Merge pull request #3418 from Infisical/allow-internal-ip-connection-env-var

Feature: Add General Env Var for Allowing Internal IP Connections

.infisicalignore

@@ -22,3 +22,5 @@ frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredent
 frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:28
 frontend/src/hooks/api/secretRotationsV2/types/index.ts:generic-api-key:65
 frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx:generic-api-key:26
+docs/documentation/platform/kms/overview.mdx:generic-api-key:281
+docs/documentation/platform/kms/overview.mdx:generic-api-key:344

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -42,7 +42,7 @@ export const verifyHostInputValidity = async (host: string, isGateway = false) =
     inputHostIps.push(...resolvedIps);
   }
 
-  if (!isGateway && !appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP) {
+  if (!isGateway && !(appCfg.DYNAMIC_SECRET_ALLOW_INTERNAL_IP || appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)) {
     const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
     if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
   }

backend/src/lib/config/env.ts

@@ -197,6 +197,7 @@ const envSchema = z
     /* ----------------------------------------------------------------------------- */
 
     /* App Connections ----------------------------------------------------------------------------- */
+    ALLOW_INTERNAL_IP_CONNECTIONS: zodStrBool.default("false"),
 
     // aws
     INF_APP_CONNECTION_AWS_ACCESS_KEY_ID: zpStr(z.string().optional()),

backend/src/lib/crypto/sign/signing.ts

@@ -118,7 +118,12 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
     }
   };
 
-  const $signRsaDigest = async (digest: Buffer, privateKey: Buffer, hashAlgorithm: SupportedHashAlgorithm) => {
+  const $signRsaDigest = async (
+    digest: Buffer,
+    privateKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm,
+    signingAlgorithm: SigningAlgorithm
+  ) => {
     const tempDir = await createTemporaryDirectory("kms-rsa-sign");
     const digestPath = path.join(tempDir, "digest.bin");
     const sigPath = path.join(tempDir, "signature.bin");
@@ -164,12 +169,22 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       }
 
       return signature;
+    } catch (err) {
+      logger.error(err, "KMS: Failed to sign RSA digest");
+      throw new BadRequestError({
+        message: `Failed to sign RSA digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
+      });
     } finally {
       await cleanTemporaryDirectory(tempDir);
     }
   };
 
-  const $signEccDigest = async (digest: Buffer, privateKey: Buffer, hashAlgorithm: SupportedHashAlgorithm) => {
+  const $signEccDigest = async (
+    digest: Buffer,
+    privateKey: Buffer,
+    hashAlgorithm: SupportedHashAlgorithm,
+    signingAlgorithm: SigningAlgorithm
+  ) => {
     const tempDir = await createTemporaryDirectory("ecc-sign");
     const digestPath = path.join(tempDir, "digest.bin");
     const keyPath = path.join(tempDir, "key.pem");
@@ -216,6 +231,11 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
       }
 
       return signature;
+    } catch (err) {
+      logger.error(err, "KMS: Failed to sign ECC digest");
+      throw new BadRequestError({
+        message: `Failed to sign ECC digest with ${signingAlgorithm} due to signing error. Ensure that your digest is hashed with ${hashAlgorithm.toUpperCase()}.`
+      });
     } finally {
       await cleanTemporaryDirectory(tempDir);
     }
@@ -329,7 +349,12 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
 
   const signDigestFunctionsMap: Record<
     AsymmetricKeyAlgorithm,
-    (data: Buffer, privateKey: Buffer, hashAlgorithm: SupportedHashAlgorithm) => Promise<Buffer>
+    (
+      data: Buffer,
+      privateKey: Buffer,
+      hashAlgorithm: SupportedHashAlgorithm,
+      signingAlgorithm: SigningAlgorithm
+    ) => Promise<Buffer>
   > = {
     [AsymmetricKeyAlgorithm.ECC_NIST_P256]: $signEccDigest,
     [AsymmetricKeyAlgorithm.RSA_4096]: $signRsaDigest
@@ -360,7 +385,7 @@ export const signingService = (algorithm: AsymmetricKeyAlgorithm): TAsymmetricSi
         });
       }
 
