mirror of
https://github.com/Infisical/infisical.git
synced 2025-07-29 22:37:44 +00:00
Compare commits
113 Commits
daniel/sso
...
daniel/fix
Author | SHA1 | Date | |
---|---|---|---|
|
527a727c1c | ||
|
0139064aaa | ||
|
a3859170fe | ||
|
984ffd2a53 | ||
|
a1c44bd7a2 | ||
|
d7860e2491 | ||
|
db33349f49 | ||
|
e14bb6b901 | ||
|
91d6d5d07b | ||
|
ac7b23da45 | ||
|
1fdc82e494 | ||
|
3daae6f965 | ||
|
833963af0c | ||
|
aa560b8199 | ||
|
a215b99b3c | ||
|
fbd9ecd980 | ||
|
3b839d4826 | ||
|
b52ec37f76 | ||
|
5709afe0d3 | ||
|
566a243520 | ||
|
147c21ab9f | ||
|
f62eb9f8a2 | ||
|
ec60080e27 | ||
|
9fdc56bd6c | ||
|
bb59bb1868 | ||
|
139f880be1 | ||
|
f6002d81b3 | ||
|
af240bd58c | ||
|
414de3c4d0 | ||
|
1a7b810bad | ||
|
0379ba4eb1 | ||
|
c2ce1aa5aa | ||
|
c8e155f0ca | ||
|
5ced43574d | ||
|
19ff045d2e | ||
|
4784f47a72 | ||
|
28a27daf29 | ||
|
83f0a500bd | ||
|
325d277021 | ||
|
9ca71f663a | ||
|
e5c7aba745 | ||
|
cada75bd0c | ||
|
a37689eeca | ||
|
38c9242e5b | ||
|
8dafa75aa2 | ||
|
aea61bae38 | ||
|
37a10d1435 | ||
|
a64c2173e7 | ||
|
ec0603a464 | ||
|
bf8d60fcdc | ||
|
b47846a780 | ||
|
ea403b0393 | ||
|
9ab89fdef6 | ||
|
dea22ab844 | ||
|
8bdf294a34 | ||
|
0b2c967e63 | ||
|
c89876aa10 | ||
|
76b3aab4c0 | ||
|
944319b9b6 | ||
|
ac6f79815a | ||
|
6734bf245f | ||
|
b32584ce73 | ||
|
3e41b359c5 | ||
|
2352bca03e | ||
|
9f3236b47d | ||
|
01c5f516f8 | ||
|
74067751a6 | ||
|
fa7318eeb1 | ||
|
fb9c580e53 | ||
|
1bfdbb7314 | ||
|
6b3279cbe5 | ||
|
48ac6b4aff | ||
|
b0c1c9ce26 | ||
|
d82d22a198 | ||
|
c66510f473 | ||
|
09cdd5ec91 | ||
|
e028b4e26d | ||
|
b8f7ffbf53 | ||
|
0d97fc27c7 | ||
|
098c1d840b | ||
|
cce2a54265 | ||
|
d1033cb324 | ||
|
7134e1dc66 | ||
|
8aa26b77ed | ||
|
4b06880320 | ||
|
124cd9f812 | ||
|
d531d069d1 | ||
|
522a5d477d | ||
|
d2f0db669a | ||
|
4dd78d745b | ||
|
4fef5c305d | ||
|
e5bbc46b0f | ||
|
30f3543850 | ||
|
114915f913 | ||
|
b5801af9a8 | ||
|
20366a8c07 | ||
|
60a4c72a5d | ||
|
447e28511c | ||
|
650ed656e3 | ||
|
54ac450b63 | ||
|
3871fa552c | ||
|
9c72ee7f10 | ||
|
22e8617661 | ||
|
2f29a513cc | ||
|
cb6c28ac26 | ||
|
978a3e5828 | ||
|
3723afe595 | ||
|
14d6f6c048 | ||
|
d79a6b8f25 | ||
|
217a09c97b | ||
|
a389ede03d | ||
|
10939fecc0 | ||
|
9af5a66bab |
@@ -83,7 +83,7 @@ jobs:
|
|||||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
|
|
||||||
goreleaser:
|
goreleaser:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest-8-cores
|
||||||
needs: [cli-integration-tests]
|
needs: [cli-integration-tests]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
|
@@ -110,7 +110,8 @@ export const initAuditLogDbConnection = ({
|
|||||||
},
|
},
|
||||||
migrations: {
|
migrations: {
|
||||||
tableName: "infisical_migrations"
|
tableName: "infisical_migrations"
|
||||||
}
|
},
|
||||||
|
pool: { min: 0, max: 10 }
|
||||||
});
|
});
|
||||||
|
|
||||||
// we add these overrides so that auditLogDb and the primary DB are interchangeable
|
// we add these overrides so that auditLogDb and the primary DB are interchangeable
|
||||||
|
@@ -0,0 +1,41 @@
|
|||||||
|
import { Knex } from "knex";
|
||||||
|
|
||||||
|
import { ProjectType, TableName } from "../schemas";
|
||||||
|
|
||||||
|
export async function up(knex: Knex): Promise<void> {
|
||||||
|
const hasTypeColumn = await knex.schema.hasColumn(TableName.Project, "type");
|
||||||
|
const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
|
||||||
|
if (hasTypeColumn && !hasDefaultTypeColumn) {
|
||||||
|
await knex.schema.alterTable(TableName.Project, (t) => {
|
||||||
|
t.string("type").nullable().alter();
|
||||||
|
t.string("defaultProduct").notNullable().defaultTo(ProjectType.SecretManager);
|
||||||
|
});
|
||||||
|
|
||||||
|
await knex(TableName.Project).update({
|
||||||
|
// eslint-disable-next-line
|
||||||
|
// @ts-ignore this is because this field is created later
|
||||||
|
defaultProduct: knex.raw(`
|
||||||
|
CASE
|
||||||
|
WHEN "type" IS NULL OR "type" = '' THEN 'secret-manager'
|
||||||
|
ELSE "type"
|
||||||
|
END
|
||||||
|
`)
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
const hasTemplateTypeColumn = await knex.schema.hasColumn(TableName.ProjectTemplates, "type");
|
||||||
|
if (hasTemplateTypeColumn) {
|
||||||
|
await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
|
||||||
|
t.string("type").nullable().alter();
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function down(knex: Knex): Promise<void> {
|
||||||
|
const hasDefaultTypeColumn = await knex.schema.hasColumn(TableName.Project, "defaultProduct");
|
||||||
|
if (hasDefaultTypeColumn) {
|
||||||
|
await knex.schema.alterTable(TableName.Project, (t) => {
|
||||||
|
t.dropColumn("defaultProduct");
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
@@ -0,0 +1,21 @@
|
|||||||
|
import { Knex } from "knex";
|
||||||
|
|
||||||
|
import { TableName } from "../schemas";
|
||||||
|
|
||||||
|
export async function up(knex: Knex): Promise<void> {
|
||||||
|
const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
|
||||||
|
await knex.schema.alterTable(TableName.OrgMembership, (t) => {
|
||||||
|
if (!hasColumn) {
|
||||||
|
t.datetime("lastInvitedAt").nullable();
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function down(knex: Knex): Promise<void> {
|
||||||
|
const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
|
||||||
|
await knex.schema.alterTable(TableName.OrgMembership, (t) => {
|
||||||
|
if (hasColumn) {
|
||||||
|
t.dropColumn("lastInvitedAt");
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
@@ -267,16 +267,6 @@ export enum ProjectType {
|
|||||||
SecretScanning = "secret-scanning"
|
SecretScanning = "secret-scanning"
|
||||||
}
|
}
|
||||||
|
|
||||||
export enum ActionProjectType {
|
|
||||||
SecretManager = ProjectType.SecretManager,
|
|
||||||
CertificateManager = ProjectType.CertificateManager,
|
|
||||||
KMS = ProjectType.KMS,
|
|
||||||
SSH = ProjectType.SSH,
|
|
||||||
SecretScanning = ProjectType.SecretScanning,
|
|
||||||
// project operations that happen on all types
|
|
||||||
Any = "any"
|
|
||||||
}
|
|
||||||
|
|
||||||
export enum SortDirection {
|
export enum SortDirection {
|
||||||
ASC = "asc",
|
ASC = "asc",
|
||||||
DESC = "desc"
|
DESC = "desc"
|
||||||
|
@@ -18,7 +18,8 @@ export const OrgMembershipsSchema = z.object({
|
|||||||
orgId: z.string().uuid(),
|
orgId: z.string().uuid(),
|
||||||
roleId: z.string().uuid().nullable().optional(),
|
roleId: z.string().uuid().nullable().optional(),
|
||||||
projectFavorites: z.string().array().nullable().optional(),
|
projectFavorites: z.string().array().nullable().optional(),
|
||||||
isActive: z.boolean().default(true)
|
isActive: z.boolean().default(true),
|
||||||
|
lastInvitedAt: z.date().nullable().optional()
|
||||||
});
|
});
|
||||||
|
|
||||||
export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
|
export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;
|
||||||
|
@@ -16,7 +16,7 @@ export const ProjectTemplatesSchema = z.object({
|
|||||||
orgId: z.string().uuid(),
|
orgId: z.string().uuid(),
|
||||||
createdAt: z.date(),
|
createdAt: z.date(),
|
||||||
updatedAt: z.date(),
|
updatedAt: z.date(),
|
||||||
type: z.string().default("secret-manager")
|
type: z.string().nullable().optional()
|
||||||
});
|
});
|
||||||
|
|
||||||
export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
|
export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
|
||||||
|
@@ -25,11 +25,12 @@ export const ProjectsSchema = z.object({
|
|||||||
kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
|
kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
|
||||||
kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
|
kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
|
||||||
description: z.string().nullable().optional(),
|
description: z.string().nullable().optional(),
|
||||||
type: z.string(),
|
type: z.string().nullable().optional(),
|
||||||
enforceCapitalization: z.boolean().default(false),
|
enforceCapitalization: z.boolean().default(false),
|
||||||
hasDeleteProtection: z.boolean().default(false).nullable().optional(),
|
hasDeleteProtection: z.boolean().default(false).nullable().optional(),
|
||||||
secretSharing: z.boolean().default(true),
|
secretSharing: z.boolean().default(true),
|
||||||
showSnapshotsLegacy: z.boolean().default(false)
|
showSnapshotsLegacy: z.boolean().default(false),
|
||||||
|
defaultProduct: z.string().default("secret-manager")
|
||||||
});
|
});
|
||||||
|
|
||||||
export type TProjects = z.infer<typeof ProjectsSchema>;
|
export type TProjects = z.infer<typeof ProjectsSchema>;
|
||||||
|
@@ -60,7 +60,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
|
|||||||
method: "GET",
|
method: "GET",
|
||||||
schema: {
|
schema: {
|
||||||
querystring: z.object({
|
querystring: z.object({
|
||||||
projectSlug: z.string().trim()
|
projectSlug: z.string().trim(),
|
||||||
|
policyId: z.string().trim().optional()
|
||||||
}),
|
}),
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
@@ -73,6 +74,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
|
|||||||
handler: async (req) => {
|
handler: async (req) => {
|
||||||
const { count } = await server.services.accessApprovalRequest.getCount({
|
const { count } = await server.services.accessApprovalRequest.getCount({
|
||||||
projectSlug: req.query.projectSlug,
|
projectSlug: req.query.projectSlug,
|
||||||
|
policyId: req.query.policyId,
|
||||||
actor: req.permission.type,
|
actor: req.permission.type,
|
||||||
actorId: req.permission.id,
|
actorId: req.permission.id,
|
||||||
actorOrgId: req.permission.orgId,
|
actorOrgId: req.permission.orgId,
|
||||||
|
@@ -111,15 +111,38 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
params: z.object({
|
params: z.object({
|
||||||
workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
|
workspaceId: z.string().trim().describe(AUDIT_LOGS.EXPORT.projectId)
|
||||||
}),
|
}),
|
||||||
querystring: z.object({
|
querystring: z
|
||||||
eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
|
.object({
|
||||||
userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
|
eventType: z.nativeEnum(EventType).optional().describe(AUDIT_LOGS.EXPORT.eventType),
|
||||||
startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
|
userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
|
||||||
endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
|
startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
|
||||||
offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
|
endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
|
||||||
limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
|
offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
|
||||||
actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
|
limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
|
||||||
}),
|
actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
|
||||||
|
})
|
||||||
|
.superRefine((el, ctx) => {
|
||||||
|
if (el.endDate && el.startDate) {
|
||||||
|
const startDate = new Date(el.startDate);
|
||||||
|
const endDate = new Date(el.endDate);
|
||||||
|
const maxAllowedDate = new Date(startDate);
|
||||||
|
maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
|
||||||
|
if (endDate < startDate) {
|
||||||
|
ctx.addIssue({
|
||||||
|
code: z.ZodIssueCode.custom,
|
||||||
|
path: ["endDate"],
|
||||||
|
message: "End date cannot be before start date"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
if (endDate > maxAllowedDate) {
|
||||||
|
ctx.addIssue({
|
||||||
|
code: z.ZodIssueCode.custom,
|
||||||
|
path: ["endDate"],
|
||||||
|
message: "Dates must be within 3 months"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}),
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
auditLogs: AuditLogsSchema.omit({
|
auditLogs: AuditLogsSchema.omit({
|
||||||
@@ -161,7 +184,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
filter: {
|
filter: {
|
||||||
...req.query,
|
...req.query,
|
||||||
projectId: req.params.workspaceId,
|
projectId: req.params.workspaceId,
|
||||||
endDate: req.query.endDate,
|
endDate: req.query.endDate || new Date().toISOString(),
|
||||||
startDate: req.query.startDate || getLastMidnightDateISO(),
|
startDate: req.query.startDate || getLastMidnightDateISO(),
|
||||||
auditLogActorId: req.query.actor,
|
auditLogActorId: req.query.actor,
|
||||||
eventType: req.query.eventType ? [req.query.eventType] : undefined
|
eventType: req.query.eventType ? [req.query.eventType] : undefined
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
|
|
||||||
import { ProjectMembershipRole, ProjectTemplatesSchema, ProjectType } from "@app/db/schemas";
|
import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
|
||||||
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
|
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
|
||||||
import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
|
||||||
import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
|
import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
|
||||||
@@ -104,9 +104,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
|
|||||||
hide: false,
|
hide: false,
|
||||||
tags: [ApiDocsTags.ProjectTemplates],
|
tags: [ApiDocsTags.ProjectTemplates],
|
||||||
description: "List project templates for the current organization.",
|
description: "List project templates for the current organization.",
|
||||||
querystring: z.object({
|
|
||||||
type: z.nativeEnum(ProjectType).optional().describe(ProjectTemplates.LIST.type)
|
|
||||||
}),
|
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
projectTemplates: SanitizedProjectTemplateSchema.array()
|
projectTemplates: SanitizedProjectTemplateSchema.array()
|
||||||
@@ -115,8 +112,7 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
|
|||||||
},
|
},
|
||||||
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
|
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
|
||||||
handler: async (req) => {
|
handler: async (req) => {
|
||||||
const { type } = req.query;
|
const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
|
||||||
const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission, type);
|
|
||||||
|
|
||||||
const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
|
const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
|
||||||
|
|
||||||
@@ -188,7 +184,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
|
|||||||
tags: [ApiDocsTags.ProjectTemplates],
|
tags: [ApiDocsTags.ProjectTemplates],
|
||||||
description: "Create a project template.",
|
description: "Create a project template.",
|
||||||
body: z.object({
|
body: z.object({
|
||||||
type: z.nativeEnum(ProjectType).describe(ProjectTemplates.CREATE.type),
|
|
||||||
name: slugSchema({ field: "name" })
|
name: slugSchema({ field: "name" })
|
||||||
.refine((val) => !isInfisicalProjectTemplate(val), {
|
.refine((val) => !isInfisicalProjectTemplate(val), {
|
||||||
message: `The requested project template name is reserved.`
|
message: `The requested project template name is reserved.`
|
||||||
@@ -284,7 +279,6 @@ export const registerProjectTemplateRouter = async (server: FastifyZodProvider)
|
|||||||
tags: [ApiDocsTags.ProjectTemplates],
|
tags: [ApiDocsTags.ProjectTemplates],
|
||||||
description: "Delete a project template.",
|
description: "Delete a project template.",
|
||||||
params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
|
params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
|
||||||
|
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
projectTemplate: SanitizedProjectTemplateSchema
|
projectTemplate: SanitizedProjectTemplateSchema
|
||||||
|
@@ -94,7 +94,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
|
|||||||
},
|
},
|
||||||
schema: {
|
schema: {
|
||||||
querystring: z.object({
|
querystring: z.object({
|
||||||
workspaceId: z.string().trim()
|
workspaceId: z.string().trim(),
|
||||||
|
policyId: z.string().trim().optional()
|
||||||
}),
|
}),
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
@@ -112,7 +113,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
|
|||||||
actorId: req.permission.id,
|
actorId: req.permission.id,
|
||||||
actorAuthMethod: req.permission.authMethod,
|
actorAuthMethod: req.permission.authMethod,
|
||||||
actorOrgId: req.permission.orgId,
|
actorOrgId: req.permission.orgId,
|
||||||
projectId: req.query.workspaceId
|
projectId: req.query.workspaceId,
|
||||||
|
policyId: req.query.policyId
|
||||||
});
|
});
|
||||||
return { approvals };
|
return { approvals };
|
||||||
}
|
}
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -97,8 +96,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -248,8 +246,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
|
const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
|
||||||
@@ -301,8 +298,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: accessApprovalPolicy.projectId,
|
projectId: accessApprovalPolicy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
|
||||||
@@ -498,8 +494,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: policy.projectId,
|
projectId: policy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Delete,
|
ProjectPermissionActions.Delete,
|
||||||
@@ -549,8 +544,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
||||||
@@ -589,8 +583,7 @@ export const accessApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: policy.projectId,
|
projectId: policy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
||||||
|
@@ -220,7 +220,7 @@ export interface TAccessApprovalRequestDALFactory extends Omit<TOrmify<TableName
|
|||||||
bypassers: string[];
|
bypassers: string[];
|
||||||
}[]
|
}[]
|
||||||
>;
|
>;
|
||||||
getCount: ({ projectId }: { projectId: string }) => Promise<{
|
getCount: ({ projectId }: { projectId: string; policyId?: string }) => Promise<{
|
||||||
pendingCount: number;
|
pendingCount: number;
|
||||||
finalizedCount: number;
|
finalizedCount: number;
|
||||||
}>;
|
}>;
|
||||||
@@ -702,7 +702,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId }) => {
|
const getCount: TAccessApprovalRequestDALFactory["getCount"] = async ({ projectId, policyId }) => {
|
||||||
try {
|
try {
|
||||||
const accessRequests = await db
|
const accessRequests = await db
|
||||||
.replicaNode()(TableName.AccessApprovalRequest)
|
.replicaNode()(TableName.AccessApprovalRequest)
|
||||||
@@ -723,8 +723,10 @@ export const accessApprovalRequestDALFactory = (db: TDbClient): TAccessApprovalR
|
|||||||
`${TableName.AccessApprovalRequest}.id`,
|
`${TableName.AccessApprovalRequest}.id`,
|
||||||
`${TableName.AccessApprovalRequestReviewer}.requestId`
|
`${TableName.AccessApprovalRequestReviewer}.requestId`
|
||||||
)
|
)
|
||||||
|
|
||||||
.where(`${TableName.Environment}.projectId`, projectId)
|
.where(`${TableName.Environment}.projectId`, projectId)
|
||||||
|
.where((qb) => {
|
||||||
|
if (policyId) void qb.where(`${TableName.AccessApprovalPolicy}.id`, policyId);
|
||||||
|
})
|
||||||
.select(selectAllTableCols(TableName.AccessApprovalRequest))
|
.select(selectAllTableCols(TableName.AccessApprovalRequest))
|
||||||
.select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
|
.select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
|
||||||
.select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))
|
.select(db.ref("reviewerUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"))
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
import slugify from "@sindresorhus/slugify";
|
import slugify from "@sindresorhus/slugify";
|
||||||
import msFn from "ms";
|
import msFn from "ms";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
|
import { ProjectMembershipRole } from "@app/db/schemas";
|
||||||
import { getConfig } from "@app/lib/config/env";
|
import { getConfig } from "@app/lib/config/env";
|
||||||
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
import { groupBy } from "@app/lib/fn";
|
import { groupBy } from "@app/lib/fn";
|
||||||
@@ -107,8 +107,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
||||||
@@ -217,7 +216,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
);
|
);
|
||||||
|
|
||||||
const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
|
const requesterFullName = `${requestedByUser.firstName} ${requestedByUser.lastName}`;
|
||||||
const approvalUrl = `${cfg.SITE_URL}/secret-manager/${project.id}/approval`;
|
const approvalUrl = `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`;
|
||||||
|
|
||||||
await triggerWorkflowIntegrationNotification({
|
await triggerWorkflowIntegrationNotification({
|
||||||
input: {
|
input: {
|
||||||
@@ -290,8 +289,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
||||||
@@ -337,8 +335,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: accessApprovalRequest.projectId,
|
projectId: accessApprovalRequest.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
@@ -548,7 +545,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
bypassReason: bypassReason || "No reason provided",
|
bypassReason: bypassReason || "No reason provided",
|
||||||
secretPath: policy.secretPath || "/",
|
secretPath: policy.secretPath || "/",
|
||||||
environment,
|
environment,
|
||||||
approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
|
approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`,
|
||||||
requestType: "access"
|
requestType: "access"
|
||||||
},
|
},
|
||||||
template: SmtpTemplates.AccessSecretRequestBypassed
|
template: SmtpTemplates.AccessSecretRequestBypassed
|
||||||
@@ -565,6 +562,7 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
|
|
||||||
const getCount: TAccessApprovalRequestServiceFactory["getCount"] = async ({
|
const getCount: TAccessApprovalRequestServiceFactory["getCount"] = async ({
|
||||||
projectSlug,
|
projectSlug,
|
||||||
|
policyId,
|
||||||
actor,
|
actor,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorId,
|
actorId,
|
||||||
@@ -578,14 +576,13 @@ export const accessApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
throw new ForbiddenRequestError({ message: "You are not a member of this project" });
|
||||||
}
|
}
|
||||||
|
|
||||||
const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
|
const count = await accessApprovalRequestDAL.getCount({ projectId: project.id, policyId });
|
||||||
|
|
||||||
return { count };
|
return { count };
|
||||||
};
|
};
|
||||||
|
@@ -12,6 +12,7 @@ export type TVerifyPermission = {
|
|||||||
|
|
||||||
export type TGetAccessRequestCountDTO = {
|
export type TGetAccessRequestCountDTO = {
|
||||||
projectSlug: string;
|
projectSlug: string;
|
||||||
|
policyId?: string;
|
||||||
} & Omit<TProjectPermission, "projectId">;
|
} & Omit<TProjectPermission, "projectId">;
|
||||||
|
|
||||||
export type TReviewAccessRequestDTO = {
|
export type TReviewAccessRequestDTO = {
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import jwt from "jsonwebtoken";
|
import jwt from "jsonwebtoken";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { getConfig } from "@app/lib/config/env";
|
import { getConfig } from "@app/lib/config/env";
|
||||||
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
import { ActorType } from "@app/services/auth/auth-type";
|
import { ActorType } from "@app/services/auth/auth-type";
|
||||||
@@ -38,8 +37,7 @@ export const assumePrivilegeServiceFactory = ({
|
|||||||
actorId: actorPermissionDetails.id,
|
actorId: actorPermissionDetails.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actorPermissionDetails.authMethod,
|
actorAuthMethod: actorPermissionDetails.authMethod,
|
||||||
actorOrgId: actorPermissionDetails.orgId,
|
actorOrgId: actorPermissionDetails.orgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (targetActorType === ActorType.USER) {
|
if (targetActorType === ActorType.USER) {
|
||||||
@@ -60,8 +58,7 @@ export const assumePrivilegeServiceFactory = ({
|
|||||||
actorId: targetActorId,
|
actorId: targetActorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actorPermissionDetails.authMethod,
|
actorAuthMethod: actorPermissionDetails.authMethod,
|
||||||
actorOrgId: actorPermissionDetails.orgId,
|
actorOrgId: actorPermissionDetails.orgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const appCfg = getConfig();
|
const appCfg = getConfig();
|
||||||
|
@@ -30,10 +30,10 @@ type TFindQuery = {
|
|||||||
actor?: string;
|
actor?: string;
|
||||||
projectId?: string;
|
projectId?: string;
|
||||||
environment?: string;
|
environment?: string;
|
||||||
orgId?: string;
|
orgId: string;
|
||||||
eventType?: string;
|
eventType?: string;
|
||||||
startDate?: string;
|
startDate: string;
|
||||||
endDate?: string;
|
endDate: string;
|
||||||
userAgentType?: string;
|
userAgentType?: string;
|
||||||
limit?: number;
|
limit?: number;
|
||||||
offset?: number;
|
offset?: number;
|
||||||
@@ -61,18 +61,15 @@ export const auditLogDALFactory = (db: TDbClient) => {
|
|||||||
},
|
},
|
||||||
tx
|
tx
|
||||||
) => {
|
) => {
|
||||||
if (!orgId && !projectId) {
|
|
||||||
throw new Error("Either orgId or projectId must be provided");
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Find statements
|
// Find statements
|
||||||
const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
|
const sqlQuery = (tx || db.replicaNode())(TableName.AuditLog)
|
||||||
|
.where(`${TableName.AuditLog}.orgId`, orgId)
|
||||||
|
.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate])
|
||||||
|
.andWhereRaw(`"${TableName.AuditLog}"."createdAt" < ?::timestamptz`, [endDate])
|
||||||
// eslint-disable-next-line func-names
|
// eslint-disable-next-line func-names
|
||||||
.where(function () {
|
.where(function () {
|
||||||
if (orgId) {
|
if (projectId) {
|
||||||
void this.where(`${TableName.AuditLog}.orgId`, orgId);
|
|
||||||
} else if (projectId) {
|
|
||||||
void this.where(`${TableName.AuditLog}.projectId`, projectId);
|
void this.where(`${TableName.AuditLog}.projectId`, projectId);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@@ -135,14 +132,6 @@ export const auditLogDALFactory = (db: TDbClient) => {
|
|||||||
void sqlQuery.whereIn("eventType", eventType);
|
void sqlQuery.whereIn("eventType", eventType);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Filter by date range
|
|
||||||
if (startDate) {
|
|
||||||
void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
|
|
||||||
}
|
|
||||||
if (endDate) {
|
|
||||||
void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
|
|
||||||
}
|
|
||||||
|
|
||||||
// we timeout long running queries to prevent DB resource issues (2 minutes)
|
// we timeout long running queries to prevent DB resource issues (2 minutes)
|
||||||
const docs = await sqlQuery.timeout(1000 * 120);
|
const docs = await sqlQuery.timeout(1000 * 120);
|
||||||
|
|
||||||
@@ -174,6 +163,8 @@ export const auditLogDALFactory = (db: TDbClient) => {
|
|||||||
try {
|
try {
|
||||||
const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
|
const findExpiredLogSubQuery = (tx || db)(TableName.AuditLog)
|
||||||
.where("expiresAt", "<", today)
|
.where("expiresAt", "<", today)
|
||||||
|
.where("createdAt", "<", today) // to use audit log partition
|
||||||
|
.orderBy(`${TableName.AuditLog}.createdAt`, "desc")
|
||||||
.select("id")
|
.select("id")
|
||||||
.limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
|
.limit(AUDIT_LOG_PRUNE_BATCH_SIZE);
|
||||||
|
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import { requestContext } from "@fastify/request-context";
|
import { requestContext } from "@fastify/request-context";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { getConfig } from "@app/lib/config/env";
|
import { getConfig } from "@app/lib/config/env";
|
||||||
import { BadRequestError } from "@app/lib/errors";
|
import { BadRequestError } from "@app/lib/errors";
|
||||||
import { ActorType } from "@app/services/auth/auth-type";
|
import { ActorType } from "@app/services/auth/auth-type";
|
||||||
@@ -38,8 +37,7 @@ export const auditLogServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: filter.projectId,
|
projectId: filter.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
|
||||||
} else {
|
} else {
|
||||||
@@ -69,7 +67,8 @@ export const auditLogServiceFactory = ({
|
|||||||
secretPath: filter.secretPath,
|
secretPath: filter.secretPath,
|
||||||
secretKey: filter.secretKey,
|
secretKey: filter.secretKey,
|
||||||
environment: filter.environment,
|
environment: filter.environment,
|
||||||
...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
|
orgId: actorOrgId,
|
||||||
|
...(filter.projectId ? { projectId: filter.projectId } : {})
|
||||||
});
|
});
|
||||||
|
|
||||||
return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({
|
return auditLogs.map(({ eventType: logEventType, actor: eActor, actorMetadata, eventMetadata, ...el }) => ({
|
||||||
|
@@ -56,8 +56,8 @@ export type TListProjectAuditLogDTO = {
|
|||||||
