synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-22 16:44:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

..

50 Commits
daniel/pre ... revert-249

Author SHA1 Message Date
Maidul Islam
4090c894fc Revert "feat(api): better errors and documentation" 2024-09-27 17:25:11 -04:00
Daniel Hougaard
d430293c66 Merge pull request from Infisical/daniel/api-errors 
feat(api): better errors and documentation
 2024-09-27 20:25:10 +04:00
Daniel Hougaard
180d2692cd Re-trigger tests 2024-09-27 20:17:17 +04:00
Daniel Hougaard
433e58655a Update add-errors-to-response-schemas.ts 2024-09-27 20:12:08 +04:00
Daniel Hougaard
5ffb6b7232 fixed tests 2024-09-27 20:02:43 +04:00
Daniel Hougaard
55ca9149d5 Re-trigger tests 2024-09-27 20:02:43 +04:00
Daniel Hougaard
4ea57ca9a0 requested changes 2024-09-27 20:02:43 +04:00
Daniel Hougaard
7ac4b0b79f feat(api-docs): add error responses to API documentation 2024-09-27 20:02:43 +04:00
Daniel Hougaard
2d51ed317f feat(api): improve errors and error handling 2024-09-27 20:02:43 +04:00
Maidul Islam
02c51b05b6 Update login.mdx to remove sentence 2024-09-27 10:33:36 -04:00
Maidul Islam
441b008709 Merge pull request from Infisical/fix/addressed-modal-close-unresponsive 
fix: address modal close unresponsive
 2024-09-27 10:15:27 -04:00
Daniel Hougaard
4d81a0251e Merge pull request from Infisical/misc/approval-policy-tf-resource-prereq-1 
misc: approval policy modifications for TF resource
 2024-09-27 16:42:04 +04:00
Sheen Capadngan
59da513481 fix: address modal close unresponsive 2024-09-27 20:30:28 +08:00
Akhil Mohan
c17047a193 Merge pull request from akhilmhdh/doc/auth-method-fix 
docs: added oidc method in login command method argument and changed order to make auth section first
 2024-09-27 15:45:03 +05:30
=
f50a881273 docs: added oidc method in login command method argument and changed order to make auth section first 2024-09-27 15:32:24 +05:30
Scott Wilson
c011d99b8b Merge pull request from scott-ray-wilson/secrets-overview-fix 
Fix: Secrets Overview Endpoint Filter Secrets for Read Permissive Environments
 2024-09-26 11:32:37 -07:00
Maidul Islam
adc3542750 Merge pull request from akhilmhdh/chore/disable-audit-log-in-cloud 
feat: disabled audit log for cloud due to maintainence mode
 2024-09-26 13:25:04 -04:00
=
82e3241f1b feat: disabled audit log for cloud due to maintainence mode 2024-09-26 22:32:16 +05:30
Sheen
2bca46886a Merge pull request from Infisical/misc/addressed-invalid-redirect-condition-signup-page 
misc: addressed invalid redirect condition in signup invite page
 2024-09-27 00:54:58 +08:00
Scott Wilson
971987c786 fix: display all envs in secrets overview header 2024-09-26 09:32:15 -07:00
Scott Wilson
cd71a13bb7 fix: refactor secrets overview endpoint to filter envs for secrets with read permissions 2024-09-26 09:24:29 -07:00
Maidul Islam
98290fe31b remove audit logs 2024-09-26 12:23:11 -04:00
Akhil Mohan
9f15fb1474 Merge pull request from akhilmhdh/feat/error-dashboard 
fix: resolved permission not defined for custom org role
 2024-09-26 21:36:50 +05:30
=
301a867f8b refactor: remove console 2024-09-26 21:13:31 +05:30
Maidul Islam
658a044e85 Merge pull request from Infisical/maidul-gdfvdfkw 
hide audit log filter in prod
 2024-09-26 11:42:37 -04:00
Maidul Islam
2c1e29445d hide audit log filter in prod 2024-09-26 11:34:30 -04:00
=
3f4c4f7418 fix: resolved permission not defined for custom org role 2024-09-26 20:43:08 +05:30
Maidul Islam
592cc13b1f Merge pull request from akhilmhdh/feat/fix-ui-paginated-secret 
fix: dashboard not showing when root accessn not provided
 2024-09-26 10:01:33 -04:00
Maidul Islam
e70c2f3d10 Merge pull request from akhilmhdh/feat/error-dashboard 
feat: added error feedback on secret items saving for debugging
 2024-09-26 07:35:37 -04:00
=
bac865eab1 feat: added error feedback on secret items saving for debugging 2024-09-26 16:42:31 +05:30
=
3d8fbc0a58 fix: dashboard not showing when root accessn not provided 2024-09-26 15:13:07 +05:30
Maidul Islam
a1f2629366 Merge pull request from Infisical/doc/add-groups-endpoints-to-api-reference 
doc: add groups endpoints to api reference documentation
 2024-09-25 09:50:40 -04:00
Sheen Capadngan
bf8e1f2bfd misc: added missing filter 2024-09-25 21:36:28 +08:00
Sheen Capadngan
f7d10ceeda Merge remote-tracking branch 'origin/main' into misc/approval-policy-tf-resource-prereq-1 2024-09-25 21:15:46 +08:00
Meet Shah
095883a94e Merge pull request from Infisical/meet/fix-group-members-fetch 
check user group membership correctly
 2024-09-25 18:24:14 +05:30
Meet
51638b7c71 fix: check user group membership correctly 2024-09-25 18:02:32 +05:30
Sheen Capadngan
adaddad370 misc: added rate limiting 2024-09-25 18:46:44 +08:00
Sheen Capadngan
cf6ff58f16 misc: access approval prerequisites 2024-09-25 18:38:06 +08:00
Sheen Capadngan
3e3f42a8f7 doc: add groups endpoints to api reference documentation 2024-09-25 15:31:54 +08:00
Sheen Capadngan
974e21d856 fix: addressed bugs 2024-09-25 14:30:22 +08:00
Daniel Hougaard
da86338bfe Merge pull request from Infisical/daniel/fix-better-not-found-error 
fix: throw not found when entity is not found
 2024-09-24 21:08:42 +04:00
Daniel Hougaard
3a9a6767a0 fix: throw not found when entity is not found 2024-09-24 21:01:09 +04:00
Vlad Matsiiako
fe8a1e6ce6 Merge pull request from Infisical/daniel/fix-missing-vars-count 
fix(dashboard): fix imports missing secrets counter
 2024-09-24 09:46:31 -07:00
Maidul Islam
55aa3f7b58 Merge pull request from Infisical/misc/audit-log-page-warning-and-auto-select 
misc: added maintenance notice to audit log page
 2024-09-24 12:41:49 -04:00
Sheen Capadngan
59f3581370 misc: made it specific for cloud 2024-09-25 00:31:13 +08:00
Sheen Capadngan
ccae63936c misc: added maintenance notice to audit log page and handled project auto-select 2024-09-25 00:27:36 +08:00
Sheen Capadngan
6733349af0 misc: updated secret approval policy api to support TF usecase 2024-09-25 00:07:11 +08:00
Daniel Hougaard
50b51f1810 Merge pull request from Infisical/daniel/prefix-secret-folders 
fix(folders-api): prefix paths
 2024-09-24 17:30:47 +04:00
Daniel Hougaard
fc39b3b0dd fix(dashboard): fix imports missing secrets counter 2024-09-24 17:24:38 +04:00
Sheen Capadngan
14c89c9be5 misc: addressed invalid redirect condition in signup invite page 2024-09-22 20:32:55 +08:00
52 changed files with 895 additions and 363 deletions

