Compare commits

...

64 Commits

Author SHA1 Message Date
0191eb48f3 Merge pull request #3974 from Infisical/fix-email-invite-notifications
Improve + fix invitation reminder logic
2025-07-07 14:47:50 -04:00
9d39910152 Minor fix to prevent setting lastInvitedAt for invitees who weren’t actually sent an invitation 2025-07-07 15:35:49 -03:00
9137fa4ca5 Improve + fix invitation reminder logic 2025-07-07 13:31:20 -04:00
78da7ec343 Merge pull request #3972 from Infisical/fix/telemetryOrgIdentify
feat(telemetry): improve Posthog org identity logic
2025-07-07 10:15:59 -03:00
a678ebb4ac Fix Cloud telemetry queue initialization 2025-07-07 10:10:30 -03:00
83dd38db49 feat(telemetry): reduce TELEMETRY_AGGREGATED_KEY_EXP to 10 mins and avoid sending org identitfy events for batch events on sendPostHogEvents 2025-07-07 08:36:15 -03:00
06f5af1200 Merge pull request #3890 from Infisical/daniel/sso-endpoints-docs
docs(api-reference/organizations): document SSO configuration endpoints
2025-07-04 05:33:52 +04:00
f903e5b3d4 Update saml-router.ts 2025-07-04 05:23:05 +04:00
c6f8915d3f Update saml-config-service.ts 2025-07-04 05:21:54 +04:00
65b1354ef1 fix: remove undefined return type from get saml endpoint 2025-07-04 05:07:54 +04:00
cda8579ca4 fix: requested changes 2025-07-04 04:51:14 +04:00
1b1acdcb0b Merge pull request #3917 from Infisical/cli-add-bitbucket-platform
Add BitBucket platform to secret scanning
2025-07-03 20:06:48 -04:00
a8f08730a1 Merge pull request #3908 from Infisical/fix/ui-small-catches
feat: added autoplay to loading lottie and fixed tooltip in project select
2025-07-03 19:35:59 -04:00
9af9050aa2 Merge pull request #3921 from Infisical/misc/allow-users-with-create-identity-to-invite-no-access
misc: allow users with create permission to add identities with no access
2025-07-03 19:27:04 -04:00
cc564119e0 misc: allow users with create permission to add identities with no access 2025-07-04 04:24:15 +08:00
189b0dd5ee Merge pull request #3920 from Infisical/fix-secret-sync-remove-and-import-audit-logs
fix(secret-syncs): pass audit log info from import/delete secrets for sync endpoint
2025-07-03 13:02:04 -07:00
9cbef2c07b fix: pass audit log info from import/delete secrets for sync endpoint 2025-07-03 12:37:28 -07:00
9a960a85cd Merge pull request #3905 from Infisical/password-reset-ui
improvement(password-reset): re-vamp password reset flow pages/steps to match login
2025-07-03 10:31:58 -07:00
2a9e31d305 Few nits 2025-07-03 13:11:53 -04:00
fb2f1731dd Merge branch 'main' into password-reset-ui 2025-07-03 13:02:48 -04:00
42648a134c Update utils.go to look more like Gitleaks version 2025-07-03 12:47:25 -04:00
defb66ce65 Merge pull request #3918 from Infisical/revert-3901-revert-3875-ENG-3009-test
Undo Environment Variables Override PR Revert + SSO Fix
2025-07-03 12:18:10 -04:00
a3d06fdf1b misc: added reference to server admin 2025-07-03 21:21:06 +08:00
9049c441d6 Greptile review fix 2025-07-03 03:18:37 -04:00
51ecc9dfa0 Merge branch 'revert-3899-revert-3896-misc/final-changes-for-self-serve-en' into revert-3901-revert-3875-ENG-3009-test 2025-07-03 03:08:42 -04:00
13c9879fb6 Merge branch 'main' into revert-3901-revert-3875-ENG-3009-test 2025-07-03 02:54:28 -04:00
23b20ebdab Fix CLI always defaulting to github 2025-07-03 00:49:31 -04:00
37d490ede3 Add BitBucket platform to secret scanning 2025-07-03 00:09:28 -04:00
73025f5094 Merge pull request #3916 from Infisical/revert-3915-revert-3914-daniel/infisical-helm
Revert "Revert "feat(helm-charts/infiscal-core): topologySpreadConstraints support""
2025-07-03 05:25:24 +04:00
82634983ce Update Chart.yaml 2025-07-03 05:19:30 +04:00
af2f3017b7 fix: tests failing 2025-07-03 05:13:50 +04:00
a8f0eceeb9 Update helm-release-infisical-core.yml 2025-07-03 05:00:51 +04:00
36ff5e054b Update helm-release-infisical-core.yml 2025-07-03 04:50:49 +04:00
eff73f1810 fix: update versions 2025-07-03 04:27:55 +04:00
68357b5669 Revert "Revert "feat(helm-charts/infiscal-core): topologySpreadConstraints support"" 2025-07-02 20:25:36 -04:00
03c2e93bea Merge pull request #3915 from Infisical/revert-3914-daniel/infisical-helm
Revert "feat(helm-charts/infiscal-core): topologySpreadConstraints support"
2025-07-02 20:25:33 -04:00
8c1f3837e7 Revert "feat(helm-charts/infiscal-core): topologySpreadConstraints support" 2025-07-03 04:24:40 +04:00
7b47d91cc1 Merge pull request #3914 from Infisical/daniel/infisical-helm
feat(helm-charts/infiscal-core): topologySpreadConstraints support
2025-07-03 04:21:34 +04:00
c37afaa050 feat(helm-charts/infiscal-core): topologySpreadConstraints support 2025-07-03 04:08:37 +04:00
811920f8bb Merge pull request #3870 from Infisical/feat/zabbixSyncIntegration
feat(secret-sync): add Zabbix secret sync
2025-07-02 20:59:51 -03:00
7b295c5a21 Merge pull request #3913 from Infisical/daniel/fix-folder-deletion
fix(secret-folders): delete folder by ID
2025-07-03 03:49:01 +04:00
527a727c1c fix: ts issue 2025-07-03 03:28:21 +04:00
0139064aaa Update secret-folder-service.ts 2025-07-03 03:17:10 +04:00
a3859170fe fix(secret-folders): delete folder by ID 2025-07-03 03:15:06 +04:00
02b97cbf5b Merge pull request #3912 from Infisical/fix/multiEnvDeleteErrorMessage
Improve multi-env error message to show full env name instead of slug
2025-07-02 17:43:32 -04:00
=
7ab67db84d feat: fixed black color in tooltip 2025-07-03 01:18:52 +05:30
=
3a17281e37 feat: resolved tooltip overflow 2025-07-03 00:41:47 +05:30
=
abfe185a5b feat: added autoplay to loading lottie and fixed tooltip in project select 2025-07-02 22:13:37 +05:30
9163da291e feat(secret-sync): add PR suggestions for Zabbix secret sync 2025-07-02 10:18:20 -03:00
f6c10683a5 misc: add sync for passport middleware 2025-07-02 20:48:24 +08:00
307e6900ee Merge branch 'main' into feat/zabbixSyncIntegration 2025-07-02 09:25:19 -03:00
69157cb912 improvement: add period 2025-07-01 19:23:13 -07:00
44eb761d5b improvement: re-vamp password reset flow pages/steps to match login design 2025-07-01 19:19:27 -07:00
abbf541c9f Docs link on UI 2025-07-01 19:01:39 -04:00
fcdd121a58 Docs & UI update 2025-07-01 18:46:06 -04:00
5bfd92bf8d Revert "Revert "feat(super-admin): Environment Overrides"" 2025-07-01 17:43:52 -04:00
45af2c0b49 Revert "Revert "misc: updated sidebar name"" 2025-07-01 17:42:54 -04:00
13d2cbd8b0 Update docs.json 2025-07-01 02:09:14 +04:00
abfc5736fd docs(api-reference/organizations): document SSO configuration endpoints 2025-07-01 02:05:53 +04:00
68abd0f044 feat(secret-sync): fix docs 2025-06-27 14:23:39 -03:00
f3c11a0a17 feat(secret-sync): fix docs 2025-06-27 14:12:46 -03:00
f4779de051 feat(secret-sync): add re2 on replacements 2025-06-27 14:03:59 -03:00
defe7b8f0b feat(secret-sync): add blockLocalAndPrivateIpAddresses on secret-sync fns functions 2025-06-27 13:37:57 -03:00
cf3113ac89 feat(secret-sync): add Zabbix secret sync 2025-06-27 13:31:41 -03:00
160 changed files with 3297 additions and 436 deletions