eventType?: EventType[];
|
eventType?: EventType[];
|
||||||
offset?: number;
|
offset?: number;
|
||||||
limit: number;
|
limit: number;
|
||||||
endDate?: string;
|
endDate: string;
|
||||||
startDate?: string;
|
startDate: string;
|
||||||
projectId?: string;
|
projectId?: string;
|
||||||
environment?: string;
|
environment?: string;
|
||||||
auditLogActorId?: string;
|
auditLogActorId?: string;
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
@@ -78,8 +77,7 @@ export const certificateAuthorityCrlServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
import RE2 from "re2";
|
import RE2 from "re2";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -85,8 +84,7 @@ export const dynamicSecretLeaseServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const plan = await licenseService.getPlan(actorOrgId);
|
const plan = await licenseService.getPlan(actorOrgId);
|
||||||
@@ -202,8 +200,7 @@ export const dynamicSecretLeaseServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
|
const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
|
||||||
@@ -300,8 +297,7 @@ export const dynamicSecretLeaseServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
|
const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
|
||||||
@@ -389,8 +385,7 @@ export const dynamicSecretLeaseServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
||||||
@@ -437,8 +432,7 @@ export const dynamicSecretLeaseServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -78,8 +77,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -202,8 +200,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const plan = await licenseService.getPlan(actorOrgId);
|
const plan = await licenseService.getPlan(actorOrgId);
|
||||||
@@ -354,8 +351,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
||||||
@@ -420,8 +416,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
||||||
@@ -485,8 +480,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// verify user has access to each env in request
|
// verify user has access to each env in request
|
||||||
@@ -529,8 +523,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionDynamicSecretActions.ReadRootCredential,
|
ProjectPermissionDynamicSecretActions.ReadRootCredential,
|
||||||
@@ -578,8 +571,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
|
||||||
@@ -616,8 +608,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
|
const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
|
||||||
@@ -661,8 +652,7 @@ export const dynamicSecretServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
|
const folders = await folderDAL.findBySecretPathMultiEnv(projectId, environmentSlugs, path);
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
import axios from "axios";
|
import axios from "axios";
|
||||||
import * as jwt from "jsonwebtoken";
|
import jwt from "jsonwebtoken";
|
||||||
|
|
||||||
import { BadRequestError, InternalServerError } from "@app/lib/errors";
|
import { BadRequestError, InternalServerError } from "@app/lib/errors";
|
||||||
import { alphaNumericNanoId } from "@app/lib/nanoid";
|
import { alphaNumericNanoId } from "@app/lib/nanoid";
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
import { packRules } from "@casl/ability/extra";
|
import { packRules } from "@casl/ability/extra";
|
||||||
|
|
||||||
import { ActionProjectType, TableName } from "@app/db/schemas";
|
import { TableName } from "@app/db/schemas";
|
||||||
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
||||||
import { ms } from "@app/lib/ms";
|
import { ms } from "@app/lib/ms";
|
||||||
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
||||||
@@ -61,8 +61,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Edit,
|
ProjectPermissionIdentityActions.Edit,
|
||||||
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId: identityId,
|
actorId: identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -160,8 +158,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Edit,
|
ProjectPermissionIdentityActions.Edit,
|
||||||
@@ -172,8 +169,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId: identityProjectMembership.identityId,
|
actorId: identityProjectMembership.identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -260,8 +256,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Edit,
|
ProjectPermissionIdentityActions.Edit,
|
||||||
@@ -272,8 +267,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId: identityProjectMembership.identityId,
|
actorId: identityProjectMembership.identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
const permissionBoundary = validatePrivilegeChangeOperation(
|
const permissionBoundary = validatePrivilegeChangeOperation(
|
||||||
membership.shouldUseNewPrivilegeSystem,
|
membership.shouldUseNewPrivilegeSystem,
|
||||||
@@ -321,8 +315,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Read,
|
ProjectPermissionIdentityActions.Read,
|
||||||
@@ -356,8 +349,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Read,
|
ProjectPermissionIdentityActions.Read,
|
||||||
@@ -392,8 +384,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Read,
|
ProjectPermissionIdentityActions.Read,
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
|
import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability";
|
||||||
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
||||||
import { ms } from "@app/lib/ms";
|
import { ms } from "@app/lib/ms";
|
||||||
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
||||||
@@ -73,8 +72,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -87,8 +85,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId: identityId,
|
actorId: identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -175,8 +172,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -189,8 +185,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId: identityProjectMembership.identityId,
|
actorId: identityProjectMembership.identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -293,8 +288,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Edit,
|
ProjectPermissionIdentityActions.Edit,
|
||||||
@@ -306,8 +300,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId: identityProjectMembership.identityId,
|
actorId: identityProjectMembership.identityId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
const permissionBoundary = validatePrivilegeChangeOperation(
|
const permissionBoundary = validatePrivilegeChangeOperation(
|
||||||
membership.shouldUseNewPrivilegeSystem,
|
membership.shouldUseNewPrivilegeSystem,
|
||||||
@@ -366,8 +359,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Read,
|
ProjectPermissionIdentityActions.Read,
|
||||||
@@ -409,8 +401,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: identityProjectMembership.projectId,
|
projectId: identityProjectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -24,7 +24,7 @@ type TKmipOperationServiceFactoryDep = {
|
|||||||
kmsService: TKmsServiceFactory;
|
kmsService: TKmsServiceFactory;
|
||||||
kmsDAL: TKmsKeyDALFactory;
|
kmsDAL: TKmsKeyDALFactory;
|
||||||
kmipClientDAL: TKmipClientDALFactory;
|
kmipClientDAL: TKmipClientDALFactory;
|
||||||
projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId" | "findById">;
|
projectDAL: Pick<TProjectDALFactory, "findById">;
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
|
|||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
import crypto, { KeyObject } from "crypto";
|
import crypto, { KeyObject } from "crypto";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
|
||||||
import { isValidIp } from "@app/lib/ip";
|
import { isValidIp } from "@app/lib/ip";
|
||||||
import { ms } from "@app/lib/ms";
|
import { ms } from "@app/lib/ms";
|
||||||
@@ -73,8 +72,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -127,8 +125,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: kmipClient.projectId,
|
projectId: kmipClient.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -159,8 +156,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: kmipClient.projectId,
|
projectId: kmipClient.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -193,8 +189,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: kmipClient.projectId,
|
projectId: kmipClient.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
|
||||||
@@ -215,8 +210,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionKmipActions.ReadClients, ProjectPermissionSub.Kmip);
|
||||||
@@ -252,8 +246,7 @@ export const kmipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: kmipClient.projectId,
|
projectId: kmipClient.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -91,7 +91,7 @@ export interface TPermissionDALFactory {
|
|||||||
userId: string;
|
userId: string;
|
||||||
projectId: string;
|
projectId: string;
|
||||||
username: string;
|
username: string;
|
||||||
projectType: string;
|
projectType?: string | null;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
updatedAt: Date;
|
updatedAt: Date;
|
||||||
@@ -163,7 +163,7 @@ export interface TPermissionDALFactory {
|
|||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
updatedAt: Date;
|
updatedAt: Date;
|
||||||
orgId: string;
|
orgId: string;
|
||||||
projectType: string;
|
projectType?: string | null;
|
||||||
shouldUseNewPrivilegeSystem: boolean;
|
shouldUseNewPrivilegeSystem: boolean;
|
||||||
orgAuthEnforced: boolean;
|
orgAuthEnforced: boolean;
|
||||||
metadata: {
|
metadata: {
|
||||||
@@ -201,7 +201,7 @@ export interface TPermissionDALFactory {
|
|||||||
userId: string;
|
userId: string;
|
||||||
projectId: string;
|
projectId: string;
|
||||||
username: string;
|
username: string;
|
||||||
projectType: string;
|
projectType?: string | null;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
updatedAt: Date;
|
updatedAt: Date;
|
||||||
@@ -267,7 +267,7 @@ export interface TPermissionDALFactory {
|
|||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
updatedAt: Date;
|
updatedAt: Date;
|
||||||
orgId: string;
|
orgId: string;
|
||||||
projectType: string;
|
projectType?: string | null;
|
||||||
orgAuthEnforced: boolean;
|
orgAuthEnforced: boolean;
|
||||||
metadata: {
|
metadata: {
|
||||||
id: string;
|
id: string;
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { MongoAbility, RawRuleOf } from "@casl/ability";
|
import { MongoAbility, RawRuleOf } from "@casl/ability";
|
||||||
import { MongoQuery } from "@ucast/mongo2js";
|
import { MongoQuery } from "@ucast/mongo2js";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
|
import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
|
||||||
|
|
||||||
import { OrgPermissionSet } from "./org-permission";
|
import { OrgPermissionSet } from "./org-permission";
|
||||||
@@ -21,7 +20,6 @@ export type TGetUserProjectPermissionArg = {
|
|||||||
userId: string;
|
userId: string;
|
||||||
projectId: string;
|
projectId: string;
|
||||||
authMethod: ActorAuthMethod;
|
authMethod: ActorAuthMethod;
|
||||||
actionProjectType: ActionProjectType;
|
|
||||||
userOrgId?: string;
|
userOrgId?: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -29,14 +27,12 @@ export type TGetIdentityProjectPermissionArg = {
|
|||||||
identityId: string;
|
identityId: string;
|
||||||
projectId: string;
|
projectId: string;
|
||||||
identityOrgId?: string;
|
identityOrgId?: string;
|
||||||
actionProjectType: ActionProjectType;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TGetServiceTokenProjectPermissionArg = {
|
export type TGetServiceTokenProjectPermissionArg = {
|
||||||
serviceTokenId: string;
|
serviceTokenId: string;
|
||||||
projectId: string;
|
projectId: string;
|
||||||
actorOrgId?: string;
|
actorOrgId?: string;
|
||||||
actionProjectType: ActionProjectType;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TGetProjectPermissionArg = {
|
export type TGetProjectPermissionArg = {
|
||||||
@@ -45,7 +41,6 @@ export type TGetProjectPermissionArg = {
|
|||||||
projectId: string;
|
projectId: string;
|
||||||
actorAuthMethod: ActorAuthMethod;
|
actorAuthMethod: ActorAuthMethod;
|
||||||
actorOrgId?: string;
|
actorOrgId?: string;
|
||||||
actionProjectType: ActionProjectType;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TPermissionServiceFactory = {
|
export type TPermissionServiceFactory = {
|
||||||
@@ -143,13 +138,7 @@ export type TPermissionServiceFactory = {
|
|||||||
};
|
};
|
||||||
}
|
}
|
||||||
>;
|
>;
|
||||||
getUserProjectPermission: ({
|
getUserProjectPermission: ({ userId, projectId, authMethod, userOrgId }: TGetUserProjectPermissionArg) => Promise<{
|
||||||
userId,
|
|
||||||
projectId,
|
|
||||||
authMethod,
|
|
||||||
userOrgId,
|
|
||||||
actionProjectType
|
|
||||||
}: TGetUserProjectPermissionArg) => Promise<{
|
|
||||||
permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
|
permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
|
||||||
membership: {
|
membership: {
|
||||||
id: string;
|
id: string;
|
||||||
|
@@ -5,7 +5,6 @@ import { MongoQuery } from "@ucast/mongo2js";
|
|||||||
import handlebars from "handlebars";
|
import handlebars from "handlebars";
|
||||||
|
|
||||||
import {
|
import {
|
||||||
ActionProjectType,
|
|
||||||
OrgMembershipRole,
|
OrgMembershipRole,
|
||||||
ProjectMembershipRole,
|
ProjectMembershipRole,
|
||||||
ServiceTokenScopes,
|
ServiceTokenScopes,
|
||||||
@@ -214,8 +213,7 @@ export const permissionServiceFactory = ({
|
|||||||
userId,
|
userId,
|
||||||
projectId,
|
projectId,
|
||||||
authMethod,
|
authMethod,
|
||||||
userOrgId,
|
userOrgId
|
||||||
actionProjectType
|
|
||||||
}: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
|
}: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
|
||||||
const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
|
const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
|
||||||
if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
|
if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
|
||||||
@@ -242,12 +240,6 @@ export const permissionServiceFactory = ({
|
|||||||
userProjectPermission.orgRole
|
userProjectPermission.orgRole
|
||||||
);
|
);
|
||||||
|
|
||||||
if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
|
|
||||||
throw new BadRequestError({
|
|
||||||
message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// join two permissions and pass to build the final permission set
|
// join two permissions and pass to build the final permission set
|
||||||
const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
|
const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
|
||||||
const additionalPrivileges =
|
const additionalPrivileges =
|
||||||
@@ -295,8 +287,7 @@ export const permissionServiceFactory = ({
|
|||||||
const getIdentityProjectPermission = async ({
|
const getIdentityProjectPermission = async ({
|
||||||
identityId,
|
identityId,
|
||||||
projectId,
|
projectId,
|
||||||
identityOrgId,
|
identityOrgId
|
||||||
actionProjectType
|
|
||||||
}: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
|
}: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
|
||||||
const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
|
const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
|
||||||
if (!identityProjectPermission)
|
if (!identityProjectPermission)
|
||||||
@@ -316,12 +307,6 @@ export const permissionServiceFactory = ({
|
|||||||
throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
|
throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
|
||||||
}
|
}
|
||||||
|
|
||||||
if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
|
|
||||||
throw new BadRequestError({
|
|
||||||
message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
const rolePermissions =
|
const rolePermissions =
|
||||||
identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
|
identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
|
||||||
const additionalPrivileges =
|
const additionalPrivileges =
|
||||||
@@ -376,8 +361,7 @@ export const permissionServiceFactory = ({
|
|||||||
const getServiceTokenProjectPermission = async ({
|
const getServiceTokenProjectPermission = async ({
|
||||||
serviceTokenId,
|
serviceTokenId,
|
||||||
projectId,
|
projectId,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType
|
|
||||||
}: TGetServiceTokenProjectPermissionArg) => {
|
}: TGetServiceTokenProjectPermissionArg) => {
|
||||||
const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
|
const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
|
||||||
if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
|
if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
|
||||||
@@ -402,12 +386,6 @@ export const permissionServiceFactory = ({
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
|
|
||||||
throw new BadRequestError({
|
|
||||||
message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
|
const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
|
||||||
return {
|
return {
|
||||||
permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
|
permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
|
||||||
@@ -559,8 +537,7 @@ export const permissionServiceFactory = ({
|
|||||||
actorId: inputActorId,
|
actorId: inputActorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType
|
|
||||||
}: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
|
}: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
|
||||||
let actor = inputActor;
|
let actor = inputActor;
|
||||||
let actorId = inputActorId;
|
let actorId = inputActorId;
|
||||||
@@ -581,22 +558,19 @@ export const permissionServiceFactory = ({
|
|||||||
userId: actorId,
|
userId: actorId,
|
||||||
projectId,
|
projectId,
|
||||||
authMethod: actorAuthMethod,
|
authMethod: actorAuthMethod,
|
||||||
userOrgId: actorOrgId,
|
userOrgId: actorOrgId
|
||||||
actionProjectType
|
|
||||||
}) as Promise<TProjectPermissionRT<T>>;
|
}) as Promise<TProjectPermissionRT<T>>;
|
||||||
case ActorType.SERVICE:
|
case ActorType.SERVICE:
|
||||||
return getServiceTokenProjectPermission({
|
return getServiceTokenProjectPermission({
|
||||||
serviceTokenId: actorId,
|
serviceTokenId: actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType
|
|
||||||
}) as Promise<TProjectPermissionRT<T>>;
|
}) as Promise<TProjectPermissionRT<T>>;
|
||||||
case ActorType.IDENTITY:
|
case ActorType.IDENTITY:
|
||||||
return getIdentityProjectPermission({
|
return getIdentityProjectPermission({
|
||||||
identityId: actorId,
|
identityId: actorId,
|
||||||
projectId,
|
projectId,
|
||||||
identityOrgId: actorOrgId,
|
identityOrgId: actorOrgId
|
||||||
actionProjectType
|
|
||||||
}) as Promise<TProjectPermissionRT<T>>;
|
}) as Promise<TProjectPermissionRT<T>>;
|
||||||
default:
|
default:
|
||||||
throw new BadRequestError({
|
throw new BadRequestError({
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
/* eslint-disable no-await-in-loop */
|
/* eslint-disable no-await-in-loop */
|
||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { NotFoundError } from "@app/lib/errors";
|
import { NotFoundError } from "@app/lib/errors";
|
||||||
import { logger } from "@app/lib/logger";
|
import { logger } from "@app/lib/logger";
|
||||||
@@ -321,8 +320,7 @@ export const pitServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(userPermission).throwUnlessCan(
|
ForbiddenError.from(userPermission).throwUnlessCan(
|
||||||
|
@@ -1,4 +1,3 @@
|
|||||||
import { ProjectType } from "@app/db/schemas";
|
|
||||||
import {
|
import {
|
||||||
InfisicalProjectTemplate,
|
InfisicalProjectTemplate,
|
||||||
TUnpackedPermission
|
TUnpackedPermission
|
||||||
@@ -7,21 +6,18 @@ import { getPredefinedRoles } from "@app/services/project-role/project-role-fns"
|
|||||||
|
|
||||||
import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
|
import { ProjectTemplateDefaultEnvironments } from "./project-template-constants";
|
||||||
|
|
||||||
export const getDefaultProjectTemplate = (orgId: string, type: ProjectType) => ({
|
export const getDefaultProjectTemplate = (orgId: string) => ({
|
||||||
id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
|
id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
|
||||||
type,
|
|
||||||
name: InfisicalProjectTemplate.Default,
|
name: InfisicalProjectTemplate.Default,
|
||||||
createdAt: new Date(),
|
createdAt: new Date(),
|
||||||
updatedAt: new Date(),
|
updatedAt: new Date(),
|
||||||
description: `Infisical's ${type} default project template`,
|
description: `Infisical's default project template`,
|
||||||
environments: type === ProjectType.SecretManager ? ProjectTemplateDefaultEnvironments : null,
|
environments: ProjectTemplateDefaultEnvironments,
|
||||||
roles: [...getPredefinedRoles({ projectId: "project-template", projectType: type })].map(
|
roles: getPredefinedRoles({ projectId: "project-template" }) as Array<{
|
||||||
({ name, slug, permissions }) => ({
|
name: string;
|
||||||
name,
|
slug: string;
|
||||||
slug,
|
permissions: TUnpackedPermission[];
|
||||||
permissions: permissions as TUnpackedPermission[]
|
}>,
|
||||||
})
|
|
||||||
),
|
|
||||||
orgId
|
orgId
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import { packRules } from "@casl/ability/extra";
|
import { packRules } from "@casl/ability/extra";
|
||||||
|
|
||||||
import { ProjectType, TProjectTemplates } from "@app/db/schemas";
|
import { TProjectTemplates } from "@app/db/schemas";
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
|
import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
@@ -29,13 +29,11 @@ const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTempla
|
|||||||
...rest,
|
...rest,
|
||||||
environments: environments as TProjectTemplateEnvironment[],
|
environments: environments as TProjectTemplateEnvironment[],
|
||||||
roles: [
|
roles: [
|
||||||
...getPredefinedRoles({ projectId: "project-template", projectType: rest.type as ProjectType }).map(
|
...getPredefinedRoles({ projectId: "project-template" }).map(({ name, slug, permissions }) => ({
|
||||||
({ name, slug, permissions }) => ({
|
name,
|
||||||
name,
|
slug,
|
||||||
slug,
|
permissions: permissions as TUnpackedPermission[]
|
||||||
permissions: permissions as TUnpackedPermission[]
|
})),
|
||||||
})
|
|
||||||
),
|
|
||||||
...(roles as TProjectTemplateRole[]).map((role) => ({
|
...(roles as TProjectTemplateRole[]).map((role) => ({
|
||||||
...role,
|
...role,
|
||||||
permissions: unpackPermissions(role.permissions)
|
permissions: unpackPermissions(role.permissions)
|
||||||
@@ -48,10 +46,7 @@ export const projectTemplateServiceFactory = ({
|
|||||||
permissionService,
|
permissionService,
|
||||||
projectTemplateDAL
|
projectTemplateDAL
|
||||||
}: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
|
}: TProjectTemplatesServiceFactoryDep): TProjectTemplateServiceFactory => {
|
||||||
const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (
|
const listProjectTemplatesByOrg: TProjectTemplateServiceFactory["listProjectTemplatesByOrg"] = async (actor) => {
|
||||||
actor,
|
|
||||||
type
|
|
||||||
) => {
|
|
||||||
const plan = await licenseService.getPlan(actor.orgId);
|
const plan = await licenseService.getPlan(actor.orgId);
|
||||||
|
|
||||||
if (!plan.projectTemplates)
|
if (!plan.projectTemplates)
|
||||||
@@ -70,14 +65,11 @@ export const projectTemplateServiceFactory = ({
|
|||||||
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
|
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
|
||||||
|
|
||||||
const projectTemplates = await projectTemplateDAL.find({
|
const projectTemplates = await projectTemplateDAL.find({
|
||||||
orgId: actor.orgId,
|
orgId: actor.orgId
|
||||||
...(type ? { type } : {})
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return [
|
return [
|
||||||
...(type
|
getDefaultProjectTemplate(actor.orgId),
|
||||||
? [getDefaultProjectTemplate(actor.orgId, type)]
|
|
||||||
: Object.values(ProjectType).map((projectType) => getDefaultProjectTemplate(actor.orgId, projectType))),
|
|
||||||
...projectTemplates.map((template) => $unpackProjectTemplate(template))
|
...projectTemplates.map((template) => $unpackProjectTemplate(template))
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
@@ -142,7 +134,7 @@ export const projectTemplateServiceFactory = ({
|
|||||||
};
|
};
|
||||||
|
|
||||||
const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
|
const createProjectTemplate: TProjectTemplateServiceFactory["createProjectTemplate"] = async (
|
||||||
{ roles, environments, type, ...params },
|
{ roles, environments, ...params },
|
||||||
actor
|
actor
|
||||||
) => {
|
) => {
|
||||||
const plan = await licenseService.getPlan(actor.orgId);
|
const plan = await licenseService.getPlan(actor.orgId);
|
||||||
@@ -162,10 +154,6 @@ export const projectTemplateServiceFactory = ({
|
|||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
|
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
|
||||||
|
|
||||||
if (environments && type !== ProjectType.SecretManager) {
|
|
||||||
throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
|
|
||||||
}
|
|
||||||
|
|
||||||
if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
|
if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
|
||||||
throw new BadRequestError({
|
throw new BadRequestError({
|
||||||
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
|
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
|
||||||
@@ -188,10 +176,8 @@ export const projectTemplateServiceFactory = ({
|
|||||||
const projectTemplate = await projectTemplateDAL.create({
|
const projectTemplate = await projectTemplateDAL.create({
|
||||||
...params,
|
...params,
|
||||||
roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
|
roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
|
||||||
environments:
|
environments: environments ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
|
||||||
type === ProjectType.SecretManager ? JSON.stringify(environments ?? ProjectTemplateDefaultEnvironments) : null,
|
orgId: actor.orgId
|
||||||
orgId: actor.orgId,
|
|
||||||
type
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return $unpackProjectTemplate(projectTemplate);
|
return $unpackProjectTemplate(projectTemplate);
|
||||||
@@ -223,12 +209,6 @@ export const projectTemplateServiceFactory = ({
|
|||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
|
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
|
||||||
|
|
||||||
if (projectTemplate.type !== ProjectType.SecretManager && environments)
|
|
||||||
throw new BadRequestError({ message: "Cannot configure environments for non-SecretManager project templates" });
|
|
||||||
|
|
||||||
if (projectTemplate.type === ProjectType.SecretManager && environments === null)
|
|
||||||
throw new BadRequestError({ message: "Environments cannot be removed for SecretManager project templates" });
|
|
||||||
|
|
||||||
if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
|
if (environments && plan.environmentLimit !== null && environments.length > plan.environmentLimit) {
|
||||||
throw new BadRequestError({
|
throw new BadRequestError({
|
||||||
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
|
// eslint-disable-next-line @typescript-eslint/restrict-template-expressions
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
|
|
||||||
import { ProjectMembershipRole, ProjectType, TProjectEnvironments } from "@app/db/schemas";
|
import { ProjectMembershipRole, TProjectEnvironments } from "@app/db/schemas";
|
||||||
import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
|
import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
|
||||||
import { OrgServiceActor } from "@app/lib/types";
|
import { OrgServiceActor } from "@app/lib/types";
|
||||||
import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
|
import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
|
||||||
@@ -16,7 +16,6 @@ export type TProjectTemplateRole = {
|
|||||||
export type TCreateProjectTemplateDTO = {
|
export type TCreateProjectTemplateDTO = {
|
||||||
name: string;
|
name: string;
|
||||||
description?: string;
|
description?: string;
|
||||||
type: ProjectType;
|
|
||||||
roles: TProjectTemplateRole[];
|
roles: TProjectTemplateRole[];
|
||||||
environments?: TProjectTemplateEnvironment[] | null;
|
environments?: TProjectTemplateEnvironment[] | null;
|
||||||
};
|
};
|
||||||
@@ -30,14 +29,10 @@ export enum InfisicalProjectTemplate {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export type TProjectTemplateServiceFactory = {
|
export type TProjectTemplateServiceFactory = {
|
||||||
listProjectTemplatesByOrg: (
|
listProjectTemplatesByOrg: (actor: OrgServiceActor) => Promise<
|
||||||
actor: OrgServiceActor,
|
|
||||||
type?: ProjectType
|
|
||||||
) => Promise<
|
|
||||||
(
|
(
|
||||||
| {
|
| {
|
||||||
id: string;
|
id: string;
|
||||||
type: ProjectType;
|
|
||||||
name: InfisicalProjectTemplate;
|
name: InfisicalProjectTemplate;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