69
backend/src/ee/routes/v1/access-approval-policy-router.ts

@ -3,6 +3,7 @@ import { z } from "zod";
import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
import { EnforcementLevel } from "@app/lib/types";
import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
import { AuthMode } from "@app/services/auth/auth-type";
@ -11,6 +12,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
server.route({
url: "/",
method: "POST",
config: {
rateLimit: writeLimit
},
schema: {
body: z.object({
projectSlug: z.string().trim(),
@ -18,7 +22,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
secretPath: z.string().trim().default("/"),
environment: z.string(),
approvers: z
.object({ type: z.nativeEnum(ApproverType), id: z.string() })
.discriminatedUnion("type", [
z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
])
.array()
.min(1, { message: "At least one approver should be provided" }),
approvals: z.number().min(1).default(1),
@ -30,7 +37,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
actor: req.permission.type,
@ -49,6 +56,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
server.route({
url: "/",
method: "GET",
config: {
rateLimit: readLimit
},
schema: {
querystring: z.object({
projectSlug: z.string().trim()
@ -115,6 +125,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
server.route({
url: "/:policyId",
method: "PATCH",
config: {
rateLimit: writeLimit
},
schema: {
params: z.object({
policyId: z.string()
@ -127,7 +140,10 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
.optional()
.transform((val) => (val === "" ? "/" : val)),
approvers: z
.object({ type: z.nativeEnum(ApproverType), id: z.string() })
.discriminatedUnion("type", [
z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
])
.array()
.min(1, { message: "At least one approver should be provided" }),
approvals: z.number().min(1).optional(),
@ -139,7 +155,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
policyId: req.params.policyId,
@ -155,6 +171,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
server.route({
url: "/:policyId",
method: "DELETE",
config: {
rateLimit: writeLimit
},
schema: {
params: z.object({
policyId: z.string()
@ -165,7 +184,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
actor: req.permission.type,
@ -177,4 +196,44 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
return { approval };
}
});
server.route({
url: "/:policyId",
method: "GET",
config: {
rateLimit: readLimit
},
schema: {
params: z.object({
policyId: z.string()
}),
response: {
200: z.object({
approval: sapPubSchema.extend({
approvers: z
.object({
type: z.nativeEnum(ApproverType),
id: z.string().nullable().optional(),
name: z.string().nullable().optional()
})
.array()
.nullable()
.optional()
})
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.accessApprovalPolicy.getAccessApprovalPolicyById({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
...req.params
});
return { approval };
}
});
};

2
backend/src/ee/routes/v1/group-router.ts

@ -48,7 +48,7 @@ export const registerGroupRouter = async (server: FastifyZodProvider) => {
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
params: z.object({
id: z.string()
id: z.string().trim().describe(GROUPS.GET_BY_ID.id)
}),
response: {
200: GroupsSchema

54
backend/src/ee/routes/v1/secret-approval-policy-router.ts

@ -28,7 +28,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
.default("/")
.transform((val) => (val ? removeTrailingSlash(val) : val)),
approvers: z
.object({ type: z.nativeEnum(ApproverType), id: z.string() })
.discriminatedUnion("type", [
z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
])
.array()
.min(1, { message: "At least one approver should be provided" }),
approvals: z.number().min(1).default(1),
@ -40,7 +43,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.secretApprovalPolicy.createSecretApprovalPolicy({
actor: req.permission.type,
@ -69,7 +72,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
body: z.object({
name: z.string().optional(),
approvers: z
.object({ type: z.nativeEnum(ApproverType), id: z.string() })
.discriminatedUnion("type", [
z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
z.object({ type: z.literal(ApproverType.User), id: z.string().optional(), name: z.string().optional() })
])
.array()
.min(1, { message: "At least one approver should be provided" }),
approvals: z.number().min(1).default(1),
@ -87,7 +93,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.secretApprovalPolicy.updateSecretApprovalPolicy({
actor: req.permission.type,
@ -117,7 +123,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.secretApprovalPolicy.deleteSecretApprovalPolicy({
actor: req.permission.type,
@ -168,6 +174,44 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
}
});
server.route({
url: "/:sapId",
method: "GET",
config: {
rateLimit: readLimit
},
schema: {
params: z.object({
sapId: z.string()
}),
response: {
200: z.object({
approval: sapPubSchema.extend({
approvers: z
.object({
id: z.string().nullable().optional(),
type: z.nativeEnum(ApproverType),
name: z.string().nullable().optional()
})
.array()
})
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const approval = await server.services.secretApprovalPolicy.getSecretApprovalPolicyById({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
...req.params
});
return { approval };
}
});
server.route({
url: "/board",
method: "GET",

30
backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@ -12,16 +12,29 @@ export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPo
export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);
const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
const accessApprovalPolicyFindQuery = async (
tx: Knex,
filter: TFindFilter<TAccessApprovalPolicies>,
customFilter?: {
policyId?: string;
}
) => {
const result = await tx(TableName.AccessApprovalPolicy)
// eslint-disable-next-line
.where(buildFindFilter(filter))
.where((qb) => {
if (customFilter?.policyId) {
void qb.where(`${TableName.AccessApprovalPolicy}.id`, "=", customFilter.policyId);
}
})
.join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
.leftJoin(
TableName.AccessApprovalPolicyApprover,
`${TableName.AccessApprovalPolicy}.id`,
`${TableName.AccessApprovalPolicyApprover}.policyId`
)
.leftJoin(TableName.Users, `${TableName.AccessApprovalPolicyApprover}.approverUserId`, `${TableName.Users}.id`)
.select(tx.ref("username").withSchema(TableName.Users).as("approverUsername"))
.select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
.select(tx.ref("approverGroupId").withSchema(TableName.AccessApprovalPolicyApprover))
.select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
@ -76,9 +89,15 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
}
};
const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
const find = async (
filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>,
customFilter?: {
policyId?: string;
},
tx?: Knex
) => {
try {
const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
const docs = await accessApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
const formattedDocs = sqlNestRelationships({
data: docs,
@ -97,9 +116,10 @@ export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
{
key: "approverUserId",
label: "approvers" as const,
mapper: ({ approverUserId: id }) => ({
mapper: ({ approverUserId: id, approverUsername }) => ({
id,
type: ApproverType.User
type: ApproverType.User,
name: approverUsername
})
},
{