-      const signature = await signFunction(data, privateKey, hashAlgorithm);
+      const signature = await signFunction(data, privateKey, hashAlgorithm, signingAlgorithm);
       return signature;
     }
 

backend/src/lib/validator/validate-url.ts

@@ -2,10 +2,16 @@ import dns from "node:dns/promises";
 
 import { isIPv4 } from "net";
 
+import { getConfig } from "@app/lib/config/env";
+
 import { BadRequestError } from "../errors";
 import { isPrivateIp } from "../ip/ipRange";
 
 export const blockLocalAndPrivateIpAddresses = async (url: string) => {
+  const appCfg = getConfig();
+
+  if (appCfg.isDevelopmentMode) return;
+
   const validUrl = new URL(url);
   const inputHostIps: string[] = [];
   if (isIPv4(validUrl.host)) {
@@ -18,7 +24,8 @@ export const blockLocalAndPrivateIpAddresses = async (url: string) => {
     inputHostIps.push(...resolvedIps);
   }
   const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
-  if (isInternalIp) throw new BadRequestError({ message: "Local IPs not allowed as URL" });
+  if (isInternalIp && !appCfg.ALLOW_INTERNAL_IP_CONNECTIONS)
+    throw new BadRequestError({ message: "Local IPs not allowed as URL" });
 };
 
 type FQDNOptions = {

backend/src/services/secret-import/secret-import-service.ts

@@ -825,10 +825,7 @@ export const secretImportServiceFactory = ({
     );
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder)
-      throw new NotFoundError({
-        message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`
-      });
+    if (!folder) return [];
 
     const importedBy = await secretImportDAL.getFolderIsImportedBy(secretPath, folder.envId, environment, projectId);
     const deepPaths: { path: string; folderId: string }[] = [];

docs/documentation/platform/kms/overview.mdx

@@ -30,7 +30,9 @@ The typical workflow for using Infisical KMS consists of the following steps:
   as via API.
 </Note>
 
-## Guide to Encrypting Data
+## Encryption
+
+### Guide to Encrypting Data
 
 In the following steps, we explore how to generate a key and use it to encrypt data.
 
@@ -44,7 +46,8 @@ In the following steps, we explore how to generate a key and use it to encrypt d
                 Specify your key details. Here's some guidance on each field:
 
                 - Name: A slug-friendly name for the key.
-                - Type: The encryption algorithm associated with the key (e.g. `AES-GCM-256`).
+                - Key Usage: The type of key to create (e.g `Encrypt/Decrypt` for encryption, and `Sign/Verify` for signing).
+                - Algorithm: The encryption algorithm associated with the key (e.g. `AES-GCM-256`).
                 - Description: An optional description of what the intended usage is for the key.
 
                 ![kms add key modal](/images/platform/kms/infisical-kms/kms-add-key-modal.png)
@@ -137,7 +140,7 @@ In the following steps, we explore how to generate a key and use it to encrypt d
 
 </Tabs>
 
-## Guide to Decrypting Data
+### Guide to Decrypting Data
 
 In the following steps, we explore how to use decrypt data using an existing key in Infisical KMS.
 