updatedAt: Date;
|
updatedAt: Date;
|
||||||
@@ -74,7 +69,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
@@ -99,7 +93,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
@@ -123,7 +116,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
@@ -146,7 +138,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
@@ -170,7 +161,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
@@ -194,7 +184,6 @@ export type TProjectTemplateServiceFactory = {
|
|||||||
name: string;
|
name: string;
|
||||||
}[];
|
}[];
|
||||||
name: string;
|
name: string;
|
||||||
type: string;
|
|
||||||
orgId: string;
|
orgId: string;
|
||||||
id: string;
|
id: string;
|
||||||
createdAt: Date;
|
createdAt: Date;
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
|
import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
|
||||||
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
||||||
|
|
||||||
import { ActionProjectType, TableName } from "@app/db/schemas";
|
import { TableName } from "@app/db/schemas";
|
||||||
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
|
||||||
import { ms } from "@app/lib/ms";
|
import { ms } from "@app/lib/ms";
|
||||||
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
|
||||||
@@ -61,8 +61,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
||||||
const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
|
const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
|
||||||
@@ -70,8 +69,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId: projectMembership.userId,
|
actorId: projectMembership.userId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -166,8 +164,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
||||||
const { permission: targetUserPermission } = await permissionService.getProjectPermission({
|
const { permission: targetUserPermission } = await permissionService.getProjectPermission({
|
||||||
@@ -175,8 +172,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId: projectMembership.userId,
|
actorId: projectMembership.userId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// we need to validate that the privilege given is not higher than the assigning users permission
|
// we need to validate that the privilege given is not higher than the assigning users permission
|
||||||
@@ -276,8 +272,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -322,8 +317,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -349,8 +343,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectMembership.projectId,
|
projectId: projectMembership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import picomatch from "picomatch";
|
import picomatch from "picomatch";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -91,8 +90,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Create,
|
ProjectPermissionActions.Create,
|
||||||
@@ -267,8 +265,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: secretApprovalPolicy.projectId,
|
projectId: secretApprovalPolicy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
|
||||||
|
|
||||||
@@ -423,8 +420,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sapPolicy.projectId,
|
projectId: sapPolicy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Delete,
|
ProjectPermissionActions.Delete,
|
||||||
@@ -463,8 +459,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
||||||
|
|
||||||
@@ -508,8 +503,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return getSecretApprovalPolicy(projectId, environment, secretPath);
|
return getSecretApprovalPolicy(projectId, environment, secretPath);
|
||||||
@@ -535,8 +529,7 @@ export const secretApprovalPolicyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sapPolicy.projectId,
|
projectId: sapPolicy.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
|
||||||
|
@@ -290,7 +290,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const findProjectRequestCount = async (projectId: string, userId: string, tx?: Knex) => {
|
const findProjectRequestCount = async (projectId: string, userId: string, policyId?: string, tx?: Knex) => {
|
||||||
try {
|
try {
|
||||||
const docs = await (tx || db)
|
const docs = await (tx || db)
|
||||||
.with(
|
.with(
|
||||||
@@ -309,6 +309,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
|
|||||||
`${TableName.SecretApprovalPolicy}.id`
|
`${TableName.SecretApprovalPolicy}.id`
|
||||||
)
|
)
|
||||||
.where({ projectId })
|
.where({ projectId })
|
||||||
|
.where((qb) => {
|
||||||
|
if (policyId) void qb.where(`${TableName.SecretApprovalPolicy}.id`, policyId);
|
||||||
|
})
|
||||||
.andWhere(
|
.andWhere(
|
||||||
(bd) =>
|
(bd) =>
|
||||||
void bd
|
void bd
|
||||||
|
@@ -36,7 +36,7 @@ export const sendApprovalEmailsFn = async ({
|
|||||||
firstName: reviewerUser.firstName,
|
firstName: reviewerUser.firstName,
|
||||||
projectName: project.name,
|
projectName: project.name,
|
||||||
organizationName: project.organization.name,
|
organizationName: project.organization.name,
|
||||||
approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval?requestId=${secretApprovalRequest.id}`
|
approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval?requestId=${secretApprovalRequest.id}`
|
||||||
},
|
},
|
||||||
template: SmtpTemplates.SecretApprovalRequestNeedsReview
|
template: SmtpTemplates.SecretApprovalRequestNeedsReview
|
||||||
});
|
});
|
||||||
|
@@ -2,7 +2,6 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import {
|
import {
|
||||||
ActionProjectType,
|
|
||||||
ProjectMembershipRole,
|
ProjectMembershipRole,
|
||||||
SecretEncryptionAlgo,
|
SecretEncryptionAlgo,
|
||||||
SecretKeyEncoding,
|
SecretKeyEncoding,
|
||||||
@@ -168,7 +167,14 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
microsoftTeamsService,
|
microsoftTeamsService,
|
||||||
folderCommitService
|
folderCommitService
|
||||||
}: TSecretApprovalRequestServiceFactoryDep) => {
|
}: TSecretApprovalRequestServiceFactoryDep) => {
|
||||||
const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
|
const requestCount = async ({
|
||||||
|
projectId,
|
||||||
|
policyId,
|
||||||
|
actor,
|
||||||
|
actorId,
|
||||||
|
actorOrgId,
|
||||||
|
actorAuthMethod
|
||||||
|
}: TApprovalRequestCountDTO) => {
|
||||||
if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
|
if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
|
||||||
|
|
||||||
await permissionService.getProjectPermission({
|
await permissionService.getProjectPermission({
|
||||||
@@ -176,11 +182,10 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
|
const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId, policyId);
|
||||||
return count;
|
return count;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -204,8 +209,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
|
const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
|
||||||
@@ -257,8 +261,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (
|
if (
|
||||||
!hasRole(ProjectMembershipRole.Admin) &&
|
!hasRole(ProjectMembershipRole.Admin) &&
|
||||||
@@ -407,8 +410,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: secretApprovalRequest.projectId,
|
projectId: secretApprovalRequest.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (
|
if (
|
||||||
!hasRole(ProjectMembershipRole.Admin) &&
|
!hasRole(ProjectMembershipRole.Admin) &&
|
||||||
@@ -477,8 +479,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: secretApprovalRequest.projectId,
|
projectId: secretApprovalRequest.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (
|
if (
|
||||||
!hasRole(ProjectMembershipRole.Admin) &&
|
!hasRole(ProjectMembershipRole.Admin) &&
|
||||||
@@ -534,8 +535,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (
|
if (
|
||||||
@@ -951,7 +951,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
bypassReason,
|
bypassReason,
|
||||||
secretPath: policy.secretPath,
|
secretPath: policy.secretPath,
|
||||||
environment: env.name,
|
environment: env.name,
|
||||||
approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`
|
approvalUrl: `${cfg.SITE_URL}/projects/${project.id}/secret-manager/approval`
|
||||||
},
|
},
|
||||||
template: SmtpTemplates.AccessSecretRequestBypassed
|
template: SmtpTemplates.AccessSecretRequestBypassed
|
||||||
});
|
});
|
||||||
@@ -980,8 +980,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
|
throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.ReadValue, {
|
||||||
@@ -1271,8 +1270,7 @@ export const secretApprovalRequestServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
|
const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
|
||||||
if (!folder)
|
if (!folder)
|
||||||
|
@@ -84,7 +84,7 @@ export type TReviewRequestDTO = {
|
|||||||
comment?: string;
|
comment?: string;
|
||||||
} & Omit<TProjectPermission, "projectId">;
|
} & Omit<TProjectPermission, "projectId">;
|
||||||
|
|
||||||
export type TApprovalRequestCountDTO = TProjectPermission;
|
export type TApprovalRequestCountDTO = TProjectPermission & { policyId?: string };
|
||||||
|
|
||||||
export type TListApprovalsDTO = {
|
export type TListApprovalsDTO = {
|
||||||
projectId: string;
|
projectId: string;
|
||||||
|
@@ -166,7 +166,9 @@ export const secretRotationV2QueueServiceFactory = async ({
|
|||||||
secretPath: folder.path,
|
secretPath: folder.path,
|
||||||
environment: environment.name,
|
environment: environment.name,
|
||||||
projectName: project.name,
|
projectName: project.name,
|
||||||
rotationUrl: encodeURI(`${appCfg.SITE_URL}/secret-manager/${projectId}/secrets/${environment.slug}`)
|
rotationUrl: encodeURI(
|
||||||
|
`${appCfg.SITE_URL}/projects/${projectId}/secret-manager/secrets/${environment.slug}`
|
||||||
|
)
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
|
@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
|
|||||||
import { Knex } from "knex";
|
import { Knex } from "knex";
|
||||||
import isEqual from "lodash.isequal";
|
import isEqual from "lodash.isequal";
|
||||||
|
|
||||||
import { ActionProjectType, SecretType, TableName } from "@app/db/schemas";
|
import { SecretType, TableName } from "@app/db/schemas";
|
||||||
import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
|
import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
||||||
@@ -218,7 +218,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -269,7 +269,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -315,7 +315,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -380,7 +380,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -424,7 +424,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -625,7 +625,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -775,7 +775,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -1105,7 +1105,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -1152,7 +1152,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -1204,7 +1204,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -1320,8 +1320,7 @@ export const secretRotationV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>
|
const permissiveFolderMappings = folderMappings.filter(({ path, environment }) =>
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
import Ajv from "ajv";
|
import Ajv from "ajv";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
|
import { ProjectVersion, TableName } from "@app/db/schemas";
|
||||||
import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
|
import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
import { TProjectPermission } from "@app/lib/types";
|
import { TProjectPermission } from "@app/lib/types";
|
||||||
@@ -66,8 +66,7 @@ export const secretRotationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionSecretRotationActions.Read,
|
ProjectPermissionSecretRotationActions.Read,
|
||||||
@@ -98,8 +97,7 @@ export const secretRotationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionSecretRotationActions.Read,
|
ProjectPermissionSecretRotationActions.Read,
|
||||||
@@ -215,8 +213,7 @@ export const secretRotationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionSecretRotationActions.Read,
|
ProjectPermissionSecretRotationActions.Read,
|
||||||
@@ -264,8 +261,7 @@ export const secretRotationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionSecretRotationActions.Edit,
|
ProjectPermissionSecretRotationActions.Edit,
|
||||||
@@ -285,8 +281,7 @@ export const secretRotationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: doc.projectId,
|
projectId: doc.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionSecretRotationActions.Delete,
|
ProjectPermissionSecretRotationActions.Delete,
|
||||||
|
@@ -318,7 +318,7 @@ export const secretScanningV2QueueServiceFactory = async ({
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
batchSize: 1,
|
batchSize: 1,
|
||||||
workerCount: 20,
|
workerCount: 2,
|
||||||
pollingIntervalSeconds: 1
|
pollingIntervalSeconds: 1
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
@@ -539,7 +539,7 @@ export const secretScanningV2QueueServiceFactory = async ({
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
batchSize: 1,
|
batchSize: 1,
|
||||||
workerCount: 20,
|
workerCount: 2,
|
||||||
pollingIntervalSeconds: 1
|
pollingIntervalSeconds: 1
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
@@ -588,7 +588,7 @@ export const secretScanningV2QueueServiceFactory = async ({
|
|||||||
numberOfSecrets: payload.numberOfSecrets,
|
numberOfSecrets: payload.numberOfSecrets,
|
||||||
isDiffScan: payload.isDiffScan,
|
isDiffScan: payload.isDiffScan,
|
||||||
url: encodeURI(
|
url: encodeURI(
|
||||||
`${appCfg.SITE_URL}/secret-scanning/${projectId}/findings?search=scanId:${payload.scanId}`
|
`${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/findings?search=scanId:${payload.scanId}`
|
||||||
),
|
),
|
||||||
timestamp
|
timestamp
|
||||||
}
|
}
|
||||||
@@ -599,7 +599,7 @@ export const secretScanningV2QueueServiceFactory = async ({
|
|||||||
timestamp,
|
timestamp,
|
||||||
errorMessage: payload.errorMessage,
|
errorMessage: payload.errorMessage,
|
||||||
url: encodeURI(
|
url: encodeURI(
|
||||||
`${appCfg.SITE_URL}/secret-scanning/${projectId}/data-sources/${dataSource.type}/${dataSource.id}`
|
`${appCfg.SITE_URL}/projects/${projectId}/secret-scanning/data-sources/${dataSource.type}/${dataSource.id}`
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@@ -613,7 +613,7 @@ export const secretScanningV2QueueServiceFactory = async ({
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
batchSize: 1,
|
batchSize: 1,
|
||||||
workerCount: 5,
|
workerCount: 2,
|
||||||
pollingIntervalSeconds: 1
|
pollingIntervalSeconds: 1
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
@@ -1,7 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import { join } from "path";
|
import { join } from "path";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -92,7 +91,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -154,7 +153,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -199,7 +198,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -233,7 +232,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: payload.projectId
|
projectId: payload.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -346,7 +345,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -399,7 +398,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -444,7 +443,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -508,7 +507,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -553,7 +552,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -596,7 +595,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -639,7 +638,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: dataSource.projectId
|
projectId: dataSource.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -672,7 +671,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -706,7 +705,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -746,7 +745,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId: finding.projectId
|
projectId: finding.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -777,7 +776,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -812,7 +811,7 @@ export const secretScanningV2ServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretScanning,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@@ -2,7 +2,7 @@
|
|||||||
// akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
|
// akhilmhdh: I did this, quite strange bug with eslint. Everything do have a type stil has this error
|
||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
|
import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
|
||||||
import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
|
import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
|
||||||
import { InternalServerError, NotFoundError } from "@app/lib/errors";
|
import { InternalServerError, NotFoundError } from "@app/lib/errors";
|
||||||
import { groupBy } from "@app/lib/fn";
|
import { groupBy } from "@app/lib/fn";
|
||||||
@@ -103,8 +103,7 @@ export const secretSnapshotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
||||||
|
|
||||||
@@ -140,8 +139,7 @@ export const secretSnapshotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
||||||
|
|
||||||
@@ -169,8 +167,7 @@ export const secretSnapshotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: snapshot.projectId,
|
projectId: snapshot.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
|
||||||
@@ -390,8 +387,7 @@ export const secretSnapshotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: snapshot.projectId,
|
projectId: snapshot.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Create,
|
ProjectPermissionActions.Create,
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -59,8 +58,7 @@ export const sshCertificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -132,8 +130,7 @@ export const sshCertificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -201,8 +198,7 @@ export const sshCertificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certificateTemplate.projectId,
|
projectId: certificateTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -228,8 +224,7 @@ export const sshCertificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
|
import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
|
||||||
@@ -80,8 +79,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -173,8 +171,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -270,8 +267,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -294,8 +290,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -321,8 +316,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -360,8 +354,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -400,8 +393,7 @@ export const sshHostGroupServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshHostGroup.projectId,
|
projectId: sshHostGroup.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SshHostGroups);
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { Knex } from "knex";
|
import { Knex } from "knex";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { BadRequestError } from "@app/lib/errors";
|
import { BadRequestError } from "@app/lib/errors";
|
||||||
|
|
||||||
import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
|
import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "../permission/project-permission";
|
||||||
@@ -63,8 +62,7 @@ export const createSshLoginMappings = async ({
|
|||||||
userId: user.id,
|
userId: user.id,
|
||||||
projectId,
|
projectId,
|
||||||
authMethod: actorAuthMethod,
|
authMethod: actorAuthMethod,
|
||||||
userOrgId: actorOrgId,
|
userOrgId: actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType } from "@app/db/schemas";
|
|
||||||
import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
|
import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionSshHostActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
@@ -12,11 +11,13 @@ import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certif
|
|||||||
import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
|
import { TSshHostDALFactory } from "@app/ee/services/ssh-host/ssh-host-dal";
|
||||||
import { TSshHostLoginUserMappingDALFactory } from "@app/ee/services/ssh-host/ssh-host-login-user-mapping-dal";
|
import { TSshHostLoginUserMappingDALFactory } from "@app/ee/services/ssh-host/ssh-host-login-user-mapping-dal";
|
||||||
import { TSshHostLoginUserDALFactory } from "@app/ee/services/ssh-host/ssh-login-user-dal";
|
import { TSshHostLoginUserDALFactory } from "@app/ee/services/ssh-host/ssh-login-user-dal";
|
||||||
|
import { PgSqlLock } from "@app/keystore/keystore";
|
||||||
import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
|
||||||
import { ActorType } from "@app/services/auth/auth-type";
|
import { ActorType } from "@app/services/auth/auth-type";
|
||||||
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
|
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
|
||||||
import { KmsDataKey } from "@app/services/kms/kms-types";
|
import { KmsDataKey } from "@app/services/kms/kms-types";
|
||||||
import { TProjectDALFactory } from "@app/services/project/project-dal";
|
import { TProjectDALFactory } from "@app/services/project/project-dal";
|
||||||
|
import { bootstrapSshProject } from "@app/services/project/project-fns";
|
||||||
import { TProjectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
|
import { TProjectSshConfigDALFactory } from "@app/services/project/project-ssh-config-dal";
|
||||||
import { TUserDALFactory } from "@app/services/user/user-dal";
|
import { TUserDALFactory } from "@app/services/user/user-dal";
|
||||||
|
|
||||||
@@ -43,9 +44,9 @@ type TSshHostServiceFactoryDep = {
|
|||||||
userDAL: Pick<TUserDALFactory, "findById" | "find">;
|
userDAL: Pick<TUserDALFactory, "findById" | "find">;
|
||||||
groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
|
groupDAL: Pick<TGroupDALFactory, "findGroupsByProjectId">;
|
||||||
projectDAL: Pick<TProjectDALFactory, "find">;
|
projectDAL: Pick<TProjectDALFactory, "find">;
|
||||||
projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne">;
|
projectSshConfigDAL: Pick<TProjectSshConfigDALFactory, "findOne" | "transaction" | "create">;
|
||||||
sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne">;
|
sshCertificateAuthorityDAL: Pick<TSshCertificateAuthorityDALFactory, "findOne" | "transaction" | "create">;
|
||||||
sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne">;
|
sshCertificateAuthoritySecretDAL: Pick<TSshCertificateAuthoritySecretDALFactory, "findOne" | "create">;
|
||||||
sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
|
sshCertificateDAL: Pick<TSshCertificateDALFactory, "create" | "transaction">;
|
||||||
sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
|
sshCertificateBodyDAL: Pick<TSshCertificateBodyDALFactory, "create">;
|
||||||
userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembershipsByUserIdInOrg">;
|
userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "findGroupMembershipsByUserIdInOrg">;
|
||||||
@@ -98,8 +99,7 @@ export const sshHostServiceFactory = ({
|
|||||||
}
|
}
|
||||||
|
|
||||||
const sshProjects = await projectDAL.find({
|
const sshProjects = await projectDAL.find({
|
||||||
orgId: actorOrgId,
|
orgId: actorOrgId
|
||||||
type: ProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const allowedHosts = [];
|
const allowedHosts = [];
|
||||||
@@ -111,8 +111,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
|
const projectHosts = await sshHostDAL.findUserAccessibleSshHosts([project.id], actorId);
|
||||||
@@ -145,8 +144,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -184,7 +182,25 @@ export const sshHostServiceFactory = ({
|
|||||||
return ca.id;
|
return ca.id;
|
||||||
};
|
};
|
||||||
|
|
||||||
const projectSshConfig = await projectSshConfigDAL.findOne({ projectId });
|
let projectSshConfig = await projectSshConfigDAL.findOne({ projectId });
|
||||||
|
if (!projectSshConfig) {
|
||||||
|
projectSshConfig = await projectSshConfigDAL.transaction(async (tx) => {
|
||||||
|
await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.SshInit(projectId)]);
|
||||||
|
|
||||||
|
let sshConfig = await projectSshConfigDAL.findOne({ projectId }, tx);
|
||||||
|
if (sshConfig) return sshConfig;
|
||||||
|
|
||||||
|
sshConfig = await bootstrapSshProject({
|
||||||
|
projectId,
|
||||||
|
sshCertificateAuthorityDAL,
|
||||||
|
sshCertificateAuthoritySecretDAL,
|
||||||
|
kmsService,
|
||||||
|
projectSshConfigDAL,
|
||||||
|
tx
|
||||||
|
});
|
||||||
|
return sshConfig;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
const userSshCaId = await resolveSshCaId({
|
const userSshCaId = await resolveSshCaId({
|
||||||
requestedId: requestedUserSshCaId,
|
requestedId: requestedUserSshCaId,
|
||||||
@@ -257,8 +273,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: host.projectId,
|
projectId: host.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -319,8 +334,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: host.projectId,
|
projectId: host.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -348,8 +362,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: host.projectId,
|
projectId: host.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -388,8 +401,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: host.projectId,
|
projectId: host.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const internalPrincipals = await convertActorToPrincipals({
|
const internalPrincipals = await convertActorToPrincipals({
|
||||||
@@ -508,8 +520,7 @@ export const sshHostServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: host.projectId,
|
projectId: host.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
|
import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
|
||||||
@@ -73,8 +72,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -109,8 +107,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -178,8 +175,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -217,8 +213,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -259,8 +254,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshCertificateTemplate.projectId,
|
projectId: sshCertificateTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -381,8 +375,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: sshCertificateTemplate.projectId,
|
projectId: sshCertificateTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -479,8 +472,7 @@ export const sshCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { BadRequestError } from "@app/lib/errors";
|
import { BadRequestError } from "@app/lib/errors";
|
||||||
import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
|
import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
|
||||||
import { TProjectDALFactory } from "@app/services/project/project-dal";
|
import { TProjectDALFactory } from "@app/services/project/project-dal";
|
||||||
@@ -36,8 +35,7 @@ export const trustedIpServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
|
||||||
const trustedIps = await trustedIpDAL.find({
|
const trustedIps = await trustedIpDAL.find({
|
||||||
@@ -61,8 +59,7 @@ export const trustedIpServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
||||||
|
|
||||||
@@ -107,8 +104,7 @@ export const trustedIpServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
||||||
|
|
||||||
@@ -153,8 +149,7 @@ export const trustedIpServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
|
||||||
|
|
||||||
|
@@ -12,7 +12,8 @@ export const PgSqlLock = {
|
|||||||
OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
|
OrgGatewayCertExchange: (orgId: string) => pgAdvisoryLockHashText(`org-gateway-cert-exchange:${orgId}`),
|
||||||
SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
|
SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
|
||||||
CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
|
CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
|
||||||
CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`)
|
CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`),
|
||||||
|
SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`)
|
||||||
} as const;
|
} as const;
|
||||||
|
|
||||||
// all the key prefixes used must be set here to avoid conflict
|
// all the key prefixes used must be set here to avoid conflict
|
||||||
|
@@ -700,7 +700,8 @@ export const PROJECTS = {
|
|||||||
slug: "An optional slug for the project. (must be unique within the organization)",
|
slug: "An optional slug for the project. (must be unique within the organization)",
|
||||||
hasDeleteProtection: "Enable or disable delete protection for the project.",
|
hasDeleteProtection: "Enable or disable delete protection for the project.",
|
||||||
secretSharing: "Enable or disable secret sharing for the project.",
|
secretSharing: "Enable or disable secret sharing for the project.",
|
||||||
showSnapshotsLegacy: "Enable or disable legacy snapshots for the project."