138
backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@ -2,10 +2,11 @@ import { ForbiddenError } from "@casl/ability";
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
import { BadRequestError } from "@app/lib/errors";
import { BadRequestError, NotFoundError } from "@app/lib/errors";
import { TProjectDALFactory } from "@app/services/project/project-dal";
import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
import { TUserDALFactory } from "@app/services/user/user-dal";
import { TGroupDALFactory } from "../group/group-dal";
import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
@ -15,6 +16,7 @@ import {
ApproverType,
TCreateAccessApprovalPolicy,
TDeleteAccessApprovalPolicy,
TGetAccessApprovalPolicyByIdDTO,
TGetAccessPolicyCountByEnvironmentDTO,
TListAccessApprovalPoliciesDTO,
TUpdateAccessApprovalPolicy
@ -28,6 +30,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
groupDAL: TGroupDALFactory;
userDAL: Pick<TUserDALFactory, "find">;
};
export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
@ -38,7 +41,8 @@ export const accessApprovalPolicyServiceFactory = ({
groupDAL,
permissionService,
projectEnvDAL,
projectDAL
projectDAL,
userDAL
}: TSecretApprovalPolicyServiceFactoryDep) => {
const createAccessApprovalPolicy = async ({
name,
@ -59,12 +63,18 @@ export const accessApprovalPolicyServiceFactory = ({
// If there is a group approver people might be added to the group later to meet the approvers quota
const groupApprovers = approvers
.filter((approver) => approver.type === ApproverType.Group)
.map((approver) => approver.id);
.map((approver) => approver.id) as string[];
const userApprovers = approvers
.filter((approver) => approver.type === ApproverType.User)
.map((approver) => approver.id);
.map((approver) => approver.id)
.filter(Boolean) as string[];
if (!groupApprovers && approvals > userApprovers.length)
const userApproverNames = approvers
.map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
.filter(Boolean) as string[];
if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
const { permission } = await permissionService.getProjectPermission(
@ -81,7 +91,26 @@ export const accessApprovalPolicyServiceFactory = ({
const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
if (!env) throw new BadRequestError({ message: "Environment not found" });
const verifyAllApprovers = userApprovers;
let approverUserIds = userApprovers;
if (userApproverNames.length) {
const approverUsers = await userDAL.find({
$in: {
username: userApproverNames
}
});
const approverNamesFromDb = approverUsers.map((user) => user.username);
const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
if (invalidUsernames.length) {
throw new BadRequestError({
message: `Invalid approver user: ${invalidUsernames.join(", ")}`
});
}
approverUserIds = approverUserIds.concat(approverUsers.map((user) => user.id));
}
const usersPromises: Promise<
{
id: string;
@ -92,11 +121,15 @@ export const accessApprovalPolicyServiceFactory = ({
isPartOfGroup: boolean;
}[]
>[] = [];
const verifyAllApprovers = [...approverUserIds];
for (const groupId of groupApprovers) {
usersPromises.push(groupDAL.findAllGroupMembers({ orgId: actorOrgId, groupId, offset: 0 }));
usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
}
const verifyGroupApprovers = (await Promise.all(usersPromises)).flat().map((user) => user.id);
const verifyGroupApprovers = (await Promise.all(usersPromises))
.flat()
.filter((user) => user.isPartOfGroup)
.map((user) => user.id);
verifyAllApprovers.push(...verifyGroupApprovers);
await verifyApprovers({
@ -120,9 +153,9 @@ export const accessApprovalPolicyServiceFactory = ({
},
tx
);
if (userApprovers) {
if (approverUserIds.length) {
await accessApprovalPolicyApproverDAL.insertMany(
userApprovers.map((userId) => ({
approverUserIds.map((userId) => ({
approverUserId: userId,
policyId: doc.id
})),
@ -182,15 +215,25 @@ export const accessApprovalPolicyServiceFactory = ({
enforcementLevel
}: TUpdateAccessApprovalPolicy) => {
const groupApprovers = approvers
?.filter((approver) => approver.type === ApproverType.Group)
.map((approver) => approver.id);
.filter((approver) => approver.type === ApproverType.Group)
.map((approver) => approver.id) as string[];
const userApprovers = approvers
?.filter((approver) => approver.type === ApproverType.User)
.map((approver) => approver.id);
.filter((approver) => approver.type === ApproverType.User)
.map((approver) => approver.id)
.filter(Boolean) as string[];
const userApproverNames = approvers
.map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
.filter(Boolean) as string[];
const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
const currentAppovals = approvals || accessApprovalPolicy.approvals;
if (groupApprovers?.length === 0 && userApprovers && currentAppovals > userApprovers.length) {
if (
groupApprovers?.length === 0 &&
userApprovers &&
currentAppovals > userApprovers.length + userApproverNames.length
) {
throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
}
@ -219,7 +262,27 @@ export const accessApprovalPolicyServiceFactory = ({
await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
if (userApprovers) {
if (userApprovers.length || userApproverNames.length) {
let userApproverIds = userApprovers;
if (userApproverNames.length) {
const approverUsers = await userDAL.find({
$in: {
username: userApproverNames
}
});
const approverNamesFromDb = approverUsers.map((user) => user.username);
const invalidUsernames = userApproverNames.filter((username) => !approverNamesFromDb.includes(username));
if (invalidUsernames.length) {
throw new BadRequestError({
message: `Invalid approver user: ${invalidUsernames.join(", ")}`
});
}
userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
}
await verifyApprovers({
projectId: accessApprovalPolicy.projectId,
orgId: actorOrgId,
@ -227,10 +290,11 @@ export const accessApprovalPolicyServiceFactory = ({
secretPath: doc.secretPath!,
actorAuthMethod,
permissionService,
userIds: userApprovers
userIds: userApproverIds
});
await accessApprovalPolicyApproverDAL.insertMany(
userApprovers.map((userId) => ({
userApproverIds.map((userId) => ({
approverUserId: userId,
policyId: doc.id
})),
@ -251,9 +315,12 @@ export const accessApprovalPolicyServiceFactory = ({
>[] = [];
for (const groupId of groupApprovers) {
usersPromises.push(groupDAL.findAllGroupMembers({ orgId: actorOrgId, groupId, offset: 0 }));
usersPromises.push(groupDAL.findAllGroupPossibleMembers({ orgId: actorOrgId, groupId, offset: 0 }));
}
const verifyGroupApprovers = (await Promise.all(usersPromises)).flat().map((user) => user.id);
const verifyGroupApprovers = (await Promise.all(usersPromises))
.flat()
.filter((user) => user.isPartOfGroup)
.map((user) => user.id);
await verifyApprovers({
projectId: accessApprovalPolicy.projectId,
@ -338,11 +405,40 @@ export const accessApprovalPolicyServiceFactory = ({
return { count: policies.length };
};
const getAccessApprovalPolicyById = async ({
actorId,
actor,
actorOrgId,
actorAuthMethod,
policyId
}: TGetAccessApprovalPolicyByIdDTO) => {
const [policy] = await accessApprovalPolicyDAL.find({}, { policyId });
if (!policy) {
throw new NotFoundError({
message: "Cannot find access approval policy"
});
}
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
policy.projectId,
actorAuthMethod,
actorOrgId
);
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
return policy;
};
return {
getAccessPolicyCountByEnvSlug,
createAccessApprovalPolicy,
deleteAccessApprovalPolicy,
updateAccessApprovalPolicy,
getAccessApprovalPolicyByProjectSlug
getAccessApprovalPolicyByProjectSlug,
getAccessApprovalPolicyById
};
};

8
backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@ -22,7 +22,7 @@ export type TCreateAccessApprovalPolicy = {
approvals: number;
secretPath: string;
environment: string;
approvers: { type: ApproverType; id: string }[];
approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
projectSlug: string;
name: string;
enforcementLevel: EnforcementLevel;
@ -31,7 +31,7 @@ export type TCreateAccessApprovalPolicy = {
export type TUpdateAccessApprovalPolicy = {
policyId: string;
approvals?: number;
approvers?: { type: ApproverType; id: string }[];
approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
secretPath?: string;
name?: string;
enforcementLevel?: EnforcementLevel;
@ -46,6 +46,10 @@ export type TGetAccessPolicyCountByEnvironmentDTO = {
projectSlug: string;
} & Omit<TProjectPermission, "projectId">;
export type TGetAccessApprovalPolicyByIdDTO = {
policyId: string;
} & Omit<TProjectPermission, "projectId">;
export type TListAccessApprovalPoliciesDTO = {
projectSlug: string;
} & Omit<TProjectPermission, "projectId">;

6
backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@ -58,7 +58,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
TAccessApprovalRequestReviewerDALFactory,
"create" | "find" | "findOne" | "transaction"
>;
groupDAL: Pick<TGroupDALFactory, "findAllGroupMembers">;
groupDAL: Pick<TGroupDALFactory, "findAllGroupPossibleMembers">;
projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
smtpService: Pick<TSmtpService, "sendMail">;
userDAL: Pick<
@ -145,14 +145,14 @@ export const accessApprovalRequestServiceFactory = ({
const groupUsers = (
await Promise.all(
approverGroupIds.map((groupApproverId) =>
groupDAL.findAllGroupMembers({
groupDAL.findAllGroupPossibleMembers({
orgId: actorOrgId,
groupId: groupApproverId
})
)
)
).flat();
approverIds.push(...groupUsers.map((user) => user.id));
approverIds.push(...groupUsers.filter((user) => user.isPartOfGroup).map((user) => user.id));
const approverUsers = await userDAL.find({
$in: {

64
backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@ -313,23 +313,26 @@ export const dynamicSecretServiceFactory = ({
projectId,
path,
environmentSlugs,
search
search,
isInternal
}: TListDynamicSecretsMultiEnvDTO) => {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
if (!isInternal) {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
// verify user has access to each env in request
environmentSlugs.forEach((environmentSlug) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
)
);
// verify user has access to each env in request
environmentSlugs.forEach((environmentSlug) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
)
);
}
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
if (!folders.length) throw new BadRequestError({ message: "Folders not found" });
@ -434,23 +437,26 @@ export const dynamicSecretServiceFactory = ({
path,
environmentSlugs,
projectId,
isInternal,
...params
}: TListDynamicSecretsMultiEnvDTO) => {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
if (!isInternal) {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
// verify user has access to each env in request
environmentSlugs.forEach((environmentSlug) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
)
);
// verify user has access to each env in request
environmentSlugs.forEach((environmentSlug) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment: environmentSlug, secretPath: path })
)
);
}
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
if (!folders.length) throw new BadRequestError({ message: "Folders not found" });

2
backend/src/ee/services/dynamic-secret/dynamic-secret-types.ts

@ -63,7 +63,7 @@ export type TListDynamicSecretsDTO = {
export type TListDynamicSecretsMultiEnvDTO = Omit<
TListDynamicSecretsDTO,
"projectId" | "environmentSlug" | "projectSlug"
> & { projectId: string; environmentSlugs: string[] };
> & { projectId: string; environmentSlugs: string[]; isInternal?: boolean };
export type TGetDynamicSecretsCountDTO = Omit<TListDynamicSecretsDTO, "projectSlug" | "projectId"> & {
projectId: string;

4
backend/src/ee/services/group/group-dal.ts

@ -60,7 +60,7 @@ export const groupDALFactory = (db: TDbClient) => {
};
// special query
const findAllGroupMembers = async ({
const findAllGroupPossibleMembers = async ({
orgId,
groupId,
offset = 0,
@ -125,7 +125,7 @@ export const groupDALFactory = (db: TDbClient) => {
return {
findGroups,
findByOrgId,
findAllGroupMembers,
findAllGroupPossibleMembers,
...groupOrm
};
};