@@ -193,6 +196,164 @@ In the following steps, we explore how to use decrypt data using an existing key
 
 </Tabs>
 
+## Signing
+
+### Guide to Signing Data
+
+In the following steps, we explore how to generate a key and use it to sign data.
+
+<Tabs>
+    <Tab title="Infisical UI">
+        <Steps>
+            <Step title="Creating a KMS key">
+                Navigate to Project > Key Management and tap on the **Add Key** button.
+                ![kms add key button](/images/platform/kms/infisical-kms/kms-add-key.png)
+
+                Specify your key details. Here's some guidance on each field:
+
+                - Name: A slug-friendly name for the key.
+                - Key Usage: The type of key to create (e.g `Encrypt/Decrypt` for encryption, and `Sign/Verify` for signing).
+                - Algorithm: The signing algorithm associated with the key (e.g. `RSA_4096`).
+                - Description: An optional description of what the intended usage is for the key.
+
+                ![kms add key modal](/images/platform/kms/infisical-kms/signing/add-new-rsa-key.png)
+            </Step>
+
+            <Step title="Signing data with the KMS key">
+              Once your key is generated, open the options menu for the newly created key and select sign data.
+              ![kms key options](/images/platform/kms/infisical-kms/signing/sign-options.png)
+
+              Populate the text area with your data and tap on the Sign button.
+              ![kms sign data](/images/platform/kms/infisical-kms/signing/sign-data-modal.png)
+
+              Make sure to select the appropriate signing algorithm that will be used to sign the data.
+              Supported signing algorithms are:
+               
+               **For RSA keys:**
+               - `RSASSA PSS SHA 512`: Not deterministic, and includes random salt.
+               - `RSASSA PSS SHA 384`: Not deterministic, and includes random salt.
+               - `RSASSA PSS SHA 256`: Not deterministic, and includes random salt.
+               - `RSASSA PKCS1 V1.5 SHA 512`: Deterministic, and does not include randomness.
+               - `RSASSA PKCS1 V1.5 SHA 384`: Deterministic, and does not include randomness.
+               - `RSASSA PKCS1 V1.5 SHA 256`: Deterministic, and does not include randomness.
+
+               **For ECC keys:**
+               - `ECDSA SHA 512`: Not deterministic, and includes randomness.
+               - `ECDSA SHA 384`: Not deterministic, and includes randomness.
+               - `ECDSA SHA 256`: Not deterministic, and includes randomness.
+
+               In this example, we'll use the `RSASSA PSS SHA 512` signing algorithm.
+
+              <Note>
+                If your data is already Base64 encoded make sure to toggle the respective switch on to avoid
+                redundant encoding.
+              </Note>
+
+               Copy and store the signature of your data.
+               ![kms signed data](/images/platform/kms/infisical-kms/signing/copy-signature.png)
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="API">
+        <Steps>
+            <Step title="Signing data">
+                To sign data, make an API request to the [Sign
+                Data](/api-reference/endpoints/kms/signing/sign) API endpoint,
+                specifying the key to use.
+
+                ### Sample request
+
+                ```bash Request
+                curl --request POST \
+                --url https://app.infisical.com/api/v1/kms/keys/<key-id>/sign \
+                --header 'Content-Type: application/json' \
+                --data '{
+                    "data": "SGVsbG8sIFdvcmxkIQ==", // base64 encoded data
+                    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512",
+                }'
+                ```
+
+                ### Sample response
+
+                ```bash Response
+                {
+                    "signature": "JYuiBt1Ta9pbqFIW9Ou6qzBsFhjYbMJp9k4dP87ILrO+F2MPnp85g3nOlXK1ttZmRoGWsWnLNDRn9W3rf5VtkeaixPqUW/KvY/fM3CxdMyIV3BuxlGgDksjL8X34Eqkrz4CCPo9hjB5uT+rBCOxCgZqRbOdATPipAneUapI9npseNquEeh3jPklwviBix83PJHV9PW2t03AGGUXuMY55ZaFEIMv+IrI1WYdnPVIXDyIitYsS3y+/6KRfhVeTcPNJ5Rw+FE9y1eZzDEZtTNpxOfUT3QIoXmpZlYL4HbhRuJBZ+Yx54C7uPiUIN9U69XbyXt+Kkynykw2HPaagwuCZxiqCU5sFfLnrVbc3dmZxQcX2yRrs2gmFamzBx+uVbi648H4mb7WuE5UPTBjjA11jRsBjCY0YS2T4Vgfe1RlzlPQkZgjP/bnCCGDqXa3/VZAlZX1nTI51X995bPHBQI0rq2sNDlIXenwiAy1wJSITbSI8DbUx09Cr83xCEaYAE6R6PUfog/tbIUXi0VbrYsCVkAGCK446Wb1vW6q7HR8jrjXNwmXlqN9eLbSVWqdWj7N7fieeTYSrECtUaAjxtUYTIVsH2bfT6FOEM9gMWKffOpFowVzzr3B9bNQLIhnEEwebxBw947i4OcxyVIcEUuumWxoKvcbSPxzJ8v1M3SoBBh4=", // base64 encoded signature