|
showSnapshotsLegacy: "Enable or disable legacy snapshots for the project.",
|
||||||
|
defaultProduct: "The default product in which the project will open"
|
||||||
},
|
},
|
||||||
GET_KEY: {
|
GET_KEY: {
|
||||||
workspaceId: "The ID of the project to get the key from."
|
workspaceId: "The ID of the project to get the key from."
|
||||||
@@ -2427,7 +2428,8 @@ export const SecretSyncs = {
|
|||||||
keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
|
keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
|
||||||
},
|
},
|
||||||
ONEPASS: {
|
ONEPASS: {
|
||||||
vaultId: "The ID of the 1Password vault to sync secrets to."
|
vaultId: "The ID of the 1Password vault to sync secrets to.",
|
||||||
|
valueLabel: "The label of the entry that holds the secret value."
|
||||||
},
|
},
|
||||||
HEROKU: {
|
HEROKU: {
|
||||||
app: "The ID of the Heroku app to sync secrets to.",
|
app: "The ID of the Heroku app to sync secrets to.",
|
||||||
|
@@ -995,8 +995,7 @@ export const registerRoutes = async (
|
|||||||
pkiAlertDAL,
|
pkiAlertDAL,
|
||||||
pkiCollectionDAL,
|
pkiCollectionDAL,
|
||||||
permissionService,
|
permissionService,
|
||||||
smtpService,
|
smtpService
|
||||||
projectDAL
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const pkiCollectionService = pkiCollectionServiceFactory({
|
const pkiCollectionService = pkiCollectionServiceFactory({
|
||||||
@@ -1004,8 +1003,7 @@ export const registerRoutes = async (
|
|||||||
pkiCollectionItemDAL,
|
pkiCollectionItemDAL,
|
||||||
certificateAuthorityDAL,
|
certificateAuthorityDAL,
|
||||||
certificateDAL,
|
certificateDAL,
|
||||||
permissionService,
|
permissionService
|
||||||
projectDAL
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const projectTemplateService = projectTemplateServiceFactory({
|
const projectTemplateService = projectTemplateServiceFactory({
|
||||||
@@ -1189,7 +1187,9 @@ export const registerRoutes = async (
|
|||||||
projectEnvDAL,
|
projectEnvDAL,
|
||||||
snapshotService,
|
snapshotService,
|
||||||
projectDAL,
|
projectDAL,
|
||||||
folderCommitService
|
folderCommitService,
|
||||||
|
secretApprovalPolicyService,
|
||||||
|
secretV2BridgeDAL
|
||||||
});
|
});
|
||||||
|
|
||||||
const secretImportService = secretImportServiceFactory({
|
const secretImportService = secretImportServiceFactory({
|
||||||
@@ -1615,7 +1615,8 @@ export const registerRoutes = async (
|
|||||||
secretSharingDAL,
|
secretSharingDAL,
|
||||||
secretVersionV2DAL: secretVersionV2BridgeDAL,
|
secretVersionV2DAL: secretVersionV2BridgeDAL,
|
||||||
identityUniversalAuthClientSecretDAL: identityUaClientSecretDAL,
|
identityUniversalAuthClientSecretDAL: identityUaClientSecretDAL,
|
||||||
serviceTokenService
|
serviceTokenService,
|
||||||
|
orgService
|
||||||
});
|
});
|
||||||
|
|
||||||
const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
|
const dailyExpiringPkiItemAlert = dailyExpiringPkiItemAlertQueueServiceFactory({
|
||||||
@@ -1663,8 +1664,7 @@ export const registerRoutes = async (
|
|||||||
const cmekService = cmekServiceFactory({
|
const cmekService = cmekServiceFactory({
|
||||||
kmsDAL,
|
kmsDAL,
|
||||||
kmsService,
|
kmsService,
|
||||||
permissionService,
|
permissionService
|
||||||
projectDAL
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const externalMigrationQueue = externalMigrationQueueFactory({
|
const externalMigrationQueue = externalMigrationQueueFactory({
|
||||||
@@ -1806,7 +1806,6 @@ export const registerRoutes = async (
|
|||||||
|
|
||||||
const certificateAuthorityService = certificateAuthorityServiceFactory({
|
const certificateAuthorityService = certificateAuthorityServiceFactory({
|
||||||
certificateAuthorityDAL,
|
certificateAuthorityDAL,
|
||||||
projectDAL,
|
|
||||||
permissionService,
|
permissionService,
|
||||||
appConnectionDAL,
|
appConnectionDAL,
|
||||||
appConnectionService,
|
appConnectionService,
|
||||||
@@ -1816,7 +1815,8 @@ export const registerRoutes = async (
|
|||||||
certificateBodyDAL,
|
certificateBodyDAL,
|
||||||
certificateSecretDAL,
|
certificateSecretDAL,
|
||||||
kmsService,
|
kmsService,
|
||||||
pkiSubscriberDAL
|
pkiSubscriberDAL,
|
||||||
|
projectDAL
|
||||||
});
|
});
|
||||||
|
|
||||||
const internalCaFns = InternalCertificateAuthorityFns({
|
const internalCaFns = InternalCertificateAuthorityFns({
|
||||||
|
@@ -251,6 +251,7 @@ export const SanitizedProjectSchema = ProjectsSchema.pick({
|
|||||||
name: true,
|
name: true,
|
||||||
description: true,
|
description: true,
|
||||||
type: true,
|
type: true,
|
||||||
|
defaultProduct: true,
|
||||||
slug: true,
|
slug: true,
|
||||||
autoCapitalization: true,
|
autoCapitalization: true,
|
||||||
orgId: true,
|
orgId: true,
|
||||||
|
@@ -113,52 +113,73 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
|
|||||||
hide: false,
|
hide: false,
|
||||||
tags: [ApiDocsTags.AuditLogs],
|
tags: [ApiDocsTags.AuditLogs],
|
||||||
description: "Get all audit logs for an organization",
|
description: "Get all audit logs for an organization",
|
||||||
querystring: z.object({
|
querystring: z
|
||||||
projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
|
.object({
|
||||||
environment: z.string().optional().describe(AUDIT_LOGS.EXPORT.environment),
|
projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
|
||||||
actorType: z.nativeEnum(ActorType).optional(),
|
environment: z.string().optional().describe(AUDIT_LOGS.EXPORT.environment),
|
||||||
secretPath: z
|
actorType: z.nativeEnum(ActorType).optional(),
|
||||||
.string()
|
secretPath: z
|
||||||
.optional()
|
.string()
|
||||||
.transform((val) => (!val ? val : removeTrailingSlash(val)))
|
.optional()
|
||||||
.describe(AUDIT_LOGS.EXPORT.secretPath),
|
.transform((val) => (!val ? val : removeTrailingSlash(val)))
|
||||||
secretKey: z.string().optional().describe(AUDIT_LOGS.EXPORT.secretKey),
|
.describe(AUDIT_LOGS.EXPORT.secretPath),
|
||||||
|
secretKey: z.string().optional().describe(AUDIT_LOGS.EXPORT.secretKey),
|
||||||
|
// eventType is split with , for multiple values, we need to transform it to array
|
||||||
|
eventType: z
|
||||||
|
.string()
|
||||||
|
.optional()
|
||||||
|
.transform((val) => (val ? val.split(",") : undefined)),
|
||||||
|
userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
|
||||||
|
eventMetadata: z
|
||||||
|
.string()
|
||||||
|
.optional()
|
||||||
|
.transform((val) => {
|
||||||
|
if (!val) {
|
||||||
|
return undefined;
|
||||||
|
}
|
||||||
|
|
||||||
// eventType is split with , for multiple values, we need to transform it to array
|
const pairs = val.split(",");
|
||||||
eventType: z
|
|
||||||
.string()
|
return pairs.reduce(
|
||||||
.optional()
|
(acc, pair) => {
|
||||||
.transform((val) => (val ? val.split(",") : undefined)),
|
const [key, value] = pair.split("=");
|
||||||
userAgentType: z.nativeEnum(UserAgentType).optional().describe(AUDIT_LOGS.EXPORT.userAgentType),
|
if (key && value) {
|
||||||
eventMetadata: z
|
acc[key] = value;
|
||||||
.string()
|
}
|
||||||
.optional()
|
return acc;
|
||||||
.transform((val) => {
|
},
|
||||||
if (!val) {
|
{} as Record<string, string>
|
||||||
return undefined;
|
);
|
||||||
|
})
|
||||||
|
.describe(AUDIT_LOGS.EXPORT.eventMetadata),
|
||||||
|
startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
|
||||||
|
endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
|
||||||
|
offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
|
||||||
|
limit: z.coerce.number().max(1000).default(20).describe(AUDIT_LOGS.EXPORT.limit),
|
||||||
|
actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
|
||||||
|
})
|
||||||
|
.superRefine((el, ctx) => {
|
||||||
|
if (el.endDate && el.startDate) {
|
||||||
|
const startDate = new Date(el.startDate);
|
||||||
|
const endDate = new Date(el.endDate);
|
||||||
|
const maxAllowedDate = new Date(startDate);
|
||||||
|
maxAllowedDate.setMonth(maxAllowedDate.getMonth() + 3);
|
||||||
|
if (endDate < startDate) {
|
||||||
|
ctx.addIssue({
|
||||||
|
code: z.ZodIssueCode.custom,
|
||||||
|
path: ["endDate"],
|
||||||
|
message: "End date cannot be before start date"
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
if (endDate > maxAllowedDate) {
|
||||||
const pairs = val.split(",");
|
ctx.addIssue({
|
||||||
|
code: z.ZodIssueCode.custom,
|
||||||
return pairs.reduce(
|
path: ["endDate"],
|
||||||
(acc, pair) => {
|
message: "Dates must be within 3 months"
|
||||||
const [key, value] = pair.split("=");
|
});
|
||||||
if (key && value) {
|
}
|
||||||
acc[key] = value;
|
}
|
||||||
}
|
}),
|
||||||
return acc;
|
|
||||||
},
|
|
||||||
{} as Record<string, string>
|
|
||||||
);
|
|
||||||
})
|
|
||||||
.describe(AUDIT_LOGS.EXPORT.eventMetadata),
|
|
||||||
startDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.startDate),
|
|
||||||
endDate: z.string().datetime().optional().describe(AUDIT_LOGS.EXPORT.endDate),
|
|
||||||
offset: z.coerce.number().default(0).describe(AUDIT_LOGS.EXPORT.offset),
|
|
||||||
limit: z.coerce.number().default(20).describe(AUDIT_LOGS.EXPORT.limit),
|
|
||||||
actor: z.string().optional().describe(AUDIT_LOGS.EXPORT.actor)
|
|
||||||
}),
|
|
||||||
|
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
auditLogs: AuditLogsSchema.omit({
|
auditLogs: AuditLogsSchema.omit({
|
||||||
@@ -188,14 +209,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
|
|||||||
const auditLogs = await server.services.auditLog.listAuditLogs({
|
const auditLogs = await server.services.auditLog.listAuditLogs({
|
||||||
filter: {
|
filter: {
|
||||||
...req.query,
|
...req.query,
|
||||||
endDate: req.query.endDate,
|
endDate: req.query.endDate || new Date().toISOString(),
|
||||||
projectId: req.query.projectId,
|
projectId: req.query.projectId,
|
||||||
startDate: req.query.startDate || getLastMidnightDateISO(),
|
startDate: req.query.startDate || getLastMidnightDateISO(),
|
||||||
auditLogActorId: req.query.actor,
|
auditLogActorId: req.query.actor,
|
||||||
actorType: req.query.actorType,
|
actorType: req.query.actorType,
|
||||||
eventType: req.query.eventType as EventType[] | undefined
|
eventType: req.query.eventType as EventType[] | undefined
|
||||||
},
|
},
|
||||||
|
|
||||||
actorId: req.permission.id,
|
actorId: req.permission.id,
|
||||||
actorOrgId: req.permission.orgId,
|
actorOrgId: req.permission.orgId,
|
||||||
actorAuthMethod: req.permission.authMethod,
|
actorAuthMethod: req.permission.authMethod,
|
||||||
|
@@ -158,17 +158,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
includeRoles: z
|
includeRoles: z
|
||||||
.enum(["true", "false"])
|
.enum(["true", "false"])
|
||||||
.default("false")
|
.default("false")
|
||||||
.transform((value) => value === "true"),
|
.transform((value) => value === "true")
|
||||||
type: z
|
|
||||||
.enum([
|
|
||||||
ProjectType.SecretManager,
|
|
||||||
ProjectType.KMS,
|
|
||||||
ProjectType.CertificateManager,
|
|
||||||
ProjectType.SSH,
|
|
||||||
ProjectType.SecretScanning,
|
|
||||||
"all"
|
|
||||||
])
|
|
||||||
.optional()
|
|
||||||
}),
|
}),
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
@@ -187,8 +177,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
actorId: req.permission.id,
|
actorId: req.permission.id,
|
||||||
actorAuthMethod: req.permission.authMethod,
|
actorAuthMethod: req.permission.authMethod,
|
||||||
actor: req.permission.type,
|
actor: req.permission.type,
|
||||||
actorOrgId: req.permission.orgId,
|
actorOrgId: req.permission.orgId
|
||||||
type: req.query.type
|
|
||||||
});
|
});
|
||||||
return { workspaces };
|
return { workspaces };
|
||||||
}
|
}
|
||||||
@@ -377,7 +366,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
.optional()
|
.optional()
|
||||||
.describe(PROJECTS.UPDATE.slug),
|
.describe(PROJECTS.UPDATE.slug),
|
||||||
secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing),
|
secretSharing: z.boolean().optional().describe(PROJECTS.UPDATE.secretSharing),
|
||||||
showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy)
|
showSnapshotsLegacy: z.boolean().optional().describe(PROJECTS.UPDATE.showSnapshotsLegacy),
|
||||||
|
defaultProduct: z.nativeEnum(ProjectType).optional().describe(PROJECTS.UPDATE.defaultProduct)
|
||||||
}),
|
}),
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
@@ -396,6 +386,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
name: req.body.name,
|
name: req.body.name,
|
||||||
description: req.body.description,
|
description: req.body.description,
|
||||||
autoCapitalization: req.body.autoCapitalization,
|
autoCapitalization: req.body.autoCapitalization,
|
||||||
|
defaultProduct: req.body.defaultProduct,
|
||||||
hasDeleteProtection: req.body.hasDeleteProtection,
|
hasDeleteProtection: req.body.hasDeleteProtection,
|
||||||
slug: req.body.slug,
|
slug: req.body.slug,
|
||||||
secretSharing: req.body.secretSharing,
|
secretSharing: req.body.secretSharing,
|
||||||
@@ -1059,7 +1050,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
body: z.object({
|
body: z.object({
|
||||||
limit: z.number().default(100),
|
limit: z.number().default(100),
|
||||||
offset: z.number().default(0),
|
offset: z.number().default(0),
|
||||||
type: z.nativeEnum(ProjectType).optional(),
|
|
||||||
orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
|
orderBy: z.nativeEnum(SearchProjectSortBy).optional().default(SearchProjectSortBy.NAME),
|
||||||
orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
|
orderDirection: z.nativeEnum(SortDirection).optional().default(SortDirection.ASC),
|
||||||
name: z
|
name: z
|
||||||
|
@@ -4,7 +4,6 @@ import {
|
|||||||
OrgMembershipsSchema,
|
OrgMembershipsSchema,
|
||||||
ProjectMembershipsSchema,
|
ProjectMembershipsSchema,
|
||||||
ProjectsSchema,
|
ProjectsSchema,
|
||||||
ProjectType,
|
|
||||||
UserEncryptionKeysSchema,
|
UserEncryptionKeysSchema,
|
||||||
UsersSchema
|
UsersSchema
|
||||||
} from "@app/db/schemas";
|
} from "@app/db/schemas";
|
||||||
@@ -85,9 +84,6 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
|
|||||||
params: z.object({
|
params: z.object({
|
||||||
organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
|
organizationId: z.string().trim().describe(ORGANIZATIONS.GET_PROJECTS.organizationId)
|
||||||
}),
|
}),
|
||||||
querystring: z.object({
|
|
||||||
type: z.nativeEnum(ProjectType).optional().describe(ORGANIZATIONS.GET_PROJECTS.type)
|
|
||||||
}),
|
|
||||||
response: {
|
response: {
|
||||||
200: z.object({
|
200: z.object({
|
||||||
workspaces: z
|
workspaces: z
|
||||||
@@ -114,8 +110,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
|
|||||||
actorId: req.permission.id,
|
actorId: req.permission.id,
|
||||||
actorOrgId: req.permission.orgId,
|
actorOrgId: req.permission.orgId,
|
||||||
actorAuthMethod: req.permission.authMethod,
|
actorAuthMethod: req.permission.authMethod,
|
||||||
orgId: req.params.organizationId,
|
orgId: req.params.organizationId
|
||||||
type: req.query.type
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return { workspaces };
|
return { workspaces };
|
||||||
|
@@ -457,6 +457,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
rateLimit: readLimit
|
rateLimit: readLimit
|
||||||
},
|
},
|
||||||
schema: {
|
schema: {
|
||||||
|
hide: false,
|
||||||
|
tags: [ApiDocsTags.PkiAlerting],
|
||||||
params: z.object({
|
params: z.object({
|
||||||
projectId: z.string().trim()
|
projectId: z.string().trim()
|
||||||
}),
|
}),
|
||||||
@@ -487,6 +489,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
rateLimit: readLimit
|
rateLimit: readLimit
|
||||||
},
|
},
|
||||||
schema: {
|
schema: {
|
||||||
|
hide: false,
|
||||||
|
tags: [ApiDocsTags.PkiCertificateCollections],
|
||||||
params: z.object({
|
params: z.object({
|
||||||
projectId: z.string().trim()
|
projectId: z.string().trim()
|
||||||
}),
|
}),
|
||||||
@@ -549,6 +553,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
|
|||||||
rateLimit: readLimit
|
rateLimit: readLimit
|
||||||
},
|
},
|
||||||
schema: {
|
schema: {
|
||||||
|
hide: false,
|
||||||
|
tags: [ApiDocsTags.PkiCertificateTemplates],
|
||||||
params: z.object({
|
params: z.object({
|
||||||
projectId: z.string().trim()
|
projectId: z.string().trim()
|
||||||
}),
|
}),
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType, TableName } from "@app/db/schemas";
|
import { TableName } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -50,10 +50,7 @@ type TCertificateAuthorityServiceFactoryDep = {
|
|||||||
>;
|
>;
|
||||||
externalCertificateAuthorityDAL: Pick<TExternalCertificateAuthorityDALFactory, "create" | "update">;
|
externalCertificateAuthorityDAL: Pick<TExternalCertificateAuthorityDALFactory, "create" | "update">;
|
||||||
internalCertificateAuthorityService: TInternalCertificateAuthorityServiceFactory;
|
internalCertificateAuthorityService: TInternalCertificateAuthorityServiceFactory;
|
||||||
projectDAL: Pick<
|
projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
|
||||||
TProjectDALFactory,
|
|
||||||
"findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction" | "getProjectFromSplitId"
|
|
||||||
>;
|
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
||||||
certificateDAL: Pick<TCertificateDALFactory, "create" | "transaction">;
|
certificateDAL: Pick<TCertificateDALFactory, "create" | "transaction">;
|
||||||
certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
|
certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
|
||||||
@@ -98,23 +95,12 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
{ type, projectId, name, enableDirectIssuance, configuration, status }: TCreateCertificateAuthorityDTO,
|
{ type, projectId, name, enableDirectIssuance, configuration, status }: TCreateCertificateAuthorityDTO,
|
||||||
actor: OrgServiceActor
|
actor: OrgServiceActor
|
||||||
) => {
|
) => {
|
||||||
let finalProjectId: string = projectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
finalProjectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor: actor.type,
|
actor: actor.type,
|
||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: finalProjectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -126,7 +112,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
const ca = await internalCertificateAuthorityService.createCa({
|
const ca = await internalCertificateAuthorityService.createCa({
|
||||||
...(configuration as TCreateInternalCertificateAuthorityDTO["configuration"]),
|
...(configuration as TCreateInternalCertificateAuthorityDTO["configuration"]),
|
||||||
isInternal: true,
|
isInternal: true,
|
||||||
projectId: finalProjectId,
|
projectId,
|
||||||
enableDirectIssuance,
|
enableDirectIssuance,
|
||||||
name
|
name
|
||||||
});
|
});
|
||||||
@@ -142,7 +128,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
type,
|
type,
|
||||||
enableDirectIssuance: ca.enableDirectIssuance,
|
enableDirectIssuance: ca.enableDirectIssuance,
|
||||||
name: ca.name,
|
name: ca.name,
|
||||||
projectId: finalProjectId,
|
projectId,
|
||||||
status,
|
status,
|
||||||
configuration: ca.internalCa
|
configuration: ca.internalCa
|
||||||
} as TCertificateAuthority;
|
} as TCertificateAuthority;
|
||||||
@@ -151,7 +137,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
if (type === CaType.ACME) {
|
if (type === CaType.ACME) {
|
||||||
return acmeFns.createCertificateAuthority({
|
return acmeFns.createCertificateAuthority({
|
||||||
name,
|
name,
|
||||||
projectId: finalProjectId,
|
projectId,
|
||||||
configuration: configuration as TCreateAcmeCertificateAuthorityDTO["configuration"],
|
configuration: configuration as TCreateAcmeCertificateAuthorityDTO["configuration"],
|
||||||
enableDirectIssuance,
|
enableDirectIssuance,
|
||||||
status,
|
status,
|
||||||
@@ -181,8 +167,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: certificateAuthority.projectId,
|
projectId: certificateAuthority.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -225,23 +210,12 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
{ projectId, type }: { projectId: string; type: CaType },
|
{ projectId, type }: { projectId: string; type: CaType },
|
||||||
actor: OrgServiceActor
|
actor: OrgServiceActor
|
||||||
) => {
|
) => {
|
||||||
let finalProjectId: string = projectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
finalProjectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor: actor.type,
|
actor: actor.type,
|
||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: finalProjectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -251,7 +225,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
|
|
||||||
if (type === CaType.INTERNAL) {
|
if (type === CaType.INTERNAL) {
|
||||||
const cas = await certificateAuthorityDAL.findWithAssociatedCa({
|
const cas = await certificateAuthorityDAL.findWithAssociatedCa({
|
||||||
[`${TableName.CertificateAuthority}.projectId` as "projectId"]: finalProjectId,
|
[`${TableName.CertificateAuthority}.projectId` as "projectId"]: projectId,
|
||||||
$notNull: [`${TableName.InternalCertificateAuthority}.id` as "id"]
|
$notNull: [`${TableName.InternalCertificateAuthority}.id` as "id"]
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -269,7 +243,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (type === CaType.ACME) {
|
if (type === CaType.ACME) {
|
||||||
return acmeFns.listCertificateAuthorities({ projectId: finalProjectId });
|
return acmeFns.listCertificateAuthorities({ projectId });
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new BadRequestError({ message: "Invalid certificate authority type" });
|
throw new BadRequestError({ message: "Invalid certificate authority type" });
|
||||||
@@ -294,8 +268,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: certificateAuthority.projectId,
|
projectId: certificateAuthority.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -368,8 +341,7 @@ export const certificateAuthorityServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: certificateAuthority.projectId,
|
projectId: certificateAuthority.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -5,13 +5,7 @@ import slugify from "@sindresorhus/slugify";
|
|||||||
import crypto, { KeyObject } from "crypto";
|
import crypto, { KeyObject } from "crypto";
|
||||||
import { z } from "zod";
|
import { z } from "zod";
|
||||||
|
|
||||||
import {
|
import { TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
|
||||||
ActionProjectType,
|
|
||||||
ProjectType,
|
|
||||||
TableName,
|
|
||||||
TCertificateAuthorities,
|
|
||||||
TCertificateTemplates
|
|
||||||
} from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
ProjectPermissionActions,
|
ProjectPermissionActions,
|
||||||
@@ -105,10 +99,7 @@ type TInternalCertificateAuthorityServiceFactoryDep = {
|
|||||||
certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
|
certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
|
||||||
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
||||||
pkiCollectionItemDAL: Pick<TPkiCollectionItemDALFactory, "create">;
|
pkiCollectionItemDAL: Pick<TPkiCollectionItemDALFactory, "create">;
|
||||||
projectDAL: Pick<
|
projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
|
||||||
TProjectDALFactory,
|
|
||||||
"findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction" | "getProjectFromSplitId"
|
|
||||||
>;
|
|
||||||
kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
|
kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
||||||
};
|
};
|
||||||
@@ -154,21 +145,12 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
if (!project) throw new NotFoundError({ message: `Project with slug '${dto.projectSlug}' not found` });
|
if (!project) throw new NotFoundError({ message: `Project with slug '${dto.projectSlug}' not found` });
|
||||||
projectId = project.id;
|
projectId = project.id;
|
||||||
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor: dto.actor,
|
actor: dto.actor,
|
||||||
actorId: dto.actorId,
|
actorId: dto.actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: dto.actorAuthMethod,
|
actorAuthMethod: dto.actorAuthMethod,
|
||||||
actorOrgId: dto.actorOrgId,
|
actorOrgId: dto.actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -351,8 +333,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Read,
|
ProjectPermissionActions.Read,
|
||||||
@@ -376,8 +357,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId: dto.actorId,
|
actorId: dto.actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod: dto.actorAuthMethod,
|
actorAuthMethod: dto.actorAuthMethod,
|
||||||
actorOrgId: dto.actorOrgId,
|