7
backend/src/ee/services/group/group-service.ts

@ -30,7 +30,10 @@ import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
type TGroupServiceFactoryDep = {
userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
groupDAL: Pick<TGroupDALFactory, "create" | "findOne" | "update" | "delete" | "findAllGroupMembers" | "findById">;
groupDAL: Pick<
TGroupDALFactory,
"create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
>;
groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
userGroupMembershipDAL: Pick<
@ -242,7 +245,7 @@ export const groupServiceFactory = ({
message: `Failed to find group with ID ${id}`
});
const users = await groupDAL.findAllGroupMembers({
const users = await groupDAL.findAllGroupPossibleMembers({
orgId: group.orgId,
groupId: group.id,
offset,

1
backend/src/ee/services/permission/permission-dal.ts

@ -50,6 +50,7 @@ export const permissionDALFactory = (db: TDbClient) => {
.select(
selectAllTableCols(TableName.OrgMembership),
db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
db.ref("permissions").withSchema(TableName.OrgRoles),
db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
db.ref("groupId").withSchema("userGroups"),
db.ref("groupOrgId").withSchema("userGroups"),

11
backend/src/ee/services/scim/scim-service.ts

@ -75,7 +75,14 @@ type TScimServiceFactoryDep = {
projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
groupDAL: Pick<
TGroupDALFactory,
"create" | "findOne" | "findAllGroupMembers" | "delete" | "findGroups" | "transaction" | "updateById" | "update"
| "create"
| "findOne"
| "findAllGroupPossibleMembers"
| "delete"
| "findGroups"
| "transaction"
| "updateById"
| "update"
>;
groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
userGroupMembershipDAL: Pick<
@ -775,7 +782,7 @@ export const scimServiceFactory = ({
});
}
const users = await groupDAL.findAllGroupMembers({
const users = await groupDAL.findAllGroupPossibleMembers({
orgId: group.orgId,
groupId: group.id
});

27
backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@ -12,10 +12,21 @@ export type TSecretApprovalPolicyDALFactory = ReturnType<typeof secretApprovalPo
export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
const secretApprovalPolicyOrm = ormify(db, TableName.SecretApprovalPolicy);
const secretApprovalPolicyFindQuery = (tx: Knex, filter: TFindFilter<TSecretApprovalPolicies>) =>
const secretApprovalPolicyFindQuery = (
tx: Knex,
filter: TFindFilter<TSecretApprovalPolicies>,
customFilter?: {
sapId?: string;
}
) =>
tx(TableName.SecretApprovalPolicy)
// eslint-disable-next-line
.where(buildFindFilter(filter))
.where((qb) => {
if (customFilter?.sapId) {
void qb.where(`${TableName.SecretApprovalPolicy}.id`, "=", customFilter.sapId);
}
})
.join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
.leftJoin(
TableName.SecretApprovalPolicyApprover,
@ -37,6 +48,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
tx.ref("id").withSchema("secretApprovalPolicyApproverUser").as("approverUserId"),
tx.ref("email").withSchema("secretApprovalPolicyApproverUser").as("approverEmail"),
tx.ref("firstName").withSchema("secretApprovalPolicyApproverUser").as("approverFirstName"),
tx.ref("username").withSchema("secretApprovalPolicyApproverUser").as("approverUsername"),
tx.ref("lastName").withSchema("secretApprovalPolicyApproverUser").as("approverLastName")
)
.select(
@ -108,9 +120,15 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
}
};
const find = async (filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>, tx?: Knex) => {
const find = async (
filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>,
customFilter?: {
sapId?: string;
},
tx?: Knex
) => {
try {
const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter);
const docs = await secretApprovalPolicyFindQuery(tx || db.replicaNode(), filter, customFilter);
const formatedDoc = sqlNestRelationships({
data: docs,
key: "id",
@ -123,8 +141,9 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
{
key: "approverUserId",
label: "approvers" as const,
mapper: ({ approverUserId: id }) => ({
mapper: ({ approverUserId: id, approverUsername }) => ({
type: ApproverType.User,
name: approverUsername,
id
})
},

105
backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@ -3,10 +3,11 @@ import picomatch from "picomatch";
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
import { BadRequestError } from "@app/lib/errors";
import { BadRequestError, NotFoundError } from "@app/lib/errors";
import { removeTrailingSlash } from "@app/lib/fn";
import { containsGlobPatterns } from "@app/lib/picomatch";
import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
import { TUserDALFactory } from "@app/services/user/user-dal";
import { ApproverType } from "../access-approval-policy/access-approval-policy-types";
import { TLicenseServiceFactory } from "../license/license-service";
@ -16,6 +17,7 @@ import {
TCreateSapDTO,
TDeleteSapDTO,
TGetBoardSapDTO,
TGetSapByIdDTO,
TListSapDTO,
TUpdateSapDTO
} from "./secret-approval-policy-types";
@ -29,6 +31,7 @@ type TSecretApprovalPolicyServiceFactoryDep = {
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
secretApprovalPolicyDAL: TSecretApprovalPolicyDALFactory;
projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
userDAL: Pick<TUserDALFactory, "find">;
secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
licenseService: Pick<TLicenseServiceFactory, "getPlan">;
};
@ -40,6 +43,7 @@ export const secretApprovalPolicyServiceFactory = ({
permissionService,
secretApprovalPolicyApproverDAL,
projectEnvDAL,
userDAL,
licenseService
}: TSecretApprovalPolicyServiceFactoryDep) => {
const createSecretApprovalPolicy = async ({
@ -60,9 +64,14 @@ export const secretApprovalPolicyServiceFactory = ({
.map((approver) => approver.id);
const userApprovers = approvers
?.filter((approver) => approver.type === ApproverType.User)
.map((approver) => approver.id);
.map((approver) => approver.id)
.filter(Boolean) as string[];
if (!groupApprovers && approvals > approvers.length)
const userApproverNames = approvers
.map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
.filter(Boolean) as string[];
if (!groupApprovers.length && approvals > approvers.length)
throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
const { permission } = await permissionService.getProjectPermission(
@ -100,8 +109,31 @@ export const secretApprovalPolicyServiceFactory = ({
tx
);
let userApproverIds = userApprovers;
if (userApproverNames.length) {
const approverUsers = await userDAL.find(
{
$in: {
username: userApproverNames
}
},
{ tx }
);
const approverNamesFromDb = approverUsers.map((user) => user.username);
const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
if (invalidUsernames?.length) {
throw new BadRequestError({
message: `Invalid approver user: ${invalidUsernames.join(", ")}`
});
}
userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
}
await secretApprovalPolicyApproverDAL.insertMany(
userApprovers.map((approverUserId) => ({
userApproverIds.map((approverUserId) => ({
approverUserId,
policyId: doc.id
})),
@ -117,6 +149,7 @@ export const secretApprovalPolicyServiceFactory = ({
);
return doc;
});
return { ...secretApproval, environment: env, projectId };
};
@ -137,7 +170,12 @@ export const secretApprovalPolicyServiceFactory = ({
.map((approver) => approver.id);
const userApprovers = approvers
?.filter((approver) => approver.type === ApproverType.User)
.map((approver) => approver.id);
.map((approver) => approver.id)
.filter(Boolean) as string[];
const userApproverNames = approvers
.map((approver) => (approver.type === ApproverType.User ? approver.name : undefined))
.filter(Boolean) as string[];
const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@ -174,8 +212,31 @@ export const secretApprovalPolicyServiceFactory = ({
await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
if (approvers) {
let userApproverIds = userApprovers;
if (userApproverNames) {
const approverUsers = await userDAL.find(
{
$in: {
username: userApproverNames
}
},
{ tx }
);
const approverNamesFromDb = approverUsers.map((user) => user.username);
const invalidUsernames = userApproverNames?.filter((username) => !approverNamesFromDb.includes(username));
if (invalidUsernames?.length) {
throw new BadRequestError({
message: `Invalid approver user: ${invalidUsernames.join(", ")}`
});
}
userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
}
await secretApprovalPolicyApproverDAL.insertMany(
userApprovers.map((approverUserId) => ({
userApproverIds.map((approverUserId) => ({
approverUserId,
policyId: doc.id
})),
@ -192,6 +253,7 @@ export const secretApprovalPolicyServiceFactory = ({
tx
);
}
return doc;
});
return {
@ -296,12 +358,41 @@ export const secretApprovalPolicyServiceFactory = ({
return getSecretApprovalPolicy(projectId, environment, secretPath);
};
const getSecretApprovalPolicyById = async ({
actorId,
actor,
actorOrgId,
actorAuthMethod,
sapId
}: TGetSapByIdDTO) => {
const [sapPolicy] = await secretApprovalPolicyDAL.find({}, { sapId });
if (!sapPolicy) {
throw new NotFoundError({
message: "Cannot find secret approval policy"
});
}
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
sapPolicy.projectId,
actorAuthMethod,
actorOrgId
);
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
return sapPolicy;
};
return {
createSecretApprovalPolicy,
updateSecretApprovalPolicy,
deleteSecretApprovalPolicy,
getSecretApprovalPolicy,
getSecretApprovalPolicyByProjectId,
getSecretApprovalPolicyOfFolder
getSecretApprovalPolicyOfFolder,
getSecretApprovalPolicyById
};
};