+                    "keyId": "62b2c14e-58af-4199-9842-02995c63edf9",
+                    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512",
+                }
+                ```
+
+                <Note>
+                  To sign predigested data, you can pass `"isDigest": true` in the request body. This requires the data to be a base64 encoded digest of the data you wish to sign.
+                  It's important that the digest is created using the same hashing algorithm as the signing algorithm. As an example, you would create the digest with `SHA512` if you are using the `RSASSA_PKCS1_V1_5_SHA_512` signing algorithm.
+                </Note>
+            </Step>
+        </Steps>
+    </Tab>
+</Tabs>
+
+### Guide to Verifying Data
+
+In the following steps, we explore how to verify data using an existing key in Infisical KMS.
+
+<Tabs>
+    <Tab title="Infisical UI">
+        <Steps>
+            <Step title="Accessing your key">
+                Navigate to Project > Key Management and open the options menu for the key used to sign the data
+                you want to verify.
+                ![kms key options](/images/platform/kms/infisical-kms/signing/sign-options.png)
+            </Step>
+
+            <Step title="Verifying data with the KMS key">
+                Paste your signature and data into the text areas and tap on the Verify button.
+                ![kms verify data](/images/platform/kms/infisical-kms/signing/verify-data-modal.png)
+
+                Your verification result will be displayed and can be copied for use.
+                ![kms verified data](/images/platform/kms/infisical-kms/signing/signature-verified.png)
+
+                If the signature is invalid, you'll see an error message indicating that the signature is invalid, and the "Signature Status" field will be `Invalid`.
+            </Step>
+        </Steps>
+    </Tab>
+    <Tab title="API">
+        <Steps>
+            <Step title="Verifying data">
+                To verify data, make an API request to the [Verify
+                Data](/api-reference/endpoints/kms/signing/verify) API endpoint,
+                specifying the key to use.
+
+                ### Sample request
+
+                ```bash Request
+                curl --request POST \
+                --url https://app.infisical.com/api/v1/kms/keys/<key-id>/verify \
+                --header 'Content-Type: application/json' \
+                --data '{
+                    "data": "SGVsbG8sIFdvcmxkIQ==", // base64 encoded data
+                    "signature": "JYuiBt1Ta9pbqFIW9Ou6qzBsFhjYbMJp9k4dP87ILrO+F2MPnp85g3nOlXK1ttZmRoGWsWnLNDRn9W3rf5VtkeaixPqUW/KvY/fM3CxdMyIV3BuxlGgDksjL8X34Eqkrz4CCPo9hjB5uT+rBCOxCgZqRbOdATPipAneUapI9npseNquEeh3jPklwviBix83PJHV9PW2t03AGGUXuMY55ZaFEIMv+IrI1WYdnPVIXDyIitYsS3y+/6KRfhVeTcPNJ5Rw+FE9y1eZzDEZtTNpxOfUT3QIoXmpZlYL4HbhRuJBZ+Yx54C7uPiUIN9U69XbyXt+Kkynykw2HPaagwuCZxiqCU5sFfLnrVbc3dmZxQcX2yRrs2gmFamzBx+uVbi648H4mb7WuE5UPTBjjA11jRsBjCY0YS2T4Vgfe1RlzlPQkZgjP/bnCCGDqXa3/VZAlZX1nTI51X995bPHBQI0rq2sNDlIXenwiAy1wJSITbSI8DbUx09Cr83xCEaYAE6R6PUfog/tbIUXi0VbrYsCVkAGCK446Wb1vW6q7HR8jrjXNwmXlqN9eLbSVWqdWj7N7fieeTYSrECtUaAjxtUYTIVsH2bfT6FOEM9gMWKffOpFowVzzr3B9bNQLIhnEEwebxBw947i4OcxyVIcEUuumWxoKvcbSPxzJ8v1M3SoBBh4=", // base64 encoded signature
+                    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512"
+                }'
+                ```
+
+                ### Sample response
+
+                ```bash Response
+                {
+                    "signatureValid": true,
+                    "keyId": "62b2c14e-58af-4199-9842-02995c63edf9",
+                    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512"
+                }
+                ```
+                <Note>
+                  To verify predigested data, you can pass `"isDigest": true` in the request body. This requires the data to be a base64 encoded digest of the data you wish to verify.
+                  It's important that the digest is created using the same hashing algorithm as the signing algorithm. As an example, you would create the digest with `SHA512` if you are using the `RSASSA_PKCS1_V1_5_SHA_512` signing algorithm.
+                </Note>
+            </Step>
+        </Steps>
+    </Tab>
+</Tabs>
+
 ## FAQ
 