actorOrgId: dto.actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -409,8 +389,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -435,8 +414,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -499,8 +477,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -786,8 +763,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -823,8 +799,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -904,8 +879,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1052,8 +1026,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1224,8 +1197,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1581,8 +1553,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId: dto.actorId,
|
actorId: dto.actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod: dto.actorAuthMethod,
|
actorAuthMethod: dto.actorAuthMethod,
|
||||||
actorOrgId: dto.actorOrgId,
|
actorOrgId: dto.actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1949,8 +1920,7 @@ export const internalCertificateAuthorityServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const certificateTemplates = await certificateTemplateDAL.find({ caId });
|
const certificateTemplates = await certificateTemplateDAL.find({ caId });
|
||||||
|
@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
|
|||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
import bcrypt from "bcrypt";
|
import bcrypt from "bcrypt";
|
||||||
|
|
||||||
import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
|
import { TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -76,8 +76,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -138,8 +137,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -203,8 +201,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -230,8 +227,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -272,8 +268,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -355,8 +350,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -435,8 +429,7 @@ export const certificateTemplateServiceFactory = ({
|
|||||||
actorId: dto.actorId,
|
actorId: dto.actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod: dto.actorAuthMethod,
|
actorAuthMethod: dto.actorAuthMethod,
|
||||||
actorOrgId: dto.actorOrgId,
|
actorOrgId: dto.actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -2,7 +2,6 @@ import { ForbiddenError } from "@casl/ability";
|
|||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
import { createPrivateKey, createPublicKey, sign, verify } from "crypto";
|
import { createPrivateKey, createPublicKey, sign, verify } from "crypto";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType } from "@app/db/schemas";
|
|
||||||
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -48,10 +47,7 @@ type TCertificateServiceFactoryDep = {
|
|||||||
certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
|
certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
|
||||||
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
||||||
pkiCollectionItemDAL: Pick<TPkiCollectionItemDALFactory, "create">;
|
pkiCollectionItemDAL: Pick<TPkiCollectionItemDALFactory, "create">;
|
||||||
projectDAL: Pick<
|
projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
|
||||||
TProjectDALFactory,
|
|
||||||
"findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction" | "getProjectFromSplitId"
|
|
||||||
>;
|
|
||||||
kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
|
kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
||||||
};
|
};
|
||||||
@@ -83,8 +79,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: cert.projectId,
|
projectId: cert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -114,8 +109,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: cert.projectId,
|
projectId: cert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -148,8 +142,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: cert.projectId,
|
projectId: cert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -198,8 +191,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -247,8 +239,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: cert.projectId,
|
projectId: cert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -321,23 +312,14 @@ export const certificateServiceFactory = ({
|
|||||||
|
|
||||||
const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
|
const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
|
||||||
if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
|
if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
|
||||||
let projectId = project.id;
|
const projectId = project.id;
|
||||||
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -541,8 +523,7 @@ export const certificateServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: cert.projectId,
|
projectId: cert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { SigningAlgorithm } from "@app/lib/crypto/sign";
|
import { SigningAlgorithm } from "@app/lib/crypto/sign";
|
||||||
@@ -23,32 +22,23 @@ import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
|
|||||||
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
|
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
|
||||||
|
|
||||||
import { KmsKeyUsage } from "../kms/kms-types";
|
import { KmsKeyUsage } from "../kms/kms-types";
|
||||||
import { TProjectDALFactory } from "../project/project-dal";
|
|
||||||
|
|
||||||
type TCmekServiceFactoryDep = {
|
type TCmekServiceFactoryDep = {
|
||||||
kmsService: TKmsServiceFactory;
|
kmsService: TKmsServiceFactory;
|
||||||
kmsDAL: TKmsKeyDALFactory;
|
kmsDAL: TKmsKeyDALFactory;
|
||||||
permissionService: TPermissionServiceFactory;
|
permissionService: TPermissionServiceFactory;
|
||||||
projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId">;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
|
export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
|
||||||
|
|
||||||
export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, projectDAL }: TCmekServiceFactoryDep) => {
|
export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TCmekServiceFactoryDep) => {
|
||||||
const createCmek = async ({ projectId: preSplitProjectId, ...dto }: TCreateCmekDTO, actor: OrgServiceActor) => {
|
const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: OrgServiceActor) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const cmekProjectFromSplit = await projectDAL.getProjectFromSplitId(projectId, ProjectType.KMS);
|
|
||||||
if (cmekProjectFromSplit) {
|
|
||||||
projectId = cmekProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor: actor.type,
|
actor: actor.type,
|
||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
|
||||||
|
|
||||||
@@ -87,8 +77,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
|
||||||
@@ -124,8 +113,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
|
||||||
@@ -135,23 +123,13 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
return key;
|
return key;
|
||||||
};
|
};
|
||||||
|
|
||||||
const listCmeksByProjectId = async (
|
const listCmeksByProjectId = async ({ projectId, ...filters }: TListCmeksByProjectIdDTO, actor: OrgServiceActor) => {
|
||||||
{ projectId: preSplitProjectId, ...filters }: TListCmeksByProjectIdDTO,
|
|
||||||
actor: OrgServiceActor
|
|
||||||
) => {
|
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const cmekProjectFromSplit = await projectDAL.getProjectFromSplitId(preSplitProjectId, ProjectType.KMS);
|
|
||||||
if (cmekProjectFromSplit) {
|
|
||||||
projectId = cmekProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor: actor.type,
|
actor: actor.type,
|
||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
||||||
@@ -173,8 +151,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
||||||
@@ -195,8 +172,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
||||||
@@ -218,8 +194,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
|
||||||
@@ -246,8 +221,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
||||||
@@ -294,8 +268,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
|
||||||
@@ -318,8 +291,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Sign, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Sign, ProjectPermissionSub.Cmek);
|
||||||
@@ -353,8 +325,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Verify, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Verify, ProjectPermissionSub.Cmek);
|
||||||
@@ -389,8 +360,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId: key.projectId,
|
projectId: key.projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.KMS
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
|
||||||
|
@@ -4,7 +4,7 @@
|
|||||||
import { Knex } from "knex";
|
import { Knex } from "knex";
|
||||||
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
||||||
|
|
||||||
import { ProjectType, TSecretFolderVersions, TSecretVersionsV2 } from "@app/db/schemas";
|
import { TSecretFolderVersions, TSecretVersionsV2 } from "@app/db/schemas";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
|
|
||||||
import { ActorType } from "../auth/auth-type";
|
import { ActorType } from "../auth/auth-type";
|
||||||
@@ -433,8 +433,7 @@ describe("folderCommitServiceFactory", () => {
|
|||||||
mockFolderCommitDAL.findCommitsToRecreate.mockResolvedValue([]);
|
mockFolderCommitDAL.findCommitsToRecreate.mockResolvedValue([]);
|
||||||
mockProjectDAL.findProjectByEnvId.mockResolvedValue({
|
mockProjectDAL.findProjectByEnvId.mockResolvedValue({
|
||||||
id: "project-id",
|
id: "project-id",
|
||||||
name: "test-project",
|
name: "test-project"
|
||||||
type: ProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// Act
|
// Act
|
||||||
|
@@ -2,13 +2,7 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
import { Knex } from "knex";
|
import { Knex } from "knex";
|
||||||
|
|
||||||
import {
|
import { TSecretFolders, TSecretFolderVersions, TSecretV2TagJunctionInsert, TSecretVersionsV2 } from "@app/db/schemas";
|
||||||
ActionProjectType,
|
|
||||||
TSecretFolders,
|
|
||||||
TSecretFolderVersions,
|
|
||||||
TSecretV2TagJunctionInsert,
|
|
||||||
TSecretVersionsV2
|
|
||||||
} from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { getConfig } from "@app/lib/config/env";
|
import { getConfig } from "@app/lib/config/env";
|
||||||
@@ -223,8 +217,7 @@ export const folderCommitServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCommitsActions.Read, ProjectPermissionSub.Commits);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCommitsActions.Read, ProjectPermissionSub.Commits);
|
||||||
@@ -2067,8 +2060,7 @@ export const folderCommitServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
|
import { ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
|
||||||
import { TListProjectGroupUsersDTO } from "@app/ee/services/group/group-types";
|
import { TListProjectGroupUsersDTO } from "@app/ee/services/group/group-types";
|
||||||
import {
|
import {
|
||||||
constructPermissionErrorMessage,
|
constructPermissionErrorMessage,
|
||||||
@@ -79,8 +79,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Create, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Create, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
@@ -267,8 +266,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Edit, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Edit, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
@@ -381,8 +379,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Delete, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Delete, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
@@ -426,8 +423,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
@@ -454,8 +450,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
@@ -496,8 +491,7 @@ export const groupProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
|
||||||
|
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
|
import { ProjectMembershipRole } from "@app/db/schemas";
|
||||||
import {
|
import {
|
||||||
constructPermissionErrorMessage,
|
constructPermissionErrorMessage,
|
||||||
validatePrivilegeChangeOperation
|
validatePrivilegeChangeOperation
|
||||||
@@ -62,8 +62,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Create,
|
ProjectPermissionIdentityActions.Create,
|
||||||
@@ -180,8 +179,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Edit,
|
ProjectPermissionIdentityActions.Edit,
|
||||||
@@ -291,8 +289,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Delete,
|
ProjectPermissionIdentityActions.Delete,
|
||||||
@@ -320,8 +317,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionIdentityActions.Read,
|
ProjectPermissionIdentityActions.Read,
|
||||||
@@ -354,8 +350,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -391,8 +386,7 @@ export const identityProjectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: membership.projectId,
|
projectId: membership.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -4,13 +4,7 @@ import { Octokit } from "@octokit/rest";
|
|||||||
import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } from "@octopusdeploy/api-client";
|
import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } from "@octopusdeploy/api-client";
|
||||||
import AWS from "aws-sdk";
|
import AWS from "aws-sdk";
|
||||||
|
|
||||||
import {
|
import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
|
||||||
ActionProjectType,
|
|
||||||
SecretEncryptionAlgo,
|
|
||||||
SecretKeyEncoding,
|
|
||||||
TIntegrationAuths,
|
|
||||||
TIntegrationAuthsInsert
|
|
||||||
} from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { getConfig } from "@app/lib/config/env";
|
import { getConfig } from "@app/lib/config/env";
|
||||||
@@ -103,8 +97,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const authorizations = await integrationAuthDAL.find({ projectId });
|
const authorizations = await integrationAuthDAL.find({ projectId });
|
||||||
@@ -122,8 +115,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: auth.projectId,
|
projectId: auth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
|
return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
|
||||||
@@ -146,8 +138,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
return integrationAuth;
|
return integrationAuth;
|
||||||
@@ -172,8 +163,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -282,8 +272,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -417,8 +406,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -679,8 +667,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -714,8 +701,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -745,8 +731,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -787,8 +772,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -816,8 +800,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -891,8 +874,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -939,8 +921,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -974,8 +955,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1033,8 +1013,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1070,8 +1049,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1112,8 +1090,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1153,8 +1130,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1194,8 +1170,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1234,8 +1209,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1275,8 +1249,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1344,8 +1317,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1419,8 +1391,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1470,8 +1441,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1519,8 +1489,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1588,8 +1557,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1630,8 +1598,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1743,8 +1710,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -1767,8 +1733,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -1801,8 +1766,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(sourcePermission).throwUnlessCan(
|
ForbiddenError.from(sourcePermission).throwUnlessCan(
|
||||||
@@ -1815,8 +1779,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(targetPermission).throwUnlessCan(
|
ForbiddenError.from(targetPermission).throwUnlessCan(
|
||||||
@@ -1849,8 +1812,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -1884,8 +1846,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
@@ -1925,8 +1886,7 @@ export const integrationAuthServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -91,8 +90,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integrationAuth.projectId,
|
projectId: integrationAuth.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -167,8 +165,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integration.projectId,
|
projectId: integration.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -231,8 +228,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integration.projectId,
|
projectId: integration.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -259,8 +255,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integration.projectId,
|
projectId: integration.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -302,8 +297,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integration.projectId,
|
projectId: integration.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -339,8 +333,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -359,8 +352,7 @@ export const integrationServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: integration.projectId,
|
projectId: integration.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
|
@@ -400,7 +400,7 @@ export const buildTeamsPayload = (notification: TNotification) => {
|
|||||||
{
|
{
|
||||||
type: "Action.OpenUrl",
|
type: "Action.OpenUrl",
|
||||||
title: "View request in Infisical",
|
title: "View request in Infisical",
|
||||||
url: `${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${payload.requestId}`
|
url: `${appCfg.SITE_URL}/projects/${payload.projectId}/secret-manager/approval?requestId=${payload.requestId}`
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
};
|
};
|
||||||
|
@@ -103,8 +103,41 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
const findRecentInvitedMemberships = async () => {
|
||||||
|
try {
|
||||||
|
const now = new Date();
|
||||||
|
const oneWeekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
|
||||||
|
const oneMonthAgo = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
|
||||||
|
const threeMonthsAgo = new Date(now.getTime() - 90 * 24 * 60 * 60 * 1000);
|
||||||
|
|
||||||
|
const memberships = await db
|
||||||
|
.replicaNode()(TableName.OrgMembership)
|
||||||
|
.where("status", "invited")
|
||||||
|
.where((qb) => {
|
||||||
|
// lastInvitedAt is null AND createdAt is between 1 week and 3 months ago
|
||||||
|
void qb
|
||||||
|
.whereNull(`${TableName.OrgMembership}.lastInvitedAt`)
|
||||||
|
.whereBetween(`${TableName.OrgMembership}.createdAt`, [threeMonthsAgo, oneWeekAgo]);
|
||||||
|
})
|
||||||
|
.orWhere((qb) => {
|
||||||
|
// lastInvitedAt is older than 1 week ago AND createdAt is younger than 1 month ago
|
||||||
|
void qb
|
||||||
|
.where(`${TableName.OrgMembership}.lastInvitedAt`, "<", oneMonthAgo)
|
||||||
|
.where(`${TableName.OrgMembership}.createdAt`, ">", oneWeekAgo);
|
||||||
|
});
|
||||||
|
|
||||||
|
return memberships;
|
||||||
|
} catch (error) {
|
||||||
|
throw new DatabaseError({
|
||||||
|
error,
|
||||||
|
name: "Find recent invited memberships"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
return {
|
return {
|
||||||
...orgMembershipOrm,
|
...orgMembershipOrm,
|
||||||
findOrgMembershipById
|
findOrgMembershipById,
|
||||||
|
findRecentInvitedMemberships
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@@ -5,7 +5,6 @@ import jwt from "jsonwebtoken";
|
|||||||
import { Knex } from "knex";
|
import { Knex } from "knex";
|
||||||
|
|
||||||
import {
|
import {
|
||||||
ActionProjectType,
|
|
||||||
OrgMembershipRole,
|
OrgMembershipRole,
|
||||||
OrgMembershipStatus,
|
OrgMembershipStatus,
|
||||||
ProjectMembershipRole,
|
ProjectMembershipRole,
|
||||||
@@ -108,7 +107,10 @@ type TOrgServiceFactoryDep = {
|
|||||||
"findProjectMembershipsByUserId" | "delete" | "create" | "find" | "insertMany" | "transaction"
|
"findProjectMembershipsByUserId" | "delete" | "create" | "find" | "insertMany" | "transaction"
|
||||||
>;
|
>;
|
||||||
projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">;
|
projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">;
|
||||||
orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOrgMembershipById" | "findOne" | "findById">;
|
orgMembershipDAL: Pick<
|
||||||
|
TOrgMembershipDALFactory,
|
||||||
|
"findOrgMembershipById" | "findOne" | "findById" | "findRecentInvitedMemberships" | "updateById"
|
||||||
|
>;
|
||||||
incidentContactDAL: TIncidentContactsDALFactory;
|
incidentContactDAL: TIncidentContactsDALFactory;
|
||||||
samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne">;
|
samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne">;
|
||||||
oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
|
oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
|
||||||
@@ -235,14 +237,14 @@ export const orgServiceFactory = ({
|
|||||||
return org;
|
return org;
|
||||||
};
|
};
|
||||||
|
|
||||||
const findAllWorkspaces = async ({ actor, actorId, orgId, type }: TFindAllWorkspacesDTO) => {
|
const findAllWorkspaces = async ({ actor, actorId, orgId }: TFindAllWorkspacesDTO) => {
|
||||||
if (actor === ActorType.USER) {
|
if (actor === ActorType.USER) {
|
||||||
const workspaces = await projectDAL.findUserProjects(actorId, orgId, type || "all");
|
const workspaces = await projectDAL.findUserProjects(actorId, orgId);
|
||||||
return workspaces;
|
return workspaces;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (actor === ActorType.IDENTITY) {
|
if (actor === ActorType.IDENTITY) {
|
||||||
const workspaces = await projectDAL.findAllProjectsByIdentity(actorId, type);
|
const workspaces = await projectDAL.findAllProjectsByIdentity(actorId);
|
||||||
return workspaces;
|
return workspaces;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -972,8 +974,7 @@ export const orgServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(projectPermission).throwUnlessCan(
|
ForbiddenError.from(projectPermission).throwUnlessCan(
|
||||||
ProjectPermissionMemberActions.Create,
|
ProjectPermissionMemberActions.Create,
|
||||||
@@ -1424,6 +1425,53 @@ export const orgServiceFactory = ({
|
|||||||
return incidentContact;
|
return incidentContact;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Re-send emails to users who haven't accepted an invite yet
|
||||||
|
*/
|
||||||
|
const notifyInvitedUsers = async () => {
|
||||||
|
const invitedUsers = await orgMembershipDAL.findRecentInvitedMemberships();
|
||||||
|
const appCfg = getConfig();
|
||||||
|
|
||||||
|
const orgCache: Record<string, { name: string; id: string } | undefined> = {};
|
||||||
|
|
||||||
|
await Promise.all(
|
||||||
|
invitedUsers.map(async (invitedUser) => {
|
||||||
|
let org = orgCache[invitedUser.orgId];
|
||||||
|
if (!org) {
|
||||||
|
org = await orgDAL.findById(invitedUser.orgId);
|
||||||
|
orgCache[invitedUser.orgId] = org;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!org || !invitedUser.userId) return;
|
||||||
|
|
||||||
|
const token = await tokenService.createTokenForUser({
|
||||||
|
type: TokenType.TOKEN_EMAIL_ORG_INVITATION,
|
||||||
|
userId: invitedUser.userId,
|
||||||
|
orgId: org.id
|
||||||
|
});
|
||||||
|
|
||||||
|
if (invitedUser.inviteEmail) {
|
||||||
|
await smtpService.sendMail({
|
||||||
|
template: SmtpTemplates.OrgInvite,
|
||||||
|
subjectLine: `Reminder: You have been invited to ${org.name} on Infisical`,
|
||||||
|
recipients: [invitedUser.inviteEmail],
|
||||||
|
substitutions: {
|
||||||
|
organizationName: org.name,
|
||||||
|
email: invitedUser.inviteEmail,
|
||||||
|
organizationId: org.id.toString(),
|
||||||
|
token,
|
||||||
|
callback_url: `${appCfg.SITE_URL}/signupinvite`
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
await orgMembershipDAL.updateById(invitedUser.id, {
|
||||||
|
lastInvitedAt: new Date()
|
||||||
|
});
|
||||||
|
})
|
||||||
|
);
|
||||||
|
};
|
||||||
|
|
||||||
return {
|
return {
|
||||||
findOrganizationById,
|
findOrganizationById,
|
||||||
findAllOrgMembers,
|
findAllOrgMembers,
|
||||||
@@ -1447,6 +1495,7 @@ export const orgServiceFactory = ({
|
|||||||
listProjectMembershipsByOrgMembershipId,
|
listProjectMembershipsByOrgMembershipId,
|
||||||
findOrgBySlug,
|
findOrgBySlug,
|
||||||
