139,3 +139,5 @@ require (
 )
 
 replace github.com/zalando/go-keyring => github.com/Infisical/go-keyring v1.0.2
+
+replace github.com/pion/turn/v4 => github.com/Infisical/turn/v4 v4.0.1

cli/go.sum

@@ -49,6 +49,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Infisical/go-keyring v1.0.2 h1:dWOkI/pB/7RocfSJgGXbXxLDcVYsdslgjEPmVhb+nl8=
 github.com/Infisical/go-keyring v1.0.2/go.mod h1:LWOnn/sw9FxDW/0VY+jHFAfOFEe03xmwBVSfJnBowto=
+github.com/Infisical/turn/v4 v4.0.1 h1:omdelNsnFfzS5cu86W5OBR68by68a8sva4ogR0lQQnw=
+github.com/Infisical/turn/v4 v4.0.1/go.mod h1:pMMKP/ieNAG/fN5cZiN4SDuyKsXtNTr0ccN7IToA1zs=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
 github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -365,8 +367,6 @@ github.com/pion/stun/v3 v3.0.0 h1:4h1gwhWLWuZWOJIJR9s2ferRO+W3zA/b6ijOI6mKzUw=
 github.com/pion/stun/v3 v3.0.0/go.mod h1:HvCN8txt8mwi4FBvS3EmDghW6aQJ24T+y+1TKjB5jyU=
 github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
 github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
-github.com/pion/turn/v4 v4.0.0 h1:qxplo3Rxa9Yg1xXDxxH8xaqcyGUtbHYw4QSCvmFWvhM=
-github.com/pion/turn/v4 v4.0.0/go.mod h1:MuPDkm15nYSklKpN8vWJ9W2M0PlyQZqYt1McGuxG7mA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -425,8 +425,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=

cli/packages/cmd/gateway.go

@@ -137,15 +137,10 @@ var gatewayRelayCmd = &cobra.Command{
 }
 
 func init() {
-	gatewayCmd.SetHelpFunc(func(command *cobra.Command, strings []string) {
-		command.Flags().MarkHidden("domain")
-		command.Parent().HelpFunc()(command, strings)
-	})
 	gatewayCmd.Flags().String("token", "", "Connect with Infisical using machine identity access token")
 
 	gatewayRelayCmd.Flags().String("config", "", "Relay config yaml file path")
 
 	gatewayCmd.AddCommand(gatewayRelayCmd)
-
 	rootCmd.AddCommand(gatewayCmd)
 }

cli/packages/gateway/gateway.go

@@ -176,7 +176,7 @@ func (g *Gateway) Listen(ctx context.Context) error {
 		KeepAlivePeriod: 2 * time.Second,
 	}
 
-	g.registerRelayIsActive(ctx, relayUdpConnection.LocalAddr().String(), errCh)
+	g.registerRelayIsActive(ctx, errCh)
 	quicListener, err := quic.Listen(relayUdpConnection, tlsConfig, quicConfig)
 	if err != nil {
 		return fmt.Errorf("Failed to listen for QUIC: %w", err)
@@ -320,39 +320,49 @@ func (g *Gateway) createPermissionForStaticIps(staticIps string) error {
 	return nil
 }
 
-func (g *Gateway) registerRelayIsActive(ctx context.Context, relayAddress string, errCh chan error) error {
-	ticker := time.NewTicker(10 * time.Second)
+func (g *Gateway) registerRelayIsActive(ctx context.Context, errCh chan error) error {
+	ticker := time.NewTicker(15 * time.Second)
 	maxFailures := 3
 	failures := 0
 