 <AccordionGroup>
@@ -205,8 +366,76 @@ In the following steps, we explore how to use decrypt data using an existing key
     external sources.
   </Accordion>
   <Accordion title="What algorithms does Infisical KMS support?">
-    Currently, Infisical only supports `AES-128-GCM` and `AES-256-GCM` for
-    encryption operations. We anticipate supporting more algorithms and
-    cryptographic operations in the coming months.
+    Currently Infisical supports 4 different key algorithms with different purposes:
+
+    - `RSA_4096`: For signing and verifying data.
+    - `ECC_NIST_P256`: For signing and verifying data.
+
+    - `AES-256-GCM`: For encryption and decryption operations.
+    - `AES-128-GCM`: For encryption and decryption operations.
+
+    We anticipate to further expand our supported algorithms and support cryptographic operations in the future.
+  </Accordion>
+  <Accordion title="How do I sign and verify a digest using the Infisical KMS?">
+    To sign and verify a digest using the Infisical KMS, you can use the `Sign` and `Verify` endpoints respectively.
+    You will need to pass `"isDigest": true` in the request body to indicate that you are signing or verifying a digest.
+    The data you are signing or verifying will need to be a base64 encoded digest of the data you wish to sign or verify.
+    It's important that the digest is created using the same hashing algorithm as the signing algorithm. As an example, you would create the digest with `SHA512` if you are using the `RSASSA_PKCS1_V1_5_SHA_512` signing algorithm.
+
+    To create a SHA512 digest of your data, you can use the following command with OpenSSL:
+    ```bash
+    echo -n "Hello, World" | openssl dgst -sha512 -binary | openssl base64
+    ```
+
+    ### Sample request for signing a digest
+
+    ```bash Request
+    curl --request POST \
+    --url https://app.infisical.com/api/v1/kms/keys/<key-id>/sign \
+    --header 'Content-Type: application/json' \
+    --data '{
+    "data": <digest-output-of-openssl-command>,
+    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512",
+    "isDigest": true
+    }'
+    ```
+
+    ### Sample response for signing a digest
+
+    ```bash Response
+    {
+        "signature": <base64-encoded-signature>,
+        "keyId": <key-id>,
+        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512"
+    }
+    ```
+
+    ### Sample request for verifying a digest
+
+    ```bash Request
+    curl --request POST \
+    --url https://app.infisical.com/api/v1/kms/keys/<key-id>/verify \
+    --header 'Content-Type: application/json' \
+    --data '{
+    "data": <digest-output-of-openssl-command>,
+    "signature": <base64-encoded-signature>,
+    "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512",
+    "isDigest": true
+    }'
+    ```
+
+    ### Sample response for verifying a digest
+
+    ```bash Response
+    {
+        "signatureValid": true,
+        "keyId": <key-id>,
+        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512"
+    }
+    ```
+
+    <Note>
+      Please note that `RSA PSS` signing algorithms are not supported for digest signing and verification. Please use `RSA PKCS1 V1.5` signing algorithms for digest signing and verification, or `ECDSA` if you're using an ECC key.
+    </Note>
   </Accordion>
 </AccordionGroup>