resendOrgMemberInvitation,
|
resendOrgMemberInvitation,
|
||||||
upgradePrivilegeSystem
|
upgradePrivilegeSystem,
|
||||||
|
notifyInvitedUsers
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@@ -1,4 +1,3 @@
|
|||||||
import { ProjectType } from "@app/db/schemas";
|
|
||||||
import { TOrgPermission } from "@app/lib/types";
|
import { TOrgPermission } from "@app/lib/types";
|
||||||
|
|
||||||
import { ActorAuthMethod, ActorType, MfaMethod } from "../auth/auth-type";
|
import { ActorAuthMethod, ActorType, MfaMethod } from "../auth/auth-type";
|
||||||
@@ -60,7 +59,6 @@ export type TFindAllWorkspacesDTO = {
|
|||||||
actorOrgId: string | undefined;
|
actorOrgId: string | undefined;
|
||||||
actorAuthMethod: ActorAuthMethod;
|
actorAuthMethod: ActorAuthMethod;
|
||||||
orgId: string;
|
orgId: string;
|
||||||
type?: ProjectType;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TUpdateOrgDTO = {
|
export type TUpdateOrgDTO = {
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -9,7 +8,6 @@ import { TPkiCollectionDALFactory } from "@app/services/pki-collection/pki-colle
|
|||||||
import { pkiItemTypeToNameMap } from "@app/services/pki-collection/pki-collection-types";
|
import { pkiItemTypeToNameMap } from "@app/services/pki-collection/pki-collection-types";
|
||||||
import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
|
import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
|
||||||
|
|
||||||
import { TProjectDALFactory } from "../project/project-dal";
|
|
||||||
import { TPkiAlertDALFactory } from "./pki-alert-dal";
|
import { TPkiAlertDALFactory } from "./pki-alert-dal";
|
||||||
import { TCreateAlertDTO, TDeleteAlertDTO, TGetAlertByIdDTO, TUpdateAlertDTO } from "./pki-alert-types";
|
import { TCreateAlertDTO, TDeleteAlertDTO, TGetAlertByIdDTO, TUpdateAlertDTO } from "./pki-alert-types";
|
||||||
|
|
||||||
@@ -21,7 +19,6 @@ type TPkiAlertServiceFactoryDep = {
|
|||||||
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
pkiCollectionDAL: Pick<TPkiCollectionDALFactory, "findById">;
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
||||||
smtpService: Pick<TSmtpService, "sendMail">;
|
smtpService: Pick<TSmtpService, "sendMail">;
|
||||||
projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId">;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TPkiAlertServiceFactory = ReturnType<typeof pkiAlertServiceFactory>;
|
export type TPkiAlertServiceFactory = ReturnType<typeof pkiAlertServiceFactory>;
|
||||||
@@ -30,8 +27,7 @@ export const pkiAlertServiceFactory = ({
|
|||||||
pkiAlertDAL,
|
pkiAlertDAL,
|
||||||
pkiCollectionDAL,
|
pkiCollectionDAL,
|
||||||
permissionService,
|
permissionService,
|
||||||
smtpService,
|
smtpService
|
||||||
projectDAL
|
|
||||||
}: TPkiAlertServiceFactoryDep) => {
|
}: TPkiAlertServiceFactoryDep) => {
|
||||||
const sendPkiItemExpiryNotices = async () => {
|
const sendPkiItemExpiryNotices = async () => {
|
||||||
const allAlertItems = await pkiAlertDAL.getExpiringPkiCollectionItemsForAlerting();
|
const allAlertItems = await pkiAlertDAL.getExpiringPkiCollectionItemsForAlerting();
|
||||||
@@ -67,7 +63,7 @@ export const pkiAlertServiceFactory = ({
|
|||||||
};
|
};
|
||||||
|
|
||||||
const createPkiAlert = async ({
|
const createPkiAlert = async ({
|
||||||
projectId: preSplitProjectId,
|
projectId,
|
||||||
name,
|
name,
|
||||||
pkiCollectionId,
|
pkiCollectionId,
|
||||||
alertBeforeDays,
|
alertBeforeDays,
|
||||||
@@ -77,22 +73,12 @@ export const pkiAlertServiceFactory = ({
|
|||||||
actor,
|
actor,
|
||||||
actorOrgId
|
actorOrgId
|
||||||
}: TCreateAlertDTO) => {
|
}: TCreateAlertDTO) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts);
|
||||||
@@ -121,8 +107,7 @@ export const pkiAlertServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: alert.projectId,
|
projectId: alert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
|
||||||
@@ -148,8 +133,7 @@ export const pkiAlertServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: alert.projectId,
|
projectId: alert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts);
|
||||||
@@ -181,8 +165,7 @@ export const pkiAlertServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: alert.projectId,
|
projectId: alert.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts);
|
||||||
|
@@ -1,13 +1,12 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectType, TPkiCollectionItems } from "@app/db/schemas";
|
import { TPkiCollectionItems } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
|
import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
|
||||||
import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
|
import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
|
||||||
|
|
||||||
import { TProjectDALFactory } from "../project/project-dal";
|
|
||||||
import { TPkiCollectionDALFactory } from "./pki-collection-dal";
|
import { TPkiCollectionDALFactory } from "./pki-collection-dal";
|
||||||
import { transformPkiCollectionItem } from "./pki-collection-fns";
|
import { transformPkiCollectionItem } from "./pki-collection-fns";
|
||||||
import { TPkiCollectionItemDALFactory } from "./pki-collection-item-dal";
|
import { TPkiCollectionItemDALFactory } from "./pki-collection-item-dal";
|
||||||
@@ -31,7 +30,6 @@ type TPkiCollectionServiceFactoryDep = {
|
|||||||
certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "find" | "findOne">;
|
certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "find" | "findOne">;
|
||||||
certificateDAL: Pick<TCertificateDALFactory, "find">;
|
certificateDAL: Pick<TCertificateDALFactory, "find">;
|
||||||
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
|
||||||
projectDAL: Pick<TProjectDALFactory, "getProjectFromSplitId">;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TPkiCollectionServiceFactory = ReturnType<typeof pkiCollectionServiceFactory>;
|
export type TPkiCollectionServiceFactory = ReturnType<typeof pkiCollectionServiceFactory>;
|
||||||
@@ -41,34 +39,23 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
pkiCollectionItemDAL,
|
pkiCollectionItemDAL,
|
||||||
certificateAuthorityDAL,
|
certificateAuthorityDAL,
|
||||||
certificateDAL,
|
certificateDAL,
|
||||||
permissionService,
|
permissionService
|
||||||
projectDAL
|
|
||||||
}: TPkiCollectionServiceFactoryDep) => {
|
}: TPkiCollectionServiceFactoryDep) => {
|
||||||
const createPkiCollection = async ({
|
const createPkiCollection = async ({
|
||||||
name,
|
name,
|
||||||
description,
|
description,
|
||||||
projectId: preSplitProjectId,
|
projectId,
|
||||||
actorId,
|
actorId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actor,
|
actor,
|
||||||
actorOrgId
|
actorOrgId
|
||||||
}: TCreatePkiCollectionDTO) => {
|
}: TCreatePkiCollectionDTO) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -100,8 +87,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
||||||
@@ -125,8 +111,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections);
|
||||||
@@ -153,8 +138,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -183,8 +167,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
||||||
@@ -227,8 +210,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -315,8 +297,7 @@ export const pkiCollectionServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: pkiCollection.projectId,
|
projectId: pkiCollection.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -2,7 +2,6 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -120,8 +119,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -183,8 +181,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -237,8 +234,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -300,8 +296,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -337,8 +332,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -393,8 +387,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -440,8 +433,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -699,8 +691,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -747,8 +738,7 @@ export const pkiSubscriberServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: subscriber.projectId,
|
projectId: subscriber.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -3,7 +3,6 @@ import { ForbiddenError, subject } from "@casl/ability";
|
|||||||
import * as x509 from "@peculiar/x509";
|
import * as x509 from "@peculiar/x509";
|
||||||
import RE2 from "re2";
|
import RE2 from "re2";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
@@ -119,8 +118,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: ca.projectId,
|
projectId: ca.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -172,8 +170,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -236,8 +233,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -269,8 +265,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -295,8 +290,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const certTemplate = await pkiTemplatesDAL.find({ projectId }, { limit, offset, count: true });
|
const certTemplate = await pkiTemplatesDAL.find({ projectId }, { limit, offset, count: true });
|
||||||
@@ -338,8 +332,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -385,8 +378,7 @@ export const pkiTemplatesServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: certTemplate.projectId,
|
projectId: certTemplate.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
|
@@ -1,6 +1,6 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectVersion } from "@app/db/schemas";
|
import { ProjectVersion } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { generateAsymmetricKeyPair } from "@app/lib/crypto";
|
import { generateAsymmetricKeyPair } from "@app/lib/crypto";
|
||||||
@@ -46,8 +46,7 @@ export const projectBotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
@@ -113,8 +112,7 @@ export const projectBotServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: bot.projectId,
|
projectId: bot.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
|
||||||
|
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
@@ -47,8 +46,7 @@ export const projectEnvServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);
|
||||||
|
|
||||||
@@ -136,8 +134,7 @@ export const projectEnvServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);
|
||||||
|
|
||||||
@@ -200,8 +197,7 @@ export const projectEnvServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);
|
||||||
|
|
||||||
@@ -256,8 +252,7 @@ export const projectEnvServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: environment.projectId,
|
projectId: environment.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
import { BadRequestError } from "@app/lib/errors";
|
import { BadRequestError } from "@app/lib/errors";
|
||||||
@@ -37,8 +36,7 @@ export const projectKeyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -67,8 +65,7 @@ export const projectKeyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
|
const latestKey = await projectKeyDAL.findLatestProjectKey(actorId, projectId);
|
||||||
return latestKey;
|
return latestKey;
|
||||||
@@ -86,8 +83,7 @@ export const projectKeyServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
return projectKeyDAL.findAllProjectUserPubKeys(projectId);
|
return projectKeyDAL.findAllProjectUserPubKeys(projectId);
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
/* eslint-disable no-await-in-loop */
|
/* eslint-disable no-await-in-loop */
|
||||||
import { ForbiddenError } from "@casl/ability";
|
import { ForbiddenError } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
|
import { ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import {
|
import {
|
||||||
constructPermissionErrorMessage,
|
constructPermissionErrorMessage,
|
||||||
@@ -90,8 +90,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -134,8 +133,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -157,8 +155,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -184,8 +181,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Create, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Create, ProjectPermissionSub.Member);
|
||||||
const orgMembers = await orgDAL.findMembership({
|
const orgMembers = await orgDAL.findMembership({
|
||||||
@@ -265,8 +261,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -375,8 +370,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
@@ -418,8 +412,7 @@ export const projectMembershipServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
|
||||||
|
|
||||||
|
@@ -11,7 +11,7 @@ import {
|
|||||||
} from "@app/ee/services/permission/default-roles";
|
} from "@app/ee/services/permission/default-roles";
|
||||||
import { TGetPredefinedRolesDTO } from "@app/services/project-role/project-role-types";
|
import { TGetPredefinedRolesDTO } from "@app/services/project-role/project-role-types";
|
||||||
|
|
||||||
export const getPredefinedRoles = ({ projectId, projectType, roleFilter }: TGetPredefinedRolesDTO) => {
|
export const getPredefinedRoles = ({ projectId, roleFilter }: TGetPredefinedRolesDTO) => {
|
||||||
return [
|
return [
|
||||||
{
|
{
|
||||||
id: uuidv4(),
|
id: uuidv4(),
|
||||||
@@ -75,5 +75,5 @@ export const getPredefinedRoles = ({ projectId, projectType, roleFilter }: TGetP
|
|||||||
createdAt: new Date(),
|
createdAt: new Date(),
|
||||||
updatedAt: new Date()
|
updatedAt: new Date()
|
||||||
}
|
}
|
||||||
].filter(({ slug, type }) => (type ? type === projectType : true) && (!roleFilter || roleFilter === slug));
|
].filter(({ slug }) => !roleFilter || roleFilter === slug);
|
||||||
};
|
};
|
||||||
|
@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
|
|||||||
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
|
||||||
import { requestContext } from "@fastify/request-context";
|
import { requestContext } from "@fastify/request-context";
|
||||||
|
|
||||||
import { ActionProjectType, ProjectMembershipRole, ProjectType, TableName, TProjects } from "@app/db/schemas";
|
import { ProjectMembershipRole, TableName, TProjects } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import {
|
import {
|
||||||
ProjectPermissionActions,
|
ProjectPermissionActions,
|
||||||
@@ -71,8 +71,7 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Role);
|
||||||
const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
|
const existingRole = await projectRoleDAL.findOne({ slug: data.slug, projectId });
|
||||||
@@ -112,14 +111,12 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
|
||||||
if (roleSlug !== "custom" && Object.values(ProjectMembershipRole).includes(roleSlug as ProjectMembershipRole)) {
|
if (roleSlug !== "custom" && Object.values(ProjectMembershipRole).includes(roleSlug as ProjectMembershipRole)) {
|
||||||
const [predefinedRole] = getPredefinedRoles({
|
const [predefinedRole] = getPredefinedRoles({
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
projectType: project.type as ProjectType,
|
|
||||||
roleFilter: roleSlug as ProjectMembershipRole
|
roleFilter: roleSlug as ProjectMembershipRole
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -142,8 +139,7 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectRole.projectId,
|
projectId: projectRole.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Role);
|
||||||
|
|
||||||
@@ -173,8 +169,7 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: projectRole.projectId,
|
projectId: projectRole.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Role);
|
||||||
|
|
||||||
@@ -215,18 +210,14 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
|
||||||
const customRoles = await projectRoleDAL.find(
|
const customRoles = await projectRoleDAL.find(
|
||||||
{ projectId: project.id },
|
{ projectId: project.id },
|
||||||
{ sort: [[`${TableName.ProjectRoles}.slug` as "slug", "asc"]] }
|
{ sort: [[`${TableName.ProjectRoles}.slug` as "slug", "asc"]] }
|
||||||
);
|
);
|
||||||
const roles = [
|
const roles = [...getPredefinedRoles({ projectId: project.id }), ...(customRoles || [])];
|
||||||
...getPredefinedRoles({ projectId: project.id, projectType: project.type as ProjectType }),
|
|
||||||
...(customRoles || [])
|
|
||||||
];
|
|
||||||
|
|
||||||
return roles;
|
return roles;
|
||||||
};
|
};
|
||||||
@@ -242,8 +233,7 @@ export const projectRoleServiceFactory = ({
|
|||||||
actorId: userId,
|
actorId: userId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
// just to satisfy ts
|
// just to satisfy ts
|
||||||
if (!("roles" in membership)) throw new BadRequestError({ message: "Service token not allowed" });
|
if (!("roles" in membership)) throw new BadRequestError({ message: "Service token not allowed" });
|
||||||
|
@@ -1,4 +1,4 @@
|
|||||||
import { ProjectMembershipRole, ProjectType, TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
|
import { ProjectMembershipRole, TOrgRolesUpdate, TProjectRolesInsert } from "@app/db/schemas";
|
||||||
import { TProjectPermission } from "@app/lib/types";
|
import { TProjectPermission } from "@app/lib/types";
|
||||||
|
|
||||||
export enum ProjectRoleServiceIdentifierType {
|
export enum ProjectRoleServiceIdentifierType {
|
||||||
@@ -37,6 +37,5 @@ export type TListRolesDTO = {
|
|||||||
|
|
||||||
export type TGetPredefinedRolesDTO = {
|
export type TGetPredefinedRolesDTO = {
|
||||||
projectId: string;
|
projectId: string;
|
||||||
projectType: ProjectType;
|
|
||||||
roleFilter?: ProjectMembershipRole;
|
roleFilter?: ProjectMembershipRole;
|
||||||
};
|
};
|
||||||
|
@@ -3,7 +3,6 @@ import { Knex } from "knex";
|
|||||||
import { TDbClient } from "@app/db";
|
import { TDbClient } from "@app/db";
|
||||||
import {
|
import {
|
||||||
ProjectsSchema,
|
ProjectsSchema,
|
||||||
ProjectType,
|
|
||||||
ProjectUpgradeStatus,
|
ProjectUpgradeStatus,
|
||||||
ProjectVersion,
|
ProjectVersion,
|
||||||
SortDirection,
|
SortDirection,
|
||||||
@@ -22,17 +21,12 @@ export type TProjectDALFactory = ReturnType<typeof projectDALFactory>;
|
|||||||
export const projectDALFactory = (db: TDbClient) => {
|
export const projectDALFactory = (db: TDbClient) => {
|
||||||
const projectOrm = ormify(db, TableName.Project);
|
const projectOrm = ormify(db, TableName.Project);
|
||||||
|
|
||||||
const findIdentityProjects = async (identityId: string, orgId: string, projectType: ProjectType | "all") => {
|
const findIdentityProjects = async (identityId: string, orgId: string) => {
|
||||||
try {
|
try {
|
||||||
const workspaces = await db(TableName.IdentityProjectMembership)
|
const workspaces = await db(TableName.IdentityProjectMembership)
|
||||||
.where({ identityId })
|
.where({ identityId })
|
||||||
.join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
|
.join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
|
||||||
.where(`${TableName.Project}.orgId`, orgId)
|
.where(`${TableName.Project}.orgId`, orgId)
|
||||||
.andWhere((qb) => {
|
|
||||||
if (projectType !== "all") {
|
|
||||||
void qb.where(`${TableName.Project}.type`, projectType);
|
|
||||||
}
|
|
||||||
})
|
|
||||||
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
||||||
.select(
|
.select(
|
||||||
selectAllTableCols(TableName.Project),
|
selectAllTableCols(TableName.Project),
|
||||||
@@ -72,18 +66,13 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const findUserProjects = async (userId: string, orgId: string, projectType: ProjectType | "all") => {
|
const findUserProjects = async (userId: string, orgId: string) => {
|
||||||
try {
|
try {
|
||||||
const workspaces = await db
|
const workspaces = await db
|
||||||
.replicaNode()(TableName.ProjectMembership)
|
.replicaNode()(TableName.ProjectMembership)
|
||||||
.where({ userId })
|
.where({ userId })
|
||||||
.join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
|
.join(TableName.Project, `${TableName.ProjectMembership}.projectId`, `${TableName.Project}.id`)
|
||||||
.where(`${TableName.Project}.orgId`, orgId)
|
.where(`${TableName.Project}.orgId`, orgId)
|
||||||
.andWhere((qb) => {
|
|
||||||
if (projectType !== "all") {
|
|
||||||
void qb.where(`${TableName.Project}.type`, projectType);
|
|
||||||
}
|
|
||||||
})
|
|
||||||
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
||||||
.select(
|
.select(
|
||||||
selectAllTableCols(TableName.Project),
|
selectAllTableCols(TableName.Project),
|
||||||
@@ -103,11 +92,6 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
.whereIn("groupId", groups)
|
.whereIn("groupId", groups)
|
||||||
.join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
|
.join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
|
||||||
.where(`${TableName.Project}.orgId`, orgId)
|
.where(`${TableName.Project}.orgId`, orgId)
|
||||||
.andWhere((qb) => {
|
|
||||||
if (projectType !== "all") {
|
|
||||||
void qb.where(`${TableName.Project}.type`, projectType);
|
|
||||||
}
|
|
||||||
})
|
|
||||||
.whereNotIn(
|
.whereNotIn(
|
||||||
`${TableName.Project}.id`,
|
`${TableName.Project}.id`,
|
||||||
workspaces.map(({ id }) => id)
|
workspaces.map(({ id }) => id)
|
||||||
@@ -177,17 +161,12 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const findAllProjectsByIdentity = async (identityId: string, projectType?: ProjectType) => {
|
const findAllProjectsByIdentity = async (identityId: string) => {
|
||||||
try {
|
try {
|
||||||
const workspaces = await db
|
const workspaces = await db
|
||||||
.replicaNode()(TableName.IdentityProjectMembership)
|
.replicaNode()(TableName.IdentityProjectMembership)
|
||||||
.where({ identityId })
|
.where({ identityId })
|
||||||
.join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
|
.join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
|
||||||
.andWhere((qb) => {
|
|
||||||
if (projectType) {
|
|
||||||
void qb.where(`${TableName.Project}.type`, projectType);
|
|
||||||
}
|
|
||||||
})
|
|
||||||
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
.leftJoin(TableName.Environment, `${TableName.Environment}.projectId`, `${TableName.Project}.id`)
|
||||||
.select(
|
.select(
|
||||||
selectAllTableCols(TableName.Project),
|
selectAllTableCols(TableName.Project),
|
||||||
@@ -389,27 +368,10 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
const getProjectFromSplitId = async (projectId: string, projectType: ProjectType) => {
|
|
||||||
try {
|
|
||||||
const project = await db(TableName.ProjectSplitBackfillIds)
|
|
||||||
.where({
|
|
||||||
sourceProjectId: projectId,
|
|
||||||
destinationProjectType: projectType
|
|
||||||
})
|
|
||||||
.join(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectSplitBackfillIds}.destinationProjectId`)
|
|
||||||
.select(selectAllTableCols(TableName.Project))
|
|
||||||
.first();
|
|
||||||
return project;
|
|
||||||
} catch (error) {
|
|
||||||
throw new DatabaseError({ error, name: `Failed to find split project with id ${projectId}` });
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
const searchProjects = async (dto: {
|
const searchProjects = async (dto: {
|
||||||
orgId: string;
|
orgId: string;
|
||||||
actor: ActorType;
|
actor: ActorType;
|
||||||
actorId: string;
|
actorId: string;
|
||||||
type?: ProjectType;
|
|
||||||
limit?: number;
|
limit?: number;
|
||||||
offset?: number;
|
offset?: number;
|
||||||
name?: string;
|
name?: string;
|
||||||
@@ -464,9 +426,6 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
void query.orderBy([{ column: `${TableName.Project}.name`, order: sortDir }]);
|
void query.orderBy([{ column: `${TableName.Project}.name`, order: sortDir }]);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dto.type) {
|
|
||||||
void query.where(`${TableName.Project}.type`, dto.type);
|
|
||||||
}
|
|
||||||
if (dto.name) {
|
if (dto.name) {
|
||||||
void query.whereILike(`${TableName.Project}.name`, `%${dto.name}%`);
|
void query.whereILike(`${TableName.Project}.name`, `%${dto.name}%`);
|
||||||
}
|
}
|
||||||
@@ -512,7 +471,6 @@ export const projectDALFactory = (db: TDbClient) => {
|
|||||||
findProjectBySlug,
|
findProjectBySlug,
|
||||||
findProjectWithOrg,
|
findProjectWithOrg,
|
||||||
checkProjectUpgradeStatus,
|
checkProjectUpgradeStatus,
|
||||||
getProjectFromSplitId,
|
|
||||||
searchProjects,
|
searchProjects,
|
||||||
findProjectByEnvId,
|
findProjectByEnvId,
|
||||||
countOfOrgProjects
|
countOfOrgProjects
|
||||||
|
@@ -141,7 +141,7 @@ export const bootstrapSshProject = async ({
|
|||||||
tx
|
tx
|
||||||
});
|
});
|
||||||
|
|
||||||
await projectSshConfigDAL.create(
|
const sshConfig = await projectSshConfigDAL.create(
|
||||||
{
|
{
|
||||||
projectId,
|
projectId,
|
||||||
defaultHostSshCaId: hostSshCa.id,
|
defaultHostSshCaId: hostSshCa.id,
|
||||||
@@ -149,4 +149,5 @@ export const bootstrapSshProject = async ({
|