6
backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@ -6,7 +6,7 @@ export type TCreateSapDTO = {
approvals: number;
secretPath?: string | null;
environment: string;
approvers: { type: ApproverType; id: string }[];
approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
projectId: string;
name: string;
enforcementLevel: EnforcementLevel;
@ -16,7 +16,7 @@ export type TUpdateSapDTO = {
secretPolicyId: string;
approvals?: number;
secretPath?: string | null;
approvers: { type: ApproverType; id: string }[];
approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; name?: string })[];
name?: string;
enforcementLevel?: EnforcementLevel;
} & Omit<TProjectPermission, "projectId">;
@ -27,6 +27,8 @@ export type TDeleteSapDTO = {
export type TListSapDTO = TProjectPermission;
export type TGetSapByIdDTO = Omit<TProjectPermission, "projectId"> & { sapId: string };
export type TGetBoardSapDTO = {
projectId: string;
environment: string;

3
backend/src/lib/api-docs/constants.ts

@ -24,6 +24,9 @@ export const GROUPS = {
id: "The id of the group to add the user to.",
username: "The username of the user to add to the group."
},
GET_BY_ID: {
id: "The id of the group to fetch"
},
DELETE_USER: {
id: "The id of the group to remove the user from.",
username: "The username of the user to remove from the group."

6
backend/src/server/routes/index.ts

@ -380,7 +380,8 @@ export const registerRoutes = async (
secretApprovalPolicyApproverDAL: sapApproverDAL,
permissionService,
secretApprovalPolicyDAL,
licenseService
licenseService,
userDAL
});
const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });
@ -927,7 +928,8 @@ export const registerRoutes = async (
permissionService,
projectEnvDAL,
projectMembershipDAL,
projectDAL
projectDAL,
userDAL
});
const accessApprovalRequestService = accessApprovalRequestServiceFactory({

7
backend/src/server/routes/v1/organization-router.ts

@ -11,6 +11,8 @@ import {
} from "@app/db/schemas";
import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
import { getConfig } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors";
import { getLastMidnightDateISO } from "@app/lib/fn";
import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -143,6 +145,11 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const appCfg = getConfig();
if (appCfg.isCloud) {
throw new BadRequestError({ message: "Infisical cloud audit log is in maintenance mode." });
}
const auditLogs = await server.services.auditLog.listAuditLogs({
filter: {
...req.query,

187
backend/src/server/routes/v3/dashboard-router.ts

@ -1,7 +1,9 @@
import { ForbiddenError, subject } from "@casl/ability";
import { z } from "zod";
import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
import { DASHBOARD } from "@app/lib/api-docs";
import { BadRequestError } from "@app/lib/errors";
import { removeTrailingSlash } from "@app/lib/fn";
@ -173,6 +175,29 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
}
}
if (!includeDynamicSecrets && !includeSecrets)
return {
folders,
totalFolderCount,
totalCount: totalFolderCount ?? 0
};
const { permission } = await server.services.permission.getProjectPermission(
req.permission.type,
req.permission.id,
projectId,
req.permission.authMethod,
req.permission.orgId
);
const permissiveEnvs = // filter envs user has access to
environments.filter((environment) =>
permission.can(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment, secretPath })
)
);
if (includeDynamicSecrets) {
// this is the unique count, ie duplicate secrets across envs only count as 1
totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
@ -182,8 +207,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
actorOrgId: req.permission.orgId,
projectId,
search,
environmentSlugs: environments,
path: secretPath
environmentSlugs: permissiveEnvs,
path: secretPath,
isInternal: true
});
if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
@ -196,10 +222,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
search,
orderBy,
orderDirection,
environmentSlugs: environments,
environmentSlugs: permissiveEnvs,
path: secretPath,
limit: remainingLimit,
offset: adjustedOffset
offset: adjustedOffset,
isInternal: true
});
// get the count of unique dynamic secret names to properly adjust remaining limit
@ -218,11 +245,12 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
environments,
environments: permissiveEnvs,
actorAuthMethod: req.permission.authMethod,
projectId,
path: secretPath,
search
search,
isInternal: true
});
if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
@ -230,7 +258,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
environments,
environments: permissiveEnvs,
actorAuthMethod: req.permission.authMethod,
projectId,
path: secretPath,
@ -238,10 +266,11 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
orderDirection,
search,
limit: remainingLimit,
offset: adjustedOffset
offset: adjustedOffset,
isInternal: true
});
for await (const environment of environments) {
for await (const environment of permissiveEnvs) {
const secretCountFromEnv = secrets.filter((secret) => secret.environment === environment).length;
if (secretCountFromEnv) {
@ -498,56 +527,44 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
}
}
if (includeDynamicSecrets) {
totalDynamicSecretCount = await server.services.dynamicSecret.getDynamicSecretCount({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
projectId,
search,
environmentSlug: environment,
path: secretPath
});
if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnv({
try {
if (includeDynamicSecrets) {
totalDynamicSecretCount = await server.services.dynamicSecret.getDynamicSecretCount({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
projectId,
search,
orderBy,
orderDirection,
environmentSlug: environment,
path: secretPath,
limit: remainingLimit,
offset: adjustedOffset
path: secretPath
});
remainingLimit -= dynamicSecrets.length;
adjustedOffset = 0;
} else {
adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
if (remainingLimit > 0 && totalDynamicSecretCount > adjustedOffset) {
dynamicSecrets = await server.services.dynamicSecret.listDynamicSecretsByEnv({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
projectId,
search,
orderBy,
orderDirection,
environmentSlug: environment,
path: secretPath,
limit: remainingLimit,
offset: adjustedOffset
});
remainingLimit -= dynamicSecrets.length;
adjustedOffset = 0;
} else {
adjustedOffset = Math.max(0, adjustedOffset - totalDynamicSecretCount);
}
}
}
if (includeSecrets) {
totalSecretCount = await server.services.secret.getSecretsCount({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
environment,
actorAuthMethod: req.permission.authMethod,
projectId,
path: secretPath,
search,
tagSlugs: tags
});
if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
const secretsRaw = await server.services.secret.getSecretsRaw({
if (includeSecrets) {
totalSecretCount = await server.services.secret.getSecretsCount({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
@ -555,44 +572,62 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
actorAuthMethod: req.permission.authMethod,
projectId,
path: secretPath,
orderBy,
orderDirection,
search,
limit: remainingLimit,
offset: adjustedOffset,
tagSlugs: tags
});
secrets = secretsRaw.secrets;
if (remainingLimit > 0 && totalSecretCount > adjustedOffset) {
const secretsRaw = await server.services.secret.getSecretsRaw({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
environment,
actorAuthMethod: req.permission.authMethod,
projectId,
path: secretPath,
orderBy,
orderDirection,
search,
limit: remainingLimit,
offset: adjustedOffset,
tagSlugs: tags
});
await server.services.auditLog.createAuditLog({
projectId,
...req.auditLogInfo,
event: {
type: EventType.GET_SECRETS,
metadata: {
environment,
secretPath,
numberOfSecrets: secrets.length
}
}
});
secrets = secretsRaw.secrets;
if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
await server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId: projectId,
environment,
secretPath,
channel: getUserAgentType(req.headers["user-agent"]),
...req.auditLogInfo
await server.services.auditLog.createAuditLog({
projectId,
...req.auditLogInfo,
event: {
type: EventType.GET_SECRETS,
metadata: {
environment,
secretPath,
numberOfSecrets: secrets.length
}
}
});
if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
await server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId: projectId,
environment,
secretPath,
channel: getUserAgentType(req.headers["user-agent"]),
...req.auditLogInfo
}
});
}
}
}
} catch (error) {
if (!(error instanceof ForbiddenError)) {
throw error;
}
}
return {