docs/integrations/app-connections/mssql.mdx

@@ -51,6 +51,10 @@ Infisical supports connecting to Microsoft SQL Server using database principals.
         - `username` - The username of the login created in the steps above
         - `password` - The password of the login created in the steps above
         - `sslCertificate` (optional) - The SSL certificate required for connection (if configured)
+
+        <Note>
+            If you are self-hosting Infisical and intend to connect to an internal/private IP address, be sure to set the `ALLOW_INTERNAL_IP_CONNECTIONS` environment variable to `true`.
+        </Note>
     </Step>
 </Steps>
 

docs/integrations/app-connections/postgres.mdx

@@ -41,6 +41,10 @@ Infisical supports connecting to PostgreSQL using a database role.
         - `username` - The role name of the login created in the steps above
         - `password` - The role password of the login created in the steps above
         - `sslCertificate` (optional) - The SSL certificate required for connection (if configured)
+
+        <Note>
+            If you are self-hosting Infisical and intend to connect to an internal/private IP address, be sure to set the `ALLOW_INTERNAL_IP_CONNECTIONS` environment variable to `true`.
+        </Note>
     </Step>
 </Steps>
 

docs/sdks/languages/go.mdx

@@ -284,7 +284,7 @@ if err != nil {
 }
 ```
 
-## Working With Secrets
+## Secrets
 
 ### List Secrets
 
@@ -591,7 +591,7 @@ Create multiple secrets in Infisical.
   </Expandable>
 </ParamField>
 
-## Working With Folders
+## Folders
 
 ###
 
@@ -748,3 +748,353 @@ deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
     </Expandable>
 
 </ParamField>
+
+## KMS
+
+### Create Key
+
+`client.Kms().Keys().Create(options)`
+
+Create a new key in Infisical.
+
+```go
+	newKey, err := client.Kms().Keys().Create(infisical.KmsCreateKeyOptions{
+		KeyUsage:            "<sign-verify>|<encrypt-decrypt>",
+		Description:         "<key-description>",
+		Name:                "<key-name>",
+		EncryptionAlgorithm: "<rsa-4096>|<ecc-nist-p256>|<aes-256-gcm>|<aes-128-gcm>",
+		ProjectId:           "<project-id>",
+	})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyUsage" type="string" required>
+      The usage of the key. Valid options are `sign-verify` or `encrypt-decrypt`.
+      The usage dictates what the key can be used for.
+    </ParamField>
+    <ParamField query="Description" type="string" optional>
+      The description of the key.
+    </ParamField>
+    <ParamField query="Name" type="string" required>
+      The name of the key.
+    </ParamField>
+    <ParamField query="EncryptionAlgorithm" type="string" required>
+      The encryption algorithm of the key.
+
+      Valid options for Signing/Verifying keys are:
+      - `rsa-4096`
+      - `ecc-nist-p256`
+
+      Valid options for Encryption/Decryption keys are:
+      - `aes-256-gcm`
+      - `aes-128-gcm`
+    </ParamField>
+    <ParamField query="ProjectId" type="string" required>
+      The ID of the project where the key will be created.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (object)
+<ParamField query="Return" type="object">
+  <Expandable title="properties">
+  <ParamField query="KeyId" type="string" required>
+    The ID of the key that was created.
+  </ParamField>
+  <ParamField query="Name" type="string" required>
+    The name of the key that was created.
+  </ParamField>
+  <ParamField query="Description" type="string" required>
+    The description of the key that was created.
+  </ParamField>
+  <ParamField query="IsDisabled" type="boolean" required>
+    Whether or not the key is disabled.
+  </ParamField>
+  <ParamField query="OrgId" type="string" required>
+    The ID of the organization that the key belongs to.
+  </ParamField>
+  <ParamField query="ProjectId" type="string" required>
+    The ID of the project that the key belongs to.