|||||||
},
|
},
|
||||||
tx
|
tx
|
||||||
);
|
);
|
||||||
|
return sshConfig;
|
||||||
};
|
};
|
||||||
|
@@ -1,14 +1,7 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
import slugify from "@sindresorhus/slugify";
|
import slugify from "@sindresorhus/slugify";
|
||||||
|
|
||||||
import {
|
import { ProjectMembershipRole, ProjectVersion, TableName, TProjectEnvironments } from "@app/db/schemas";
|
||||||
ActionProjectType,
|
|
||||||
ProjectMembershipRole,
|
|
||||||
ProjectType,
|
|
||||||
ProjectVersion,
|
|
||||||
TableName,
|
|
||||||
TProjectEnvironments
|
|
||||||
} from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
|
import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
|
||||||
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
||||||
@@ -249,8 +242,7 @@ export const projectServiceFactory = ({
|
|||||||
kmsKeyId,
|
kmsKeyId,
|
||||||
tx: trx,
|
tx: trx,
|
||||||
createDefaultEnvs = true,
|
createDefaultEnvs = true,
|
||||||
template = InfisicalProjectTemplate.Default,
|
template = InfisicalProjectTemplate.Default
|
||||||
type = ProjectType.SecretManager
|
|
||||||
}: TCreateProjectDTO) => {
|
}: TCreateProjectDTO) => {
|
||||||
const organization = await orgDAL.findOne({ id: actorOrgId });
|
const organization = await orgDAL.findOne({ id: actorOrgId });
|
||||||
const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
|
const { permission, membership: orgMembership } = await permissionService.getOrgPermission(
|
||||||
@@ -266,11 +258,7 @@ export const projectServiceFactory = ({
|
|||||||
await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateProject(organization.id)]);
|
await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.CreateProject(organization.id)]);
|
||||||
|
|
||||||
const plan = await licenseService.getPlan(organization.id);
|
const plan = await licenseService.getPlan(organization.id);
|
||||||
if (
|
if (plan.workspaceLimit !== null && plan.workspacesUsed >= plan.workspaceLimit) {
|
||||||
plan.workspaceLimit !== null &&
|
|
||||||
plan.workspacesUsed >= plan.workspaceLimit &&
|
|
||||||
type === ProjectType.SecretManager
|
|
||||||
) {
|
|
||||||
// case: limit imposed on number of workspaces allowed
|
// case: limit imposed on number of workspaces allowed
|
||||||
// case: number of workspaces used exceeds the number of workspaces allowed
|
// case: number of workspaces used exceeds the number of workspaces allowed
|
||||||
throw new BadRequestError({
|
throw new BadRequestError({
|
||||||
@@ -307,7 +295,6 @@ export const projectServiceFactory = ({
|
|||||||
const project = await projectDAL.create(
|
const project = await projectDAL.create(
|
||||||
{
|
{
|
||||||
name: workspaceName,
|
name: workspaceName,
|
||||||
type,
|
|
||||||
description: workspaceDescription,
|
description: workspaceDescription,
|
||||||
orgId: organization.id,
|
orgId: organization.id,
|
||||||
slug: projectSlug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
|
slug: projectSlug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
|
||||||
@@ -318,16 +305,14 @@ export const projectServiceFactory = ({
|
|||||||
tx
|
tx
|
||||||
);
|
);
|
||||||
|
|
||||||
if (type === ProjectType.SSH) {
|
await bootstrapSshProject({
|
||||||
await bootstrapSshProject({
|
projectId: project.id,
|
||||||
projectId: project.id,
|
sshCertificateAuthorityDAL,
|
||||||
sshCertificateAuthorityDAL,
|
sshCertificateAuthoritySecretDAL,
|
||||||
sshCertificateAuthoritySecretDAL,
|
kmsService,
|
||||||
kmsService,
|
projectSshConfigDAL,
|
||||||
projectSshConfigDAL,
|
tx
|
||||||
tx
|
});
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// set ghost user as admin of project
|
// set ghost user as admin of project
|
||||||
const projectMembership = await projectMembershipDAL.create(
|
const projectMembership = await projectMembershipDAL.create(
|
||||||
@@ -524,8 +509,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
|
||||||
|
|
||||||
@@ -583,18 +567,11 @@ export const projectServiceFactory = ({
|
|||||||
return deletedProject;
|
return deletedProject;
|
||||||
};
|
};
|
||||||
|
|
||||||
const getProjects = async ({
|
const getProjects = async ({ actorId, actor, includeRoles, actorAuthMethod, actorOrgId }: TListProjectsDTO) => {
|
||||||
actorId,
|
|
||||||
actor,
|
|
||||||
includeRoles,
|
|
||||||
actorAuthMethod,
|
|
||||||
actorOrgId,
|
|
||||||
type = ProjectType.SecretManager
|
|
||||||
}: TListProjectsDTO) => {
|
|
||||||
const workspaces =
|
const workspaces =
|
||||||
actor === ActorType.IDENTITY
|
actor === ActorType.IDENTITY
|
||||||
? await projectDAL.findIdentityProjects(actorId, actorOrgId, type)
|
? await projectDAL.findIdentityProjects(actorId, actorOrgId)
|
||||||
: await projectDAL.findUserProjects(actorId, actorOrgId, type);
|
: await projectDAL.findUserProjects(actorId, actorOrgId);
|
||||||
|
|
||||||
if (includeRoles) {
|
if (includeRoles) {
|
||||||
const { permission } = await permissionService.getUserOrgPermission(
|
const { permission } = await permissionService.getUserOrgPermission(
|
||||||
@@ -618,10 +595,7 @@ export const projectServiceFactory = ({
|
|||||||
workspaces.map(async (workspace) => {
|
workspaces.map(async (workspace) => {
|
||||||
return {
|
return {
|
||||||
...workspace,
|
...workspace,
|
||||||
roles: [
|
roles: [...(workspaceMappedToRoles[workspace.id] || []), ...getPredefinedRoles({ projectId: workspace.id })]
|
||||||
...(workspaceMappedToRoles[workspace.id] || []),
|
|
||||||
...getPredefinedRoles({ projectId: workspace.id, projectType: workspace.type as ProjectType })
|
|
||||||
]
|
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
);
|
);
|
||||||
@@ -640,8 +614,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
return project;
|
return project;
|
||||||
};
|
};
|
||||||
@@ -654,8 +627,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
|
|
||||||
@@ -679,6 +651,7 @@ export const projectServiceFactory = ({
|
|||||||
hasDeleteProtection: update.hasDeleteProtection,
|
hasDeleteProtection: update.hasDeleteProtection,
|
||||||
slug: update.slug,
|
slug: update.slug,
|
||||||
secretSharing: update.secretSharing,
|
secretSharing: update.secretSharing,
|
||||||
|
defaultProduct: update.defaultProduct,
|
||||||
showSnapshotsLegacy: update.showSnapshotsLegacy
|
showSnapshotsLegacy: update.showSnapshotsLegacy
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -698,8 +671,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
|
|
||||||
@@ -724,8 +696,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
|
|
||||||
@@ -754,8 +725,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (!hasRole(ProjectMembershipRole.Admin))
|
if (!hasRole(ProjectMembershipRole.Admin))
|
||||||
@@ -786,8 +756,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (!hasRole(ProjectMembershipRole.Admin)) {
|
if (!hasRole(ProjectMembershipRole.Admin)) {
|
||||||
@@ -819,8 +788,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
|
|
||||||
@@ -841,8 +809,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Project);
|
||||||
@@ -912,8 +879,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret);
|
throwIfMissingSecretReadValueOrDescribePermission(permission, ProjectPermissionSecretActions.DescribeSecret);
|
||||||
|
|
||||||
@@ -944,22 +910,14 @@ export const projectServiceFactory = ({
|
|||||||
actor
|
actor
|
||||||
}: TListProjectCasDTO) => {
|
}: TListProjectCasDTO) => {
|
||||||
const project = await projectDAL.findProjectByFilter(filter);
|
const project = await projectDAL.findProjectByFilter(filter);
|
||||||
let projectId = project.id;
|
const projectId = project.id;
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -998,22 +956,14 @@ export const projectServiceFactory = ({
|
|||||||
actor
|
actor
|
||||||
}: TListProjectCertsDTO) => {
|
}: TListProjectCertsDTO) => {
|
||||||
const project = await projectDAL.findProjectByFilter(filter);
|
const project = await projectDAL.findProjectByFilter(filter);
|
||||||
let projectId = project.id;
|
const projectId = project.id;
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1046,28 +996,18 @@ export const projectServiceFactory = ({
|
|||||||
* Return list of (PKI) alerts configured for project
|
* Return list of (PKI) alerts configured for project
|
||||||
*/
|
*/
|
||||||
const listProjectAlerts = async ({
|
const listProjectAlerts = async ({
|
||||||
projectId: preSplitProjectId,
|
projectId,
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId
|
actorOrgId
|
||||||
}: TListProjectAlertsDTO) => {
|
}: TListProjectAlertsDTO) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
|
||||||
@@ -1083,27 +1023,18 @@ export const projectServiceFactory = ({
|
|||||||
* Return list of PKI collections for project
|
* Return list of PKI collections for project
|
||||||
*/
|
*/
|
||||||
const listProjectPkiCollections = async ({
|
const listProjectPkiCollections = async ({
|
||||||
projectId: preSplitProjectId,
|
projectId,
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId
|
actorOrgId
|
||||||
}: TListProjectAlertsDTO) => {
|
}: TListProjectAlertsDTO) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
|
||||||
@@ -1130,8 +1061,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const allowedSubscribers = [];
|
const allowedSubscribers = [];
|
||||||
@@ -1158,28 +1088,18 @@ export const projectServiceFactory = ({
|
|||||||
* Return list of certificate templates for project
|
* Return list of certificate templates for project
|
||||||
*/
|
*/
|
||||||
const listProjectCertificateTemplates = async ({
|
const listProjectCertificateTemplates = async ({
|
||||||
projectId: preSplitProjectId,
|
projectId,
|
||||||
actorId,
|
actorId,
|
||||||
actorOrgId,
|
actorOrgId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actor
|
actor
|
||||||
}: TListProjectCertificateTemplatesDTO) => {
|
}: TListProjectCertificateTemplatesDTO) => {
|
||||||
let projectId = preSplitProjectId;
|
|
||||||
const certManagerProjectFromSplit = await projectDAL.getProjectFromSplitId(
|
|
||||||
projectId,
|
|
||||||
ProjectType.CertificateManager
|
|
||||||
);
|
|
||||||
if (certManagerProjectFromSplit) {
|
|
||||||
projectId = certManagerProjectFromSplit.id;
|
|
||||||
}
|
|
||||||
|
|
||||||
const { permission } = await permissionService.getProjectPermission({
|
const { permission } = await permissionService.getProjectPermission({
|
||||||
actor,
|
actor,
|
||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.CertificateManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const certificateTemplates = await certificateTemplateDAL.getCertTemplatesByProjectId(projectId);
|
const certificateTemplates = await certificateTemplateDAL.getCertTemplatesByProjectId(projectId);
|
||||||
@@ -1209,8 +1129,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1243,8 +1162,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const allowedHosts = [];
|
const allowedHosts = [];
|
||||||
@@ -1283,8 +1201,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshHostGroups);
|
||||||
@@ -1311,8 +1228,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
|
||||||
@@ -1350,8 +1266,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -1385,8 +1300,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
||||||
@@ -1413,8 +1327,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
||||||
@@ -1443,8 +1356,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Kms);
|
||||||
@@ -1466,8 +1378,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
if (!membership) {
|
if (!membership) {
|
||||||
@@ -1499,8 +1410,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
|
||||||
@@ -1539,8 +1449,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SSH
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
@@ -1623,8 +1532,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
|
||||||
@@ -1696,8 +1604,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
@@ -1774,8 +1681,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
|
||||||
@@ -1898,8 +1804,7 @@ export const projectServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.Any
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Settings);
|
ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Settings);
|
||||||
@@ -1927,15 +1832,7 @@ export const projectServiceFactory = ({
|
|||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
const searchProjects = async ({
|
const searchProjects = async ({ name, offset, permission, limit, orderBy, orderDirection }: TSearchProjectsDTO) => {
|
||||||
name,
|
|
||||||
offset,
|
|
||||||
permission,
|
|
||||||
limit,
|
|
||||||
type,
|
|
||||||
orderBy,
|
|
||||||
orderDirection
|
|
||||||
}: TSearchProjectsDTO) => {
|
|
||||||
// check user belong to org
|
// check user belong to org
|
||||||
await permissionService.getOrgPermission(
|
await permissionService.getOrgPermission(
|
||||||
permission.type,
|
permission.type,
|
||||||
@@ -1949,7 +1846,6 @@ export const projectServiceFactory = ({
|
|||||||
limit,
|
limit,
|
||||||
offset,
|
offset,
|
||||||
name,
|
name,
|
||||||
type,
|
|
||||||
orgId: permission.orgId,
|
orgId: permission.orgId,
|
||||||
actor: permission.type,
|
actor: permission.type,
|
||||||
actorId: permission.id,
|
actorId: permission.id,
|
||||||
@@ -1973,7 +1869,7 @@ export const projectServiceFactory = ({
|
|||||||
actor: permission.type,
|
actor: permission.type,
|
||||||
actorId: permission.id,
|
actorId: permission.id,
|
||||||
projectId,
|
projectId,
|
||||||
actionProjectType: ActionProjectType.Any,
|
|
||||||
actorAuthMethod: permission.authMethod,
|
actorAuthMethod: permission.authMethod,
|
||||||
actorOrgId: permission.orgId
|
actorOrgId: permission.orgId
|
||||||
})
|
})
|
||||||
|
@@ -92,6 +92,7 @@ export type TUpdateProjectDTO = {
|
|||||||
description?: string;
|
description?: string;
|
||||||
autoCapitalization?: boolean;
|
autoCapitalization?: boolean;
|
||||||
hasDeleteProtection?: boolean;
|
hasDeleteProtection?: boolean;
|
||||||
|
defaultProduct?: ProjectType;
|
||||||
slug?: string;
|
slug?: string;
|
||||||
secretSharing?: boolean;
|
secretSharing?: boolean;
|
||||||
showSnapshotsLegacy?: boolean;
|
showSnapshotsLegacy?: boolean;
|
||||||
|
@@ -5,6 +5,7 @@ import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
|
|||||||
|
|
||||||
import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
|
import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
|
||||||
import { TIdentityUaClientSecretDALFactory } from "../identity-ua/identity-ua-client-secret-dal";
|
import { TIdentityUaClientSecretDALFactory } from "../identity-ua/identity-ua-client-secret-dal";
|
||||||
|
import { TOrgServiceFactory } from "../org/org-service";
|
||||||
import { TSecretDALFactory } from "../secret/secret-dal";
|
import { TSecretDALFactory } from "../secret/secret-dal";
|
||||||
import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
|
import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
|
||||||
import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
|
import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
|
||||||
@@ -24,6 +25,7 @@ type TDailyResourceCleanUpQueueServiceFactoryDep = {
|
|||||||
secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets" | "pruneExpiredSecretRequests">;
|
secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets" | "pruneExpiredSecretRequests">;
|
||||||
serviceTokenService: Pick<TServiceTokenServiceFactory, "notifyExpiringTokens">;
|
serviceTokenService: Pick<TServiceTokenServiceFactory, "notifyExpiringTokens">;
|
||||||
queueService: TQueueServiceFactory;
|
queueService: TQueueServiceFactory;
|
||||||
|
orgService: TOrgServiceFactory;
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TDailyResourceCleanUpQueueServiceFactory = ReturnType<typeof dailyResourceCleanUpQueueServiceFactory>;
|
export type TDailyResourceCleanUpQueueServiceFactory = ReturnType<typeof dailyResourceCleanUpQueueServiceFactory>;
|
||||||
@@ -39,12 +41,12 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
|
|||||||
secretSharingDAL,
|
secretSharingDAL,
|
||||||
secretVersionV2DAL,
|
secretVersionV2DAL,
|
||||||
identityUniversalAuthClientSecretDAL,
|
identityUniversalAuthClientSecretDAL,
|
||||||
serviceTokenService
|
serviceTokenService,
|
||||||
|
orgService
|
||||||
}: TDailyResourceCleanUpQueueServiceFactoryDep) => {
|
}: TDailyResourceCleanUpQueueServiceFactoryDep) => {
|
||||||
queueService.start(QueueName.DailyResourceCleanUp, async () => {
|
queueService.start(QueueName.DailyResourceCleanUp, async () => {
|
||||||
logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
|
logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
|
||||||
await secretDAL.pruneSecretReminders(queueService);
|
await secretDAL.pruneSecretReminders(queueService);
|
||||||
await auditLogDAL.pruneAuditLog();
|
|
||||||
await identityAccessTokenDAL.removeExpiredTokens();
|
await identityAccessTokenDAL.removeExpiredTokens();
|
||||||
await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
|
await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
|
||||||
await secretSharingDAL.pruneExpiredSharedSecrets();
|
await secretSharingDAL.pruneExpiredSharedSecrets();
|
||||||
@@ -54,6 +56,8 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
|
|||||||
await secretVersionV2DAL.pruneExcessVersions();
|
await secretVersionV2DAL.pruneExcessVersions();
|
||||||
await secretFolderVersionDAL.pruneExcessVersions();
|
await secretFolderVersionDAL.pruneExcessVersions();
|
||||||
await serviceTokenService.notifyExpiringTokens();
|
await serviceTokenService.notifyExpiringTokens();
|
||||||
|
await orgService.notifyInvitedUsers();
|
||||||
|
await auditLogDAL.pruneAuditLog();
|
||||||
logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
|
logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@@ -1,4 +1,4 @@
|
|||||||
import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
|
import { ProjectMembershipRole } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
|
|
||||||
@@ -36,8 +36,7 @@ export const secretBlindIndexServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const secretCount = await secretBlindIndexDAL.countOfSecretsWithNullSecretBlindIndex(projectId);
|
const secretCount = await secretBlindIndexDAL.countOfSecretsWithNullSecretBlindIndex(projectId);
|
||||||
@@ -56,8 +55,7 @@ export const secretBlindIndexServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!hasRole(ProjectMembershipRole.Admin)) {
|
if (!hasRole(ProjectMembershipRole.Admin)) {
|
||||||
throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });
|
throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });
|
||||||
@@ -80,8 +78,7 @@ export const secretBlindIndexServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (!hasRole(ProjectMembershipRole.Admin)) {
|
if (!hasRole(ProjectMembershipRole.Admin)) {
|
||||||
throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });
|
throw new ForbiddenRequestError({ message: "Insufficient privileges, user must be admin" });
|
||||||
|
@@ -2,9 +2,10 @@ import { ForbiddenError, subject } from "@casl/ability";
|
|||||||
import path from "path";
|
import path from "path";
|
||||||
import { v4 as uuidv4, validate as uuidValidate } from "uuid";
|
import { v4 as uuidv4, validate as uuidValidate } from "uuid";
|
||||||
|
|
||||||
import { ActionProjectType, TSecretFoldersInsert } from "@app/db/schemas";
|
import { TProjectEnvironments, TSecretFolders, TSecretFoldersInsert } from "@app/db/schemas";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
|
||||||
|
import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
|
||||||
import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
|
import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
|
||||||
import { PgSqlLock } from "@app/keystore/keystore";
|
import { PgSqlLock } from "@app/keystore/keystore";
|
||||||
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
import { BadRequestError, NotFoundError } from "@app/lib/errors";
|
||||||
@@ -14,6 +15,7 @@ import { buildFolderPath } from "@app/services/secret-folder/secret-folder-fns";
|
|||||||
import { ChangeType, CommitType, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
|
import { ChangeType, CommitType, TFolderCommitServiceFactory } from "../folder-commit/folder-commit-service";
|
||||||
import { TProjectDALFactory } from "../project/project-dal";
|
import { TProjectDALFactory } from "../project/project-dal";
|
||||||
import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
|
import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
|
||||||
|
import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
|
||||||
import { TSecretFolderDALFactory } from "./secret-folder-dal";
|
import { TSecretFolderDALFactory } from "./secret-folder-dal";
|
||||||
import {
|
import {
|
||||||
TCreateFolderDTO,
|
TCreateFolderDTO,
|
||||||
@@ -34,6 +36,8 @@ type TSecretFolderServiceFactoryDep = {
|
|||||||
folderVersionDAL: Pick<TSecretFolderVersionDALFactory, "findLatestFolderVersions" | "create" | "insertMany" | "find">;
|
folderVersionDAL: Pick<TSecretFolderVersionDALFactory, "findLatestFolderVersions" | "create" | "insertMany" | "find">;
|
||||||
folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
|
folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
|
||||||
projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
|
projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
|
||||||
|
secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
|
||||||
|
secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "findByFolderIds">;
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
|
export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
|
||||||
@@ -45,7 +49,9 @@ export const secretFolderServiceFactory = ({
|
|||||||
projectEnvDAL,
|
projectEnvDAL,
|
||||||
folderVersionDAL,
|
folderVersionDAL,
|
||||||
folderCommitService,
|
folderCommitService,
|
||||||
projectDAL
|
projectDAL,
|
||||||
|
secretApprovalPolicyService,
|
||||||
|
secretV2BridgeDAL
|
||||||
}: TSecretFolderServiceFactoryDep) => {
|
}: TSecretFolderServiceFactoryDep) => {
|
||||||
const createFolder = async ({
|
const createFolder = async ({
|
||||||
projectId,
|
projectId,
|
||||||
@@ -63,8 +69,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -245,8 +250,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: project.id,
|
projectId: project.id,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
folders.forEach(({ environment, path: secretPath }) => {
|
folders.forEach(({ environment, path: secretPath }) => {
|
||||||
@@ -377,8 +381,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -464,6 +467,106 @@ export const secretFolderServiceFactory = ({
|
|||||||
return { folder: newFolder, old: folder };
|
return { folder: newFolder, old: folder };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
const $checkFolderPolicy = async ({
|
||||||
|
projectId,
|
||||||
|
env,
|
||||||
|
parentId,
|
||||||
|
idOrName
|
||||||
|
}: {
|
||||||
|
projectId: string;
|
||||||
|
env: TProjectEnvironments;
|
||||||
|
parentId: string;
|
||||||
|
idOrName: string;
|
||||||
|
}) => {
|
||||||
|
let targetFolder = await folderDAL
|
||||||
|
.findOne({
|
||||||
|
envId: env.id,
|
||||||
|
name: idOrName,
|
||||||
|
parentId,
|
||||||
|
isReserved: false
|
||||||
|
})
|
||||||
|
.catch(() => null);
|
||||||
|
|
||||||
|
if (!targetFolder && uuidValidate(idOrName)) {
|
||||||
|
targetFolder = await folderDAL
|
||||||
|
.findOne({
|
||||||
|
envId: env.id,
|
||||||
|
id: idOrName,
|
||||||
|
parentId,
|
||||||
|
isReserved: false
|
||||||
|
})
|
||||||
|
.catch(() => null);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!targetFolder) {
|
||||||
|
throw new NotFoundError({ message: `Target folder not found` });
|
||||||
|
}
|
||||||
|
|
||||||
|
// get environment root folder (as it's needed to get all folders under it)
|
||||||
|
const rootFolder = await folderDAL.findBySecretPath(projectId, env.slug, "/");
|
||||||
|
if (!rootFolder) throw new NotFoundError({ message: `Root folder not found` });
|
||||||
|
// get all folders under environment root folder
|
||||||
|
const folderPaths = await folderDAL.findByEnvsDeep({ parentIds: [rootFolder.id] });
|
||||||
|
|
||||||
|
// create a map of folders by parent id
|
||||||
|
const normalizeKey = (key: string | null | undefined): string => key ?? "root";
|
||||||
|
const folderMap = new Map<string, (TSecretFolders & { path: string; depth: number; environment: string })[]>();
|
||||||
|
for (const folder of folderPaths) {
|
||||||
|
if (!folderMap.has(normalizeKey(folder.parentId))) {