4
backend/src/services/project-membership/project-membership-service.ts

@ -8,7 +8,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
import { getConfig } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors";
import { BadRequestError, NotFoundError } from "@app/lib/errors";
import { groupBy } from "@app/lib/fn";
import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
@ -129,7 +129,7 @@ export const projectMembershipServiceFactory = ({
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
if (!membership) throw new BadRequestError({ message: `Project membership not found for user ${username}` });
if (!membership) throw new NotFoundError({ message: `Project membership not found for user ${username}` });
return membership;
};

67
backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@ -455,31 +455,34 @@ export const secretV2BridgeServiceFactory = ({
const getSecretsCountMultiEnv = async ({
actorId,
path,
projectId,
actor,
actorOrgId,
actorAuthMethod,
environments,
isInternal,
...params
}: Pick<TGetSecretsDTO, "actorId" | "actor" | "path" | "projectId" | "actorOrgId" | "actorAuthMethod" | "search"> & {
environments: string[];
isInternal?: boolean;
}) => {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
if (!isInternal) {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
// verify user has access to all environments
environments.forEach((environment) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
)
);
// verify user has access to all environments
environments.forEach((environment) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
)
);
}
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, path);
if (!folders.length) return 0;
@ -546,28 +549,32 @@ export const secretV2BridgeServiceFactory = ({
actor,
actorOrgId,
actorAuthMethod,
isInternal,
...params
}: Pick<TGetSecretsDTO, "actorId" | "actor" | "path" | "projectId" | "actorOrgId" | "actorAuthMethod" | "search"> & {
environments: string[];
isInternal?: boolean;
}) => {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
if (!isInternal) {
const { permission } = await permissionService.getProjectPermission(
actor,
actorId,
projectId,
actorAuthMethod,
actorOrgId
);
// verify user has access to all environments
environments.forEach((environment) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
)
);
}
let paths: { folderId: string; path: string; environment: string }[] = [];
// verify user has access to all environments
environments.forEach((environment) =>
ForbiddenError.from(permission).throwUnlessCan(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
)
);
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environments, path);
if (!folders.length) {

3
backend/src/services/secret/secret-service.ts

@ -1011,7 +1011,7 @@ export const secretServiceFactory = ({
}: Pick<
TGetSecretsRawDTO,
"projectId" | "path" | "actor" | "actorId" | "actorOrgId" | "actorAuthMethod" | "search"
> & { environments: string[] }) => {
> & { environments: string[]; isInternal?: boolean }) => {
const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
if (!shouldUseSecretV2Bridge)
@ -1045,6 +1045,7 @@ export const secretServiceFactory = ({
...params
}: Omit<TGetSecretsRawDTO, "environment" | "includeImports" | "expandSecretReferences" | "recursive" | "tagSlugs"> & {
environments: string[];
isInternal?: boolean;
}) => {
const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);

4
docs/api-reference/endpoints/groups/add-group-user.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Add Group User"
openapi: "POST /api/v1/groups/{id}/users/{username}"
---

4
docs/api-reference/endpoints/groups/create.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v1/groups"
---

4
docs/api-reference/endpoints/groups/delete.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/groups/{id}"
---

4
docs/api-reference/endpoints/groups/get-by-id.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Get By ID"
openapi: "GET /api/v1/groups/{id}"
---

4
docs/api-reference/endpoints/groups/get.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Get Groups in Organization"
openapi: "GET /api/v1/groups"
---

4
docs/api-reference/endpoints/groups/list-group-users.mdx Normal file

@ -0,0 +1,4 @@
---
title: "List Group Users"
openapi: "GET /api/v1/groups/{id}/users"
---

4
docs/api-reference/endpoints/groups/remove-group-user.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Remove Group User"
openapi: "DELETE /api/v1/groups/{id}/users/{username}"
---

4
docs/api-reference/endpoints/groups/update.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v1/groups/{id}"
---

4
docs/api-reference/endpoints/project-groups/create.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Create Project Membership"
openapi: "POST /api/v2/workspace/{projectId}/groups/{groupId}"
---

4
docs/api-reference/endpoints/project-groups/delete.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Delete Project Membership"
openapi: "DELETE /api/v2/workspace/{projectId}/groups/{groupId}"
---

4
docs/api-reference/endpoints/project-groups/get-by-id.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Get Project Membership"
openapi: "GET /api/v2/workspace/{projectId}/groups/{groupId}"
---

4
docs/api-reference/endpoints/project-groups/list.mdx Normal file

@ -0,0 +1,4 @@
---
title: "List Project Memberships"
openapi: "GET /api/v2/workspace/{projectId}/groups"
---

4
docs/api-reference/endpoints/project-groups/update.mdx Normal file

@ -0,0 +1,4 @@
---
title: "Update Project Membership"
openapi: "PATCH /api/v2/workspace/{projectId}/groups/{groupId}"
---

206
docs/cli/commands/login.mdx

@ -22,107 +22,6 @@ If you have added multiple users, you can switch between the users by using the
</Info>
### Flags
The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.
<AccordionGroup>
<Accordion title="--method">
```bash
infisical login --method=<auth-method> # Optional, will default to 'user'.
```
#### Valid values for the `method` flag are:
- `user`: Login using email and password. (default)
- `universal-auth`: Login using a universal auth client ID and client secret.
- `kubernetes`: Login using a Kubernetes native auth.
- `azure`: Login using an Azure native auth.
- `gcp-id-token`: Login using a GCP ID token native auth.
- `gcp-iam`: Login using a GCP IAM.
- `aws-iam`: Login using an AWS IAM native auth.
</Accordion>
<Accordion title="--client-id">
```bash
infisical login --client-id=<client-id> # Optional, required if --method=universal-auth.
```
#### Description
The client ID of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.
<Tip>
The `client-id` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--client-secret">
```bash
infisical login --client-secret=<client-secret> # Optional, required if --method=universal-auth.
```
#### Description
The client secret of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.
<Tip>
The `client-secret` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` environment variable.
</Tip>
</Accordion>
<Accordion title="--machine-identity-id">
```bash
infisical login --machine-identity-id=<your-machine-identity-id> # Optional, required if --method=kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.
```
#### Description
The ID of the machine identity. This is required if the `--method` flag is set to `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, or `aws-iam`.
<Tip>
The `machine-identity-id` flag can be substituted with the `INFISICAL_MACHINE_IDENTITY_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-token-path">
```bash
infisical login --service-account-token-path=<service-account-token-path> # Optional Will default to '/var/run/secrets/kubernetes.io/serviceaccount/token'.
```
#### Description
The path to the Kubernetes service account token to use for authentication.
This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
<Tip>
The `service-account-token-path` flag can be substituted with the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-key-file-path">
```bash
infisical login --service-account-key-file-path=<gcp-service-account-key-file-path> # Optional, but required if --method=gcp-iam.
```
#### Description
The path to your GCP service account key file. This is required if the `--method` flag is set to `gcp-iam`.
<Tip>
The `service-account-key-path` flag can be substituted with the `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` environment variable.
</Tip>
</Accordion>
</AccordionGroup>
<Accordion title="--oidc-jwt">
```bash
infisical login --oidc-jwt=<oidc-jwt-token>
```
#### Description
The JWT provided by an identity provider for OIDC authentication.
<Tip>
The `oidc-jwt` flag can be substituted with the `INFISICAL_OIDC_AUTH_JWT` environment variable.
</Tip>
</Accordion>
### Authentication Methods
The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.
@ -321,6 +220,109 @@ The Infisical CLI supports multiple authentication methods. Below are the availa
</Accordion>
</AccordionGroup>
### Flags
The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.
<AccordionGroup>
<Accordion title="--method">
```bash
infisical login --method=<auth-method> # Optional, will default to 'user'.
```
#### Valid values for the `method` flag are:
- `user`: Login using email and password. (default)
- `universal-auth`: Login using a universal auth client ID and client secret.
- `kubernetes`: Login using a Kubernetes native auth.
- `azure`: Login using an Azure native auth.
- `gcp-id-token`: Login using a GCP ID token native auth.
- `gcp-iam`: Login using a GCP IAM.
- `aws-iam`: Login using an AWS IAM native auth.
- `oidc-auth`: Login using oidc auth.
</Accordion>
<Accordion title="--client-id">
```bash
infisical login --client-id=<client-id> # Optional, required if --method=universal-auth.
```
#### Description
The client ID of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.
<Tip>
The `client-id` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--client-secret">
```bash
infisical login --client-secret=<client-secret> # Optional, required if --method=universal-auth.
```
#### Description
The client secret of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.
<Tip>
The `client-secret` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` environment variable.
</Tip>
</Accordion>
<Accordion title="--machine-identity-id">
```bash
infisical login --machine-identity-id=<your-machine-identity-id> # Optional, required if --method=kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.
```
#### Description
The ID of the machine identity. This is required if the `--method` flag is set to `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, or `aws-iam`.
<Tip>
The `machine-identity-id` flag can be substituted with the `INFISICAL_MACHINE_IDENTITY_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-token-path">
```bash
infisical login --service-account-token-path=<service-account-token-path> # Optional Will default to '/var/run/secrets/kubernetes.io/serviceaccount/token'.
```
#### Description
The path to the Kubernetes service account token to use for authentication.
This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
<Tip>
The `service-account-token-path` flag can be substituted with the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-key-file-path">
```bash
infisical login --service-account-key-file-path=<gcp-service-account-key-file-path> # Optional, but required if --method=gcp-iam.
```
#### Description
The path to your GCP service account key file. This is required if the `--method` flag is set to `gcp-iam`.
<Tip>
The `service-account-key-path` flag can be substituted with the `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` environment variable.
</Tip>
</Accordion>
</AccordionGroup>
<Accordion title="--oidc-jwt">
```bash
infisical login --oidc-jwt=<oidc-jwt-token>
```
#### Description
The JWT provided by an identity provider for OIDC authentication.
<Tip>
The `oidc-jwt` flag can be substituted with the `INFISICAL_OIDC_AUTH_JWT` environment variable.
</Tip>
</Accordion>
### Machine Identity Authentication Quick Start
In this example we'll be using the `universal-auth` method to login to obtain an Infisical access token, which we will then use to fetch secrets with.
@ -354,5 +356,3 @@ In this example we'll be using the `universal-auth` method to login to obtain an
</Step>
</Steps>
And that's it! Now you're ready to start using the Infisical CLI to interact with your secrets, with the use of Machine Identities.