+  </ParamField>
+  <ParamField query="KeyUsage" type="string" required>
+    The intended usage of the key that was created.
+  </ParamField>
+  <ParamField query="EncryptionAlgorithm" type="string" required>
+    The encryption algorithm of the key that was created.
+  </ParamField>
+  <ParamField query="Version" type="string" required>
+    The version of the key that was created.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+### Delete Key
+
+`client.Kms().Keys().Delete(options)`
+
+Delete a key in Infisical.
+
+```go
+deletedKey, err = client.Kms().Keys().Delete(infisical.KmsDeleteKeyOptions{
+		KeyId: "<key-id>",
+	})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to delete.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (object)
+<ParamField query="Return" type="object">
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key that was deleted
+    </ParamField>
+    <ParamField query="Name" type="string" required>
+      The name of the key that was deleted.
+    </ParamField>
+    <ParamField query="Description" type="string" required>
+      The description of the key that was deleted.
+    </ParamField>
+    <ParamField query="IsDisabled" type="boolean" required>
+      Whether or not the key is disabled.
+    </ParamField>
+    <ParamField query="OrgId" type="string" required>
+      The ID of the organization that the key belonged to.
+    </ParamField>
+    <ParamField query="ProjectId" type="string" required>
+      The ID of the project that the key belonged to.
+    </ParamField>
+    <ParamField query="KeyUsage" type="string" required>
+      The intended usage of the key that was deleted.
+    </ParamField>
+    <ParamField query="EncryptionAlgorithm" type="string" required>
+      The encryption algorithm of the key that was deleted.
+    </ParamField>
+    <ParamField query="Version" type="string" required>
+      The version of the key that was deleted.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+### Signing Data
+
+`client.Kms().Signing().Sign(options)`
+Sign data in Infisical.
+
+```go
+res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
+  KeyId:            "<key-id>",
+  Data:             "<data-to-sign>", // Must be a base64 encoded string.
+  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to sign the data with.
+    </ParamField>
+    <ParamField query="Data" type="string" required>
+      The data to sign. Must be a base64 encoded string.
+    </ParamField>
+    <ParamField query="IsDigest" type="boolean" optional>
+      Whether the data is already digested or not.
+    </ParamField>
+    <ParamField query="SigningAlgorithm" type="string" required>
+      The signing algorithm to use. You must use a signing algorithm that matches the key usage.
+
+      <Note>
+        If you are unsure about which signing algorithms are available for your key, you can use the `client.Kms().Signing().ListSigningAlgorithms()` method. It will return an array of signing algorithms that are available for your key.
+      </Note>
+
+      Valid options for `RSA 4096` keys are:
+      - `RSASSA_PSS_SHA_512`
+      - `RSASSA_PSS_SHA_384`
+      - `RSASSA_PSS_SHA_256`
+      - `RSASSA_PKCS1_V1_5_SHA_512`
+      - `RSASSA_PKCS1_V1_5_SHA_384`
+      - `RSASSA_PKCS1_V1_5_SHA_256`
+
+      Valid options for `ECC NIST P256` keys are:
+      - `ECDSA_SHA_512`
+      - `ECDSA_SHA_384`
+      - `ECDSA_SHA_256`
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return ([]byte)
+<ParamField query="Return" type="[]byte">
+  The signature of the data that was signed.
+</ParamField>
+
+### Verifying Data
+
+`client.Kms().Signing().Verify(options)`
+Verify data in Infisical.
+
+```go
+res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
+  KeyId:            "<key-id>",
+  Data:             "<data-to-verify>", // Must be a base64 encoded string.