|
||||||
|
folderMap.set(normalizeKey(folder.parentId), []);
|
||||||
|
}
|
||||||
|
folderMap.get(normalizeKey(folder.parentId))?.push(folder);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Find the target folder in the folderPaths to get its full details
|
||||||
|
const targetFolderWithPath = folderPaths.find((f) => f.id === targetFolder!.id);
|
||||||
|
if (!targetFolderWithPath) {
|
||||||
|
throw new NotFoundError({ message: `Target folder path not found` });
|
||||||
|
}
|
||||||
|
|
||||||
|
// Recursively collect all folders under the target folder (descendants only)
|
||||||
|
const collectDescendants = (
|
||||||
|
id: string
|
||||||
|
): (TSecretFolders & { path: string; depth: number; environment: string })[] => {
|
||||||
|
const children = folderMap.get(normalizeKey(id)) || [];
|
||||||
|
return [...children, ...children.flatMap((child) => collectDescendants(child.id))];
|
||||||
|
};
|
||||||
|
|
||||||
|
const targetFolderDescendants = collectDescendants(targetFolder.id);
|
||||||
|
|
||||||
|
// Include the target folder itself plus all its descendants
|
||||||
|
const foldersToCheck = [targetFolderWithPath, ...targetFolderDescendants];
|
||||||
|
|
||||||
|
const folderPolicyPaths = foldersToCheck.map((folder) => ({
|
||||||
|
path: folder.path,
|
||||||
|
id: folder.id
|
||||||
|
}));
|
||||||
|
|
||||||
|
// get secrets under the given folders
|
||||||
|
const secrets = await secretV2BridgeDAL.findByFolderIds({
|
||||||
|
folderIds: folderPolicyPaths.map((p) => p.id)
|
||||||
|
});
|
||||||
|
|
||||||
|
for await (const folderPolicyPath of folderPolicyPaths) {
|
||||||
|
// eslint-disable-next-line no-continue
|
||||||
|
if (!secrets.some((s) => s.folderId === folderPolicyPath.id)) continue;
|
||||||
|
|
||||||
|
const policy = await secretApprovalPolicyService.getSecretApprovalPolicy(
|
||||||
|
projectId,
|
||||||
|
env.slug,
|
||||||
|
folderPolicyPath.path
|
||||||
|
);
|
||||||
|
|
||||||
|
// if there is a policy and there are secrets under the given folder, throw error
|
||||||
|
if (policy) {
|
||||||
|
throw new BadRequestError({
|
||||||
|
message: `You cannot delete the selected folder because it contains one or more secrets that are protected by the change policy "${policy.name}" at folder path "${folderPolicyPath.path}". Please remove the secrets at folder path "${folderPolicyPath.path}" and try again.`,
|
||||||
|
name: "DeleteFolderProtectedByPolicy"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
const deleteFolder = async ({
|
const deleteFolder = async ({
|
||||||
projectId,
|
projectId,
|
||||||
actor,
|
actor,
|
||||||
@@ -479,8 +582,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -498,18 +600,42 @@ export const secretFolderServiceFactory = ({
|
|||||||
message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`
|
message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`
|
||||||
});
|
});
|
||||||
|
|
||||||
|
await $checkFolderPolicy({ projectId, env, parentId: parentFolder.id, idOrName });
|
||||||
|
|
||||||
|
let folderToDelete = await folderDAL
|
||||||
|
.findOne({
|
||||||
|
envId: env.id,
|
||||||
|
name: idOrName,
|
||||||
|
parentId: parentFolder.id,
|
||||||
|
isReserved: false
|
||||||
|
})
|
||||||
|
.catch(() => null);
|
||||||
|
|
||||||
|
if (!folderToDelete && uuidValidate(idOrName)) {
|
||||||
|
folderToDelete = await folderDAL
|
||||||
|
.findOne({
|
||||||
|
envId: env.id,
|
||||||
|
id: idOrName,
|
||||||
|
parentId: parentFolder.id,
|
||||||
|
isReserved: false
|
||||||
|
})
|
||||||
|
.catch(() => null);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!folderToDelete) {
|
||||||
|
throw new NotFoundError({ message: `Folder with ID '${idOrName}' not found` });
|
||||||
|
}
|
||||||
|
|
||||||
const [doc] = await folderDAL.delete(
|
const [doc] = await folderDAL.delete(
|
||||||
{
|
{
|
||||||
envId: env.id,
|
envId: env.id,
|
||||||
[uuidValidate(idOrName) ? "id" : "name"]: idOrName,
|
id: folderToDelete.id,
|
||||||
parentId: parentFolder.id,
|
parentId: parentFolder.id,
|
||||||
isReserved: false
|
isReserved: false
|
||||||
},
|
},
|
||||||
tx
|
tx
|
||||||
);
|
);
|
||||||
|
|
||||||
if (!doc) throw new NotFoundError({ message: `Failed to delete folder with ID '${idOrName}', not found` });
|
|
||||||
|
|
||||||
const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx);
|
const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx);
|
||||||
|
|
||||||
await folderCommitService.createCommit(
|
await folderCommitService.createCommit(
|
||||||
@@ -562,8 +688,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const env = await projectEnvDAL.findOne({ projectId, slug: environment });
|
const env = await projectEnvDAL.findOne({ projectId, slug: environment });
|
||||||
@@ -631,8 +756,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
||||||
@@ -673,8 +797,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
||||||
@@ -709,8 +832,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: folder.projectId,
|
projectId: folder.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(folder.projectId, [folder.id]);
|
const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(folder.projectId, [folder.id]);
|
||||||
@@ -738,8 +860,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
const envs = await projectEnvDAL.findBySlugs(projectId, environments);
|
||||||
@@ -766,8 +887,7 @@ export const secretFolderServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const environments = await projectEnvDAL.find({ projectId });
|
const environments = await projectEnvDAL.find({ projectId });
|
||||||
|
@@ -2,7 +2,7 @@ import path from "node:path";
|
|||||||
|
|
||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType, TableName } from "@app/db/schemas";
|
import { TableName } from "@app/db/schemas";
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import {
|
import {
|
||||||
hasSecretReadValueOrDescribePermission,
|
hasSecretReadValueOrDescribePermission,
|
||||||
@@ -87,8 +87,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// check if user has permission to import into destination path
|
// check if user has permission to import into destination path
|
||||||
@@ -205,8 +204,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -303,8 +301,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -378,8 +375,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// check if user has permission to import into destination path
|
// check if user has permission to import into destination path
|
||||||
@@ -455,8 +451,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Read,
|
ProjectPermissionActions.Read,
|
||||||
@@ -489,8 +484,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
const filteredEnvironments = [];
|
const filteredEnvironments = [];
|
||||||
for (const environment of environments) {
|
for (const environment of environments) {
|
||||||
@@ -543,8 +537,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Read,
|
ProjectPermissionActions.Read,
|
||||||
@@ -593,8 +586,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId: folder.projectId,
|
projectId: folder.projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
|
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
@@ -642,8 +634,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Read,
|
ProjectPermissionActions.Read,
|
||||||
@@ -678,8 +669,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
ForbiddenError.from(permission).throwUnlessCan(
|
ForbiddenError.from(permission).throwUnlessCan(
|
||||||
ProjectPermissionActions.Read,
|
ProjectPermissionActions.Read,
|
||||||
@@ -762,8 +752,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
const filteredEnvironments = [];
|
const filteredEnvironments = [];
|
||||||
for (const environment of environments) {
|
for (const environment of environments) {
|
||||||
@@ -815,8 +804,7 @@ export const secretImportServiceFactory = ({
|
|||||||
actorId,
|
actorId,
|
||||||
projectId,
|
projectId,
|
||||||
actorAuthMethod,
|
actorAuthMethod,
|
||||||
actorOrgId,
|
actorOrgId
|
||||||
actionProjectType: ActionProjectType.SecretManager
|
|
||||||
});
|
});
|
||||||
if (
|
if (
|
||||||
permission.cannot(
|
permission.cannot(
|
||||||
|
@@ -6,7 +6,6 @@ import {
|
|||||||
TOnePassListVariablesResponse,
|
TOnePassListVariablesResponse,
|
||||||
TOnePassSyncWithCredentials,
|
TOnePassSyncWithCredentials,
|
||||||
TOnePassVariable,
|
TOnePassVariable,
|
||||||
TOnePassVariableDetails,
|
|
||||||
TPostOnePassVariable,
|
TPostOnePassVariable,
|
||||||
TPutOnePassVariable
|
TPutOnePassVariable
|
||||||
} from "@app/services/secret-sync/1password/1password-sync-types";
|
} from "@app/services/secret-sync/1password/1password-sync-types";
|
||||||
@@ -14,7 +13,10 @@ import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
|
|||||||
import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
|
import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
|
||||||
import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
|
import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
|
||||||
|
|
||||||
const listOnePassItems = async ({ instanceUrl, apiToken, vaultId }: TOnePassListVariables) => {
|
// This should not be changed or it may break existing logic
|
||||||
|
const VALUE_LABEL_DEFAULT = "value";
|
||||||
|
|
||||||
|
const listOnePassItems = async ({ instanceUrl, apiToken, vaultId, valueLabel }: TOnePassListVariables) => {
|
||||||
const { data } = await request.get<TOnePassListVariablesResponse>(`${instanceUrl}/v1/vaults/${vaultId}/items`, {
|
const { data } = await request.get<TOnePassListVariablesResponse>(`${instanceUrl}/v1/vaults/${vaultId}/items`, {
|
||||||
headers: {
|
headers: {
|
||||||
Authorization: `Bearer ${apiToken}`,
|
Authorization: `Bearer ${apiToken}`,
|
||||||
@@ -22,36 +24,49 @@ const listOnePassItems = async ({ instanceUrl, apiToken, vaultId }: TOnePassList
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
const result: Record<string, TOnePassVariable & { value: string; fieldId: string }> = {};
|
const items: Record<string, TOnePassVariable & { value: string; fieldId: string }> = {};
|
||||||
|
const duplicates: Record<string, string> = {};
|
||||||
|
|
||||||
for await (const s of data) {
|
for await (const s of data) {
|
||||||
const { data: secret } = await request.get<TOnePassVariableDetails>(
|
// eslint-disable-next-line no-continue
|
||||||
`${instanceUrl}/v1/vaults/${vaultId}/items/${s.id}`,
|
if (s.category !== "API_CREDENTIAL") continue;
|
||||||
{
|
|
||||||
headers: {
|
|
||||||
Authorization: `Bearer ${apiToken}`,
|
|
||||||
Accept: "application/json"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
const value = secret.fields.find((f) => f.label === "value")?.value;
|
if (items[s.title]) {
|
||||||
const fieldId = secret.fields.find((f) => f.label === "value")?.id;
|
duplicates[s.id] = s.title;
|
||||||
|
// eslint-disable-next-line no-continue
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
const { data: secret } = await request.get<TOnePassVariable>(`${instanceUrl}/v1/vaults/${vaultId}/items/${s.id}`, {
|
||||||
|
headers: {
|
||||||
|
Authorization: `Bearer ${apiToken}`,
|
||||||
|
Accept: "application/json"
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
const valueField = secret.fields.find((f) => f.label === valueLabel);
|
||||||
|
|
||||||
// eslint-disable-next-line no-continue
|
// eslint-disable-next-line no-continue
|
||||||
if (!value || !fieldId) continue;
|
if (!valueField || !valueField.value || !valueField.id) continue;
|
||||||
|
|
||||||
result[s.title] = {
|
items[s.title] = {
|
||||||
...secret,
|
...secret,
|
||||||
value,
|
value: valueField.value,
|
||||||
fieldId
|
fieldId: valueField.id
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
return result;
|
return { items, duplicates };
|
||||||
};
|
};
|
||||||
|
|
||||||
const createOnePassItem = async ({ instanceUrl, apiToken, vaultId, itemTitle, itemValue }: TPostOnePassVariable) => {
|
const createOnePassItem = async ({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
itemTitle,
|
||||||
|
itemValue,
|
||||||
|
valueLabel
|
||||||
|
}: TPostOnePassVariable) => {
|
||||||
return request.post(
|
return request.post(
|
||||||
`${instanceUrl}/v1/vaults/${vaultId}/items`,
|
`${instanceUrl}/v1/vaults/${vaultId}/items`,
|
||||||
{
|
{
|
||||||
@@ -63,7 +78,7 @@ const createOnePassItem = async ({ instanceUrl, apiToken, vaultId, itemTitle, it
|
|||||||
tags: ["synced-from-infisical"],
|
tags: ["synced-from-infisical"],
|
||||||
fields: [
|
fields: [
|
||||||
{
|
{
|
||||||
label: "value",
|
label: valueLabel,
|
||||||
value: itemValue,
|
value: itemValue,
|
||||||
type: "CONCEALED"
|
type: "CONCEALED"
|
||||||
}
|
}
|
||||||
@@ -85,7 +100,9 @@ const updateOnePassItem = async ({
|
|||||||
itemId,
|
itemId,
|
||||||
fieldId,
|
fieldId,
|
||||||
itemTitle,
|
itemTitle,
|
||||||
itemValue
|
itemValue,
|
||||||
|
valueLabel,
|
||||||
|
otherFields
|
||||||
}: TPutOnePassVariable) => {
|
}: TPutOnePassVariable) => {
|
||||||
return request.put(
|
return request.put(
|
||||||
`${instanceUrl}/v1/vaults/${vaultId}/items/${itemId}`,
|
`${instanceUrl}/v1/vaults/${vaultId}/items/${itemId}`,
|
||||||
@@ -98,9 +115,10 @@ const updateOnePassItem = async ({
|
|||||||
},
|
},
|
||||||
tags: ["synced-from-infisical"],
|
tags: ["synced-from-infisical"],
|
||||||
fields: [
|
fields: [
|
||||||
|
...otherFields,
|
||||||
{
|
{
|
||||||
id: fieldId,
|
id: fieldId,
|
||||||
label: "value",
|
label: valueLabel,
|
||||||
value: itemValue,
|
value: itemValue,
|
||||||
type: "CONCEALED"
|
type: "CONCEALED"
|
||||||
}
|
}
|
||||||
@@ -128,13 +146,18 @@ export const OnePassSyncFns = {
|
|||||||
const {
|
const {
|
||||||
connection,
|
connection,
|
||||||
environment,
|
environment,
|
||||||
destinationConfig: { vaultId }
|
destinationConfig: { vaultId, valueLabel }
|
||||||
} = secretSync;
|
} = secretSync;
|
||||||
|
|
||||||
const instanceUrl = await getOnePassInstanceUrl(connection);
|
const instanceUrl = await getOnePassInstanceUrl(connection);
|
||||||
const { apiToken } = connection.credentials;
|
const { apiToken } = connection.credentials;
|
||||||
|
|
||||||
const items = await listOnePassItems({ instanceUrl, apiToken, vaultId });
|
const { items, duplicates } = await listOnePassItems({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
valueLabel: valueLabel || VALUE_LABEL_DEFAULT
|
||||||
|
});
|
||||||
|
|
||||||
for await (const entry of Object.entries(secretMap)) {
|
for await (const entry of Object.entries(secretMap)) {
|
||||||
const [key, { value }] = entry;
|
const [key, { value }] = entry;
|
||||||
@@ -148,10 +171,19 @@ export const OnePassSyncFns = {
|
|||||||
itemTitle: key,
|
itemTitle: key,
|
||||||
itemValue: value,
|
itemValue: value,
|
||||||
itemId: items[key].id,
|
itemId: items[key].id,
|
||||||
fieldId: items[key].fieldId
|
fieldId: items[key].fieldId,
|
||||||
|
valueLabel: valueLabel || VALUE_LABEL_DEFAULT,
|
||||||
|
otherFields: items[key].fields.filter((field) => field.label !== (valueLabel || VALUE_LABEL_DEFAULT))
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
await createOnePassItem({ instanceUrl, apiToken, vaultId, itemTitle: key, itemValue: value });
|
await createOnePassItem({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
itemTitle: key,
|
||||||
|
itemValue: value,
|
||||||
|
valueLabel: valueLabel || VALUE_LABEL_DEFAULT
|
||||||
|
});
|
||||||
}
|
}
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
throw new SecretSyncError({
|
throw new SecretSyncError({
|
||||||
@@ -163,7 +195,28 @@ export const OnePassSyncFns = {
|
|||||||
|
|
||||||
if (secretSync.syncOptions.disableSecretDeletion) return;
|
if (secretSync.syncOptions.disableSecretDeletion) return;
|
||||||
|
|
||||||
for await (const [key, variable] of Object.entries(items)) {
|
// Delete duplicate item entries
|
||||||
|
for await (const [itemId, key] of Object.entries(duplicates)) {
|
||||||
|
// eslint-disable-next-line no-continue
|
||||||
|
if (!matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
|
||||||
|
|
||||||
|
try {
|
||||||
|
await deleteOnePassItem({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
itemId
|
||||||
|
});
|
||||||
|
} catch (error) {
|
||||||
|
throw new SecretSyncError({
|
||||||
|
error,
|
||||||
|
secretKey: key
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete item entries that are not in secretMap
|
||||||
|
for await (const [key, item] of Object.entries(items)) {
|
||||||
// eslint-disable-next-line no-continue
|
// eslint-disable-next-line no-continue
|
||||||
if (!matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
|
if (!matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema)) continue;
|
||||||
|
|
||||||
@@ -173,7 +226,7 @@ export const OnePassSyncFns = {
|
|||||||
instanceUrl,
|
instanceUrl,
|
||||||
apiToken,
|
apiToken,
|
||||||
vaultId,
|
vaultId,
|
||||||
itemId: variable.id
|
itemId: item.id
|
||||||
});
|
});
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
throw new SecretSyncError({
|
throw new SecretSyncError({
|
||||||
@@ -187,13 +240,18 @@ export const OnePassSyncFns = {
|
|||||||
removeSecrets: async (secretSync: TOnePassSyncWithCredentials, secretMap: TSecretMap) => {
|
removeSecrets: async (secretSync: TOnePassSyncWithCredentials, secretMap: TSecretMap) => {
|
||||||
const {
|
const {
|
||||||
connection,
|
connection,
|
||||||
destinationConfig: { vaultId }
|
destinationConfig: { vaultId, valueLabel }
|
||||||
} = secretSync;
|
} = secretSync;
|
||||||
|
|
||||||
const instanceUrl = await getOnePassInstanceUrl(connection);
|
const instanceUrl = await getOnePassInstanceUrl(connection);
|
||||||
const { apiToken } = connection.credentials;
|
const { apiToken } = connection.credentials;
|
||||||
|
|
||||||
const items = await listOnePassItems({ instanceUrl, apiToken, vaultId });
|
const { items } = await listOnePassItems({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
valueLabel: valueLabel || VALUE_LABEL_DEFAULT
|
||||||
|
});
|
||||||
|
|
||||||
for await (const [key, item] of Object.entries(items)) {
|
for await (const [key, item] of Object.entries(items)) {
|
||||||
if (key in secretMap) {
|
if (key in secretMap) {
|
||||||
@@ -216,12 +274,19 @@ export const OnePassSyncFns = {
|
|||||||
getSecrets: async (secretSync: TOnePassSyncWithCredentials) => {
|
getSecrets: async (secretSync: TOnePassSyncWithCredentials) => {
|
||||||
const {
|
const {
|
||||||
connection,
|
connection,
|
||||||
destinationConfig: { vaultId }
|
destinationConfig: { vaultId, valueLabel }
|
||||||
} = secretSync;
|
} = secretSync;
|
||||||
|
|
||||||
const instanceUrl = await getOnePassInstanceUrl(connection);
|
const instanceUrl = await getOnePassInstanceUrl(connection);
|
||||||
const { apiToken } = connection.credentials;
|
const { apiToken } = connection.credentials;
|
||||||
|
|
||||||
return listOnePassItems({ instanceUrl, apiToken, vaultId });
|
const res = await listOnePassItems({
|
||||||
|
instanceUrl,
|
||||||
|
apiToken,
|
||||||
|
vaultId,
|
||||||
|
valueLabel: valueLabel || VALUE_LABEL_DEFAULT
|
||||||
|
});
|
||||||
|
|
||||||
|
return Object.fromEntries(Object.entries(res.items).map(([key, item]) => [key, { value: item.value }]));
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
@@ -11,7 +11,8 @@ import {
|
|||||||
import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
|
import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
|
||||||
|
|
||||||
const OnePassSyncDestinationConfigSchema = z.object({
|
const OnePassSyncDestinationConfigSchema = z.object({
|
||||||
vaultId: z.string().trim().min(1, "Vault required").describe(SecretSyncs.DESTINATION_CONFIG.ONEPASS.vaultId)
|
vaultId: z.string().trim().min(1, "Vault required").describe(SecretSyncs.DESTINATION_CONFIG.ONEPASS.vaultId),
|
||||||
|
valueLabel: z.string().trim().optional().describe(SecretSyncs.DESTINATION_CONFIG.ONEPASS.valueLabel)
|
||||||
});
|
});
|
||||||
|
|
||||||
const OnePassSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
|
const OnePassSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
|
||||||
|
@@ -14,29 +14,32 @@ export type TOnePassSyncWithCredentials = TOnePassSync & {
|
|||||||
connection: TOnePassConnection;
|
connection: TOnePassConnection;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type Field = {
|
||||||
|
id: string;
|
||||||
|
type: string; // CONCEALED, STRING
|
||||||
|
label: string;
|
||||||
|
value: string;
|
||||||
|
};
|
||||||
|
|
||||||
export type TOnePassVariable = {
|
export type TOnePassVariable = {
|
||||||
id: string;
|
id: string;
|
||||||
title: string;
|
title: string;
|
||||||
category: string; // API_CREDENTIAL, SECURE_NOTE, LOGIN, etc
|
category: string; // API_CREDENTIAL, SECURE_NOTE, LOGIN, etc
|
||||||
};
|
fields: Field[];
|
||||||
|
|
||||||
export type TOnePassVariableDetails = TOnePassVariable & {
|
|
||||||
fields: {
|
|
||||||
id: string;
|
|
||||||
type: string; // CONCEALED, STRING
|
|
||||||
label: string;
|
|
||||||
value: string;
|
|
||||||
}[];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TOnePassListVariablesResponse = TOnePassVariable[];
|
export type TOnePassListVariablesResponse = TOnePassVariable[];
|
||||||
|
|
||||||
export type TOnePassListVariables = {
|
type TOnePassBase = {
|
||||||
apiToken: string;
|
apiToken: string;
|
||||||
instanceUrl: string;
|
instanceUrl: string;
|
||||||
vaultId: string;
|
vaultId: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
export type TOnePassListVariables = TOnePassBase & {
|
||||||
|
valueLabel: string;
|
||||||
|
};
|
||||||
|
|
||||||
export type TPostOnePassVariable = TOnePassListVariables & {
|
export type TPostOnePassVariable = TOnePassListVariables & {
|
||||||
itemTitle: string;
|
itemTitle: string;
|
||||||
itemValue: string;
|
itemValue: string;
|
||||||
@@ -47,8 +50,9 @@ export type TPutOnePassVariable = TOnePassListVariables & {
|
|||||||
fieldId: string;
|
fieldId: string;
|
||||||
itemTitle: string;
|
itemTitle: string;
|
||||||
itemValue: string;
|
itemValue: string;
|
||||||
|
otherFields: Field[];
|
||||||
};
|
};
|
||||||
|
|
||||||
export type TDeleteOnePassVariable = TOnePassListVariables & {
|
export type TDeleteOnePassVariable = TOnePassBase & {
|
||||||
itemId: string;
|
itemId: string;
|
||||||
};
|
};
|
||||||
|
@@ -868,7 +868,7 @@ export const secretSyncQueueFactory = ({
|
|||||||
secretPath: folder?.path,
|
secretPath: folder?.path,
|
||||||
environment: environment?.name,
|
environment: environment?.name,
|
||||||
projectName: project.name,
|
projectName: project.name,
|
||||||
syncUrl: `${appCfg.SITE_URL}/secret-manager/${projectId}/integrations/secret-syncs/${destination}/${secretSync.id}`
|
syncUrl: `${appCfg.SITE_URL}/projects/${projectId}/secret-manager/integrations/secret-syncs/${destination}/${secretSync.id}`
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
@@ -1,6 +1,5 @@
|
|||||||
import { ForbiddenError, subject } from "@casl/ability";
|
import { ForbiddenError, subject } from "@casl/ability";
|
||||||
|
|
||||||
import { ActionProjectType } from "@app/db/schemas";
|
|
||||||
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
|
||||||
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
import { throwIfMissingSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
|
||||||
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
|
||||||
@@ -75,7 +74,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -111,7 +110,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -154,7 +153,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -196,7 +195,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -234,7 +233,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId
|
projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -314,7 +313,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -430,7 +429,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -507,7 +506,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -579,7 +578,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -645,7 +644,7 @@ export const secretSyncServiceFactory = ({
|
|||||||
actorId: actor.id,
|
actorId: actor.id,
|
||||||
actorAuthMethod: actor.authMethod,
|
actorAuthMethod: actor.authMethod,
|
||||||
actorOrgId: actor.orgId,
|
actorOrgId: actor.orgId,
|
||||||
actionProjectType: ActionProjectType.SecretManager,
|
|
||||||
projectId: secretSync.projectId
|
projectId: secretSync.projectId
|
||||||
});
|
});
|
||||||
|
|
||||||
|
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user