+	log.Info().Msg("Starting relay connection health check")
+
 	go func() {
-		time.Sleep(2 * time.Second)
+		time.Sleep(5 * time.Second)
 		for {
 			select {
 			case <-ctx.Done():
+				log.Info().Msg("Stopping relay connection health check")
 				return
 			case <-ticker.C:
-				// Configure TLS to skip verification
-				tlsConfig := &tls.Config{
-					InsecureSkipVerify: true,
-					NextProtos:         []string{"infisical-gateway"},
-				}
-				quicConfig := &quic.Config{
-					EnableDatagrams: true,
-				}
 				func() {
-					checkCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
-					defer cancel()
-					conn, err := quic.DialAddr(checkCtx, relayAddress, tlsConfig, quicConfig)
-					if err != nil {
+					log.Debug().Msg("Performing relay connection health check")
+
+					if g.client == nil {
 						failures++
-						log.Warn().Err(err).Int("failures", failures).Msg("Relay connection check failed")
+						log.Warn().Int("failures", failures).Msg("TURN client is nil")
+						if failures >= maxFailures {
+							errCh <- fmt.Errorf("relay connection check failed: TURN client is nil")
+						}
+						return
+					}
+
+					// we try to refresh permissions - this is a lightweight operation
+					// that will fail immediately if the UDP connection is broken. good for health check
+					log.Debug().Msg("Refreshing TURN permissions to verify connection")
+					if err := g.createPermissionForStaticIps(g.config.InfisicalStaticIp); err != nil {
+						failures++
+						log.Warn().Err(err).Int("failures", failures).Msg("Failed to refresh TURN permissions")
 						if failures >= maxFailures {
 							errCh <- fmt.Errorf("relay connection check failed: %w", err)
 						}
+						return
 					}
-					if conn != nil {
-						conn.CloseWithError(0, "closed")
+
+					log.Debug().Msg("Successfully refreshed TURN permissions - connection is healthy")
+					if failures > 0 {
+						log.Info().Int("previous_failures", failures).Msg("Relay connection restored")
+						failures = 0
 					}
 				}()
 			}

cli/packages/gateway/relay.go

@@ -1,3 +1,6 @@
+//go:build !windows
+// +build !windows
+
 package gateway
 
 import (

cli/packages/gateway/relay_windows.go

@@ -0,0 +1,37 @@
+//go:build windows
+// +build windows
+
+package gateway
+
+import (
+	"errors"
+)
+
+var (
+	errMissingTlsCert      = errors.New("Missing TLS files")
+	errWindowsNotSupported = errors.New("Relay is not supported on Windows")
+)
+
+type GatewayRelay struct {
+	Config *GatewayRelayConfig
+}
+
+type GatewayRelayConfig struct {
+	PublicIP          string
+	Port              int
+	Realm             string
+	AuthSecret        string
+	RelayMinPort      uint16
+	RelayMaxPort      uint16
+	TlsCertPath       string
+	TlsPrivateKeyPath string
+	TlsCaPath         string
+}
+
+func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
+	return nil, errWindowsNotSupported
+}
+
+func (g *GatewayRelay) Run() error {
+	return errWindowsNotSupported
+}

frontend/src/pages/organization/AuditLogsPage/components/LogsTable.tsx

@@ -106,7 +106,7 @@ export const LogsTable = ({
           className="mb-20 mt-4 px-4 py-3 text-sm"
           isFullWidth
           variant="star"
-          isLoading={isFetchingNextPage || isPending}
+          isLoading={isFetchingNextPage}
           isDisabled={isFetchingNextPage || !hasNextPage}
           onClick={() => fetchNextPage()}
         >

nginx/default.conf

@@ -15,21 +15,6 @@ server {
         proxy_cookie_path / "/; HttpOnly; SameSite=strict";
     }
 
-     location /api/v1/organization/audit-logs {
-        proxy_set_header X-Real-RIP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_set_header Host $http_host;
-        proxy_set_header X-NginX-Proxy true;
-
-        proxy_pass http://backend:4000;
-        proxy_redirect off;
-
-        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
-
-        proxy_read_timeout 121s; # query timeout with padding
-     }
-
     location /api/v3/migrate {
         client_max_body_size 25M;
 

nginx/default.dev.conf

@@ -17,21 +17,6 @@ server {
         proxy_cookie_path / "/; HttpOnly; SameSite=strict";
     }
 
-     location /api/v1/organization/audit-logs {
-        proxy_set_header X-Real-RIP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_set_header Host $http_host;
-        proxy_set_header X-NginX-Proxy true;
-
-        proxy_pass http://backend:4000;
-        proxy_redirect off;
-
-        proxy_cookie_path / "/; HttpOnly; SameSite=strict";
-
-        proxy_read_timeout 121s; # query timeout with padding
-    }
-
 		location /runtime-ui-env.js {
         proxy_set_header X-Real-RIP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;