+  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to verify the data with.
+    </ParamField>
+    <ParamField query="Data" type="string" required>
+      The data to verify. Must be a base64 encoded string.
+    </ParamField>
+    <ParamField query="IsDigest" type="boolean" optional>
+      Whether the data is already digested or not.
+    </ParamField>
+    <ParamField query="SigningAlgorithm" type="string" required>
+      The signing algorithm that was used to sign the data.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (object)
+<ParamField query="Return" type="object">
+  <Expandable title="properties">
+    <ParamField query="SignatureValid" type="boolean" required>
+      Whether or not the data is valid.
+    </ParamField>
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key that was used to verify the data.
+    </ParamField>
+    <ParamField query="SigningAlgorithm" type="string" required>
+      The signing algorithm that was used to verify the data.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+### List Signing Algorithms
+
+`client.Kms().Signing().ListSigningAlgorithms(options)`
+List signing algorithms in Infisical.
+
+```go
+res, err := client.Kms().Signing().ListSigningAlgorithms(infisical.KmsListSigningAlgorithmsOptions{
+  KeyId: "<key-id>",
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to list signing algorithms for.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return ([]string)
+<ParamField query="Return" type="[]string">
+  The signing algorithms that are available for the key.
+</ParamField>
+
+### Get Public Key
+<Note>
+  This method is only available for keys with key usage `sign-verify`. If you attempt to use this method on a key that is intended for encryption/decryption, it will return an error.
+</Note>
+
+`client.Kms().Signing().GetPublicKey(options)`
+Get the public key in Infisical.
+
+```go
+publicKey, err := client.Kms().Signing().GetPublicKey(infisical.KmsGetPublicKeyOptions{
+  KeyId: "<key-id>",
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to get the public key for.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (string)
+<ParamField query="Return" type="string">
+  The public key for the key.
+</ParamField>
+
+### Encrypt Data
+
+`client.Kms().Encryption().Encrypt(options)`
+Encrypt data with a key in Infisical KMS.
+
+```go
+res, err := client.Kms().EncryptData(infisical.KmsEncryptDataOptions{
+  KeyId: "<key-id>",
+  Plaintext: "<data-to-encrypt>",
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to encrypt the data with.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (string)
+<ParamField query="Return" type="string">
+  The encrypted data.
+</ParamField>
+
+### Decrypt Data
+
+`client.Kms().DecryptData(options)`
+Decrypt data with a key in Infisical KMS.
+
+```go
+res, err := client.Kms().DecryptData(infisical.KmsDecryptDataOptions{
+  KeyId: "<key-id>",
+  Ciphertext: "<encrypted-data>",
+})
+```
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+  <Expandable title="properties">
+    <ParamField query="KeyId" type="string" required>
+      The ID of the key to decrypt the data with.
+    </ParamField>
+    <ParamField query="Ciphertext" type="string" required>
+      The encrypted data to decrypt.
+    </ParamField>
+  </Expandable>
+</ParamField>
+
+#### Return (string)
+<ParamField query="Return" type="string">
+  The decrypted data.
+</ParamField>

docs/self-hosting/configuration/envars.mdx

@@ -34,6 +34,10 @@ Used to configure platform-specific security and operational settings
   this to `false`.
 </ParamField>
 
+<ParamField query="ALLOW_INTERNAL_IP_CONNECTIONS" type="bool" default="false" optional>
+    Determines whether App Connections and Dynamic Secrets are permitted to connect with internal/private IP addresses.
+</ParamField>
+
 ## CORS
 
 Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain.