Merge pull request #3748 from Infisical/akhilmhdh-patch-3

feat: updated dynamic secret,secret import to support glob in environment
2025-07-22 13:29:55 +00:00 · 2025-06-06 10:50:36 -04:00 · 2025-06-06 20:08:21 +05:30 · 2025-06-06 18:55:03 +05:30 · 2025-06-06 16:20:48 +04:00 · 2025-06-06 04:12:04 +04:00
8 changed files with 70 additions and 10 deletions
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@ -709,6 +709,10 @@ export const licenseServiceFactory = ({
    return licenses;
  };

+  const invalidateGetPlan = async (orgId: string) => {
+    await keyStore.deleteItem(FEATURE_CACHE_KEY(orgId));
+  };
+
  return {
    generateOrgCustomerId,
    removeOrgCustomer,
@ -723,6 +727,7 @@ export const licenseServiceFactory = ({
      return onPremFeatures;
    },
    getPlan,
+    invalidateGetPlan,
    updateSubscriptionOrgMemberCount,
    refreshPlan,
    getOrgPlan,
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@ -376,7 +376,8 @@ const DynamicSecretConditionV2Schema = z
        .object({
          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
        })
        .partial()
    ]),
@ -404,6 +405,23 @@ const DynamicSecretConditionV2Schema = z
  })
  .partial();

+const SecretImportConditionSchema = z
+  .object({
+    environment: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+        })
+        .partial()
+    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
+  })
+  .partial();
+
 const SecretConditionV2Schema = z
  .object({
    environment: z.union([
@ -741,7 +759,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
      "Describe what action an entity can take."
    ),
-    conditions: SecretConditionV1Schema.describe(
+    conditions: SecretImportConditionSchema.describe(
      "When specified, only matching conditions will be allowed to access given resource."
    ).optional()
  }),
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@ -274,9 +274,27 @@ export const identityKubernetesAuthServiceFactory = ({

    if (identityKubernetesAuth.tokenReviewMode === IdentityKubernetesAuthTokenReviewMode.Gateway) {
      const { kubernetesHost } = identityKubernetesAuth;
-      const lastColonIndex = kubernetesHost.lastIndexOf(":");
-      const k8sHost = kubernetesHost.substring(0, lastColonIndex);
-      const k8sPort = kubernetesHost.substring(lastColonIndex + 1);
+
+      let urlString = kubernetesHost;
+      if (!kubernetesHost.startsWith("http://") && !kubernetesHost.startsWith("https://")) {
+        urlString = `https://${kubernetesHost}`;
+      }
+
+      const url = new URL(urlString);
+      let { port: k8sPort } = url;
+      const { protocol, hostname: k8sHost } = url;
+
+      const cleanedProtocol = new RE2(/[^a-zA-Z0-9]/g).replace(protocol, "").toLowerCase();
+
+      if (!["https", "http"].includes(cleanedProtocol)) {
+        throw new BadRequestError({
+          message: "Invalid Kubernetes host URL, must start with http:// or https://"
+        });
+      }
+
+      if (!k8sPort) {
+        k8sPort = cleanedProtocol === "https" ? "443" : "80";
+      }

      if (!identityKubernetesAuth.gatewayId) {
        throw new BadRequestError({
@ -287,7 +305,7 @@ export const identityKubernetesAuthServiceFactory = ({
      data = await $gatewayProxyWrapper(
        {
          gatewayId: identityKubernetesAuth.gatewayId,
-          targetHost: k8sHost, // note(daniel): must include the protocol (https|http)
+          targetHost: `${cleanedProtocol}://${k8sHost}`, // note(daniel): must include the protocol (https|http)
          targetPort: k8sPort ? Number(k8sPort) : 443,
          caCert,
          reviewTokenThroughGateway: true
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@ -165,7 +165,7 @@ type TProjectServiceFactoryDep = {
  sshHostGroupDAL: Pick<TSshHostGroupDALFactory, "find" | "findSshHostGroupsWithLoginMappings">;
  permissionService: TPermissionServiceFactory;
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "invalidateGetPlan">;
  queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
  smtpService: Pick<TSmtpService, "sendMail">;
  orgDAL: Pick<TOrgDALFactory, "findOne">;
@ -494,6 +494,10 @@ export const projectServiceFactory = ({
        );
      }

+      // no need to invalidate if there was no limit
+      if (plan.workspaceLimit) {
+        await licenseService.invalidateGetPlan(organization.id);
+      }
      return {
        ...project,
        environments: envs,
--- a/cli/packages/gateway/connection.go
+++ b/cli/packages/gateway/connection.go
@ -12,6 +12,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"sync"
@ -106,6 +107,11 @@ func handleStream(stream quic.Stream, quicConn quic.Connection) {

 			targetURL := string(argParts[0])

+			if !isValidURL(targetURL) {
+				log.Error().Msgf("Invalid target URL: %s", targetURL)
+				return
+			}
+
 			// Parse optional parameters
 			var caCertB64, verifyParam string
 			for _, part := range argParts[1:] {
@ -255,6 +261,11 @@ type CloseWrite interface {
 	CloseWrite() error
 }

+func isValidURL(str string) bool {
+	u, err := url.Parse(str)
+	return err == nil && u.Scheme != "" && u.Host != ""
+}
+
 func CopyDataFromQuicToTcp(quicStream quic.Stream, tcpConn net.Conn) {
 	// Create a WaitGroup to wait for both copy operations
 	var wg sync.WaitGroup
--- a/helm-charts/infisical-gateway/CHANGELOG.md
+++ b/helm-charts/infisical-gateway/CHANGELOG.md
@ -1,3 +1,7 @@
+## 0.0.3 (June 6, 2025)
+
+* Minor fix for handling malformed URLs for HTTP forwarding
+
 ## 0.0.2 (June 6, 2025)

 * Bumped default CLI image version from 0.41.1 -> 0.41.8.
--- a/helm-charts/infisical-gateway/Chart.yaml
+++ b/helm-charts/infisical-gateway/Chart.yaml
@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.2
+version: 0.0.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.2"
+appVersion: "0.0.3"
--- a/helm-charts/infisical-gateway/values.yaml
+++ b/helm-charts/infisical-gateway/values.yaml
@ -1,6 +1,6 @@
 image:
  pullPolicy: IfNotPresent
-  tag: "0.41.8"
+  tag: "0.41.81"

 secret:
  # The secret that contains the environment variables to be used by the gateway, such as INFISICAL_API_URL and TOKEN
Author	SHA1	Message	Date
Maidul Islam	b4f37193ac	Merge pull request #3748 from Infisical/akhilmhdh-patch-3 feat: updated dynamic secret,secret import to support glob in environment	2025-06-06 10:50:36 -04:00
Akhil Mohan	c8be5a637a	feat: updated dynamic secret,secret import to support glob in environment	2025-06-06 20:08:21 +05:30
Akhil Mohan	45485f8bd3	Merge pull request #3739 from akhilmhdh/feat/limit-project-create feat: added invalidate function to lock	2025-06-06 18:55:03 +05:30
Daniel Hougaard	766254c4e3	Merge pull request #3742 from Infisical/daniel/gateway-fix fix(gateway): handle malformed URL's	2025-06-06 16:20:48 +04:00
Daniel Hougaard	4bd1eb6f70	Update helm-charts/infisical-gateway/CHANGELOG.md Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-06-06 04:12:04 +04:00
Daniel Hougaard	022ecf75e1	fix(gateway): handle malformed URL's	2025-06-06 04:02:24 +04:00
=	1f80ff040d	feat: added invalidate function to lock	2025-06-06 01:45:01 +05:30