23
docs/mint.json

@ -546,6 +546,19 @@
"api-reference/endpoints/oidc-auth/revoke"
]
},
{
"group": "Groups",
"pages": [
"api-reference/endpoints/groups/create",
"api-reference/endpoints/groups/update",
"api-reference/endpoints/groups/delete",
"api-reference/endpoints/groups/get",
"api-reference/endpoints/groups/get-by-id",
"api-reference/endpoints/groups/add-group-user",
"api-reference/endpoints/groups/remove-group-user",
"api-reference/endpoints/groups/list-group-users"
]
},
{
"group": "Organizations",
"pages": [
@ -577,6 +590,16 @@
"api-reference/endpoints/project-users/update-membership"
]
},
{
"group": "Project Groups",
"pages": [
"api-reference/endpoints/project-groups/create",
"api-reference/endpoints/project-groups/delete",
"api-reference/endpoints/project-groups/get-by-id",
"api-reference/endpoints/project-groups/list",
"api-reference/endpoints/project-groups/update"
]
},
{
"group": "Project Identities",
"pages": [

3
frontend/src/hooks/api/kms/queries.tsx

@ -10,9 +10,10 @@ export const kmsKeys = {
getActiveProjectKms: (projectId: string) => ["get-active-project-kms", { projectId }]
};
export const useGetExternalKmsList = (orgId: string) => {
export const useGetExternalKmsList = (orgId: string, { enabled }: { enabled?: boolean } = {}) => {
return useQuery({
queryKey: kmsKeys.getExternalKmsList(orgId),
enabled,
queryFn: async () => {
const {
data: { externalKmsList }

23
frontend/src/hooks/api/secretImports/queries.tsx

@ -189,6 +189,22 @@ export const useGetImportedSecretsAllEnvs = ({
}))
});
const getEnvImportedSecretKeyCount = useCallback(
(env: string) => {
const selectedEnvIndex = environments.indexOf(env);
let totalSecrets = 0;
if (selectedEnvIndex !== -1) {
secretImports?.[selectedEnvIndex]?.data?.forEach((secret) => {
totalSecrets += secret.secrets.length;
});
}
return totalSecrets;
},
[(secretImports || []).map((response) => response.data)]
);
const isImportedSecretPresentInEnv = useCallback(
(envSlug: string, secretName: string) => {
const selectedEnvIndex = environments.indexOf(envSlug);
@ -226,7 +242,12 @@ export const useGetImportedSecretsAllEnvs = ({
[(secretImports || []).map((response) => response.data)]
);
return { secretImports, isImportedSecretPresentInEnv, getImportedSecretByKey };
return {
secretImports,
isImportedSecretPresentInEnv,
getImportedSecretByKey,
getEnvImportedSecretKeyCount
};
};
export const useGetImportedFoldersByEnv = ({

6
frontend/src/layouts/AppLayout/AppLayout.tsx

@ -59,6 +59,7 @@ import {
OrgPermissionActions,
OrgPermissionSubjects,
useOrganization,
useOrgPermission,
useSubscription,
useUser,
useWorkspace
@ -153,7 +154,10 @@ export const AppLayout = ({ children }: LayoutProps) => {
const { data: secretApprovalReqCount } = useGetSecretApprovalRequestCount({ workspaceId });
const { data: accessApprovalRequestCount } = useGetAccessRequestsCount({ projectSlug });
const { data: externalKmsList } = useGetExternalKmsList(currentOrg?.id!);
const { permission } = useOrgPermission();
const { data: externalKmsList } = useGetExternalKmsList(currentOrg?.id!, {
enabled: permission.can(OrgPermissionActions.Read, OrgPermissionSubjects.Kms)
});
const pendingRequestsCount = useMemo(() => {
return (secretApprovalReqCount?.open || 0) + (accessApprovalRequestCount?.pendingCount || 0);

6
frontend/src/pages/org/[id]/overview/index.tsx

@ -56,6 +56,7 @@ import {
OrgPermissionActions,
OrgPermissionSubjects,
useOrganization,
useOrgPermission,
useSubscription,
useUser,
useWorkspace
@ -494,6 +495,7 @@ const OrganizationPage = () => {
const { workspaces, isLoading: isWorkspaceLoading } = useWorkspace();
const { currentOrg } = useOrganization();
const { permission } = useOrgPermission();
const routerOrgId = String(router.query.id);
const orgWorkspaces = workspaces?.filter((workspace) => workspace.orgId === routerOrgId) || [];
const { data: projectFavorites, isLoading: isProjectFavoritesLoading } =
@ -531,7 +533,9 @@ const OrganizationPage = () => {
(localStorage.getItem("projectsViewMode") as ProjectsViewMode) || ProjectsViewMode.GRID
);
const { data: externalKmsList } = useGetExternalKmsList(currentOrg?.id!);
const { data: externalKmsList } = useGetExternalKmsList(currentOrg?.id!, {
enabled: permission.can(OrgPermissionActions.Read, OrgPermissionSubjects.Kms)
});
const onCreateProject = async ({ name, addMembers, kmsKeyId }: TAddProjectFormData) => {
// type check

6
frontend/src/pages/signupinvite.tsx

@ -70,12 +70,6 @@ export default function SignupInvite() {
const { mutateAsync: selectOrganization } = useSelectOrganization();
useEffect(() => {
if (!config.allowSignUp) {
router.push("/login");
}
}, [config.allowSignUp]);
// Verifies if the information that the users entered (name, workspace) is there, and if the password matched the criteria.
const signupErrorCheck = async () => {
setIsLoading(true);

9
frontend/src/views/Org/AuditLogsPage/AuditLogsPage.tsx

@ -1,3 +1,4 @@
import { NoticeBanner } from "@app/components/v2";
import { OrgPermissionActions, OrgPermissionSubjects } from "@app/context";
import { withPermission } from "@app/hoc";
@ -10,9 +11,15 @@ export const AuditLogsPage = withPermission(
<div className="w-full max-w-7xl px-6">
<div className="bg-bunker-800 py-6">
<p className="text-3xl font-semibold text-gray-200">Audit Logs</p>
{(window.location.origin.includes("https://app.infisical.com") ||
window.location.origin.includes("https://gamma.infisical.com")) && (
<NoticeBanner title="The audit logs page is in maintenance" className="mt-4">
We are currently working on improving the performance of audit log queries. During this time, querying logs is temporarily disabled. However, audit logs are still being generated as usual, so there is no disruption to log collection.
</NoticeBanner>
)}
<div />
</div>
<LogsSection filterClassName="static p-2" showFilters isOrgAuditLogs />
{!window.location.origin.includes("https://app.infisical.com") && <LogsSection filterClassName="static p-2" showFilters isOrgAuditLogs />}
</div>
</div>
);

22
frontend/src/views/Org/AuditLogsPage/components/LogsFilter.tsx

@ -1,6 +1,6 @@
/* eslint-disable no-nested-ternary */
import { useState } from "react";
import { Control, Controller, UseFormReset, UseFormWatch } from "react-hook-form";
import { useEffect, useState } from "react";
import { Control, Controller, UseFormReset, UseFormSetValue, UseFormWatch } from "react-hook-form";
import {
faCheckCircle,
faChevronDown,
@ -41,6 +41,7 @@ type Props = {
};
className?: string;
isOrgAuditLogs?: boolean;
setValue: UseFormSetValue<AuditLogFilterFormData>;
control: Control<AuditLogFilterFormData>;
reset: UseFormReset<AuditLogFilterFormData>;
watch: UseFormWatch<AuditLogFilterFormData>;
@ -51,6 +52,7 @@ export const LogsFilter = ({
isOrgAuditLogs,
className,
control,
setValue,
reset,
watch
}: Props) => {
@ -60,6 +62,12 @@ export const LogsFilter = ({
const { currentWorkspace, workspaces } = useWorkspace();
const { data, isLoading } = useGetAuditLogActorFilterOpts(currentWorkspace?.id ?? "");
useEffect(() => {
if (workspaces.length) {
setValue("projectId", workspaces[0].id);
}
}, [workspaces]);
const renderActorSelectItem = (actor: Actor) => {
switch (actor.type) {
case ActorType.USER:
@ -243,20 +251,14 @@ export const LogsFilter = ({
className="w-40"
>
<Select
value={value === undefined ? "all" : value}
value={value}
{...field}
onValueChange={(e) => {
if (e === "all") onChange(undefined);
else onChange(e);
}}
onValueChange={(e) => onChange(e)}
className={twMerge(
"w-full border border-mineshaft-500 bg-mineshaft-700 text-mineshaft-100",
value === undefined && "text-mineshaft-400"
)}
>
<SelectItem value="all" key="all">
All projects
</SelectItem>
{workspaces.map((project) => (
<SelectItem value={String(project.id || "")} key={project.id}>
{project.name}

3
frontend/src/views/Org/AuditLogsPage/components/LogsSection.tsx

@ -44,7 +44,7 @@ export const LogsSection = ({
const { popUp, handlePopUpOpen, handlePopUpToggle } = usePopUp(["upgradePlan"] as const);
const { control, reset, watch } = useForm<AuditLogFilterFormData>({
const { control, reset, watch, setValue } = useForm<AuditLogFilterFormData>({
resolver: yupResolver(auditLogFilterFormSchema),
defaultValues: {
projectId: undefined,
@ -79,6 +79,7 @@ export const LogsSection = ({
className={filterClassName}
presets={presets}
control={control}
setValue={setValue}
watch={watch}
reset={reset}
/>

6
frontend/src/views/Project/CertificatesPage/components/CertificatesTab/components/CertificateModal.tsx

@ -514,7 +514,11 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
>
Create
</Button>
<Button colorSchema="secondary" variant="plain">
<Button
colorSchema="secondary"
variant="plain"
onClick={() => handlePopUpToggle("certificate", false)}
>
Cancel
</Button>
</div>

6
frontend/src/views/Project/CertificatesPage/components/PkiAlertsTab/components/PkiAlertModal.tsx

@ -280,7 +280,11 @@ export const PkiAlertModal = ({ popUp, handlePopUpToggle }: Props) => {
>
{alert ? "Update" : "Create"}
</Button>
<Button colorSchema="secondary" variant="plain">
<Button
colorSchema="secondary"
variant="plain"
onClick={() => handlePopUpToggle("pkiAlert", false)}
>
Cancel
</Button>
</div>

6
frontend/src/views/Project/CertificatesPage/components/PkiAlertsTab/components/PkiCollectionModal.tsx

@ -149,7 +149,11 @@ export const PkiCollectionModal = ({ popUp, handlePopUpToggle }: Props) => {
>
{pkiCollection ? "Update" : "Create"}
</Button>
<Button colorSchema="secondary" variant="plain">
<Button
colorSchema="secondary"
variant="plain"
onClick={() => handlePopUpToggle("pkiCollection", false)}
>
Cancel
</Button>
</div>

23
frontend/src/views/SecretMainPage/SecretMainPage.tsx

@ -91,6 +91,19 @@ export const SecretMainPage = () => {
});
const debouncedSearchFilter = useDebounce(filter.searchFilter);
// change filters if permissions change at different paths/env
useEffect(() => {
setFilter((prev) => ({
...prev,
include: {
[RowType.Folder]: true,
[RowType.Import]: canReadSecret,
[RowType.DynamicSecret]: canReadSecret,
[RowType.Secret]: canReadSecret
}
}));
}, [canReadSecret]);
useEffect(() => {
if (
!isWorkspaceLoading &&
@ -254,15 +267,7 @@ export const SecretMainPage = () => {
<NavHeader
pageName={t("dashboard.title")}
currentEnv={environment}
userAvailableEnvs={currentWorkspace?.environments.filter(({ slug }) =>
permission.can(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, {
environment: slug,
secretPath
})
)
)}
userAvailableEnvs={currentWorkspace?.environments}
isFolderMode
secretPath={secretPath}
isProjectRelated

12
frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx

@ -549,7 +549,15 @@ export const SecretItem = memo(
animate={{ x: 0, opacity: 1 }}
exit={{ x: -10, opacity: 0 }}
>
<Tooltip content={errors.key ? errors.key?.message : "Save"}>
<Tooltip
content={
Object.keys(errors || {}).length
? Object.entries(errors)
.map(([key, { message }]) => `Field ${key}: ${message}`)
.join("\n")
: "Save"
}
>
<IconButton
ariaLabel="more"
variant="plain"
@ -568,7 +576,7 @@ export const SecretItem = memo(
symbolName={FontAwesomeSpriteName.Check}
className={twMerge(
"h-4 w-4 text-primary",
errors.key && "text-mineshaft-300"
Boolean(Object.keys(errors || {}).length) && "text-red"
)}
/>
)}

35
frontend/src/views/SecretOverviewPage/SecretOverviewPage.tsx

@ -191,27 +191,18 @@ export const SecretOverviewPage = () => {
const userAvailableEnvs = currentWorkspace?.environments || [];
const readableEnvs = userAvailableEnvs?.filter(({ slug }) =>
permission.can(
ProjectPermissionActions.Read,
subject(ProjectPermissionSub.Secrets, {
environment: slug,
secretPath
})
)
);
const [visibleEnvs, setVisibleEnvs] = useState(readableEnvs);
const [visibleEnvs, setVisibleEnvs] = useState(userAvailableEnvs);
useEffect(() => {
setVisibleEnvs(readableEnvs);
setVisibleEnvs(userAvailableEnvs);
}, [userAvailableEnvs, secretPath]);
const { isImportedSecretPresentInEnv, getImportedSecretByKey } = useGetImportedSecretsAllEnvs({
projectId: workspaceId,
path: secretPath,
environments: userAvailableEnvs.map(({ slug }) => slug)
});
const { isImportedSecretPresentInEnv, getImportedSecretByKey, getEnvImportedSecretKeyCount } =
useGetImportedSecretsAllEnvs({
projectId: workspaceId,
path: secretPath,
environments: userAvailableEnvs.map(({ slug }) => slug)
});
const paginationOffset = (page - 1) * perPage;
@ -529,9 +520,7 @@ export const SecretOverviewPage = () => {
const isTableEmpty = totalCount === 0;
const isTableFiltered =
Boolean(Object.values(filter).filter((enabled) => !enabled).length) ||
visibleEnvs.length !== readableEnvs?.length;
const isTableFiltered = Boolean(Object.values(filter).filter((enabled) => !enabled).length);
if (!isProjectV3)
return (
@ -611,7 +600,7 @@ export const SecretOverviewPage = () => {
</DropdownMenuTrigger>
<DropdownMenuContent align="end">
<DropdownMenuLabel>Choose visible environments</DropdownMenuLabel>
{readableEnvs.map((availableEnv) => {
{userAvailableEnvs.map((availableEnv) => {
const { id: envId, name } = availableEnv;
const isEnvSelected = visibleEnvs.map((env) => env.id).includes(envId);
@ -784,7 +773,9 @@ export const SecretOverviewPage = () => {
</Th>
{visibleEnvs?.map(({ name, slug }, index) => {
const envSecKeyCount = getEnvSecretKeyCount(slug);
const missingKeyCount = secKeys.length - envSecKeyCount;
const importedSecKeyCount = getEnvImportedSecretKeyCount(slug);
const missingKeyCount = secKeys.length - envSecKeyCount - importedSecKeyCount;
return (
<Th
className="min-table-row min-w-[11rem] border-b-0 p-0 text-center"