View File

@ -0,0 +1,21 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
export async function up(knex: Knex): Promise<void> {
const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
if (!hasColumn) {
await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
t.binary("encryptedEnvOverrides").nullable();
});
}
}
export async function down(knex: Knex): Promise<void> {
const hasColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "encryptedEnvOverrides");
if (hasColumn) {
await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
t.dropColumn("encryptedEnvOverrides");
});
}
}

View File

@ -0,0 +1,21 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
export async function up(knex: Knex): Promise<void> {
const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
if (hasColumn) {
await knex.schema.alterTable(TableName.OrgMembership, (t) => {
t.datetime("lastInvitedAt").nullable().defaultTo(knex.fn.now()).alter();
});
}
}
export async function down(knex: Knex): Promise<void> {
const hasColumn = await knex.schema.hasColumn(TableName.OrgMembership, "lastInvitedAt");
if (hasColumn) {
await knex.schema.alterTable(TableName.OrgMembership, (t) => {
t.datetime("lastInvitedAt").nullable().alter();
});
}
}

View File

@ -34,7 +34,8 @@ export const SuperAdminSchema = z.object({
encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(), encryptedGitHubAppConnectionClientSecret: zodBuffer.nullable().optional(),
encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(), encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(), encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional() encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
encryptedEnvOverrides: zodBuffer.nullable().optional()
}); });
export type TSuperAdmin = z.infer<typeof SuperAdminSchema>; export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

View File

@ -17,6 +17,7 @@ import { z } from "zod";
import { LdapGroupMapsSchema } from "@app/db/schemas"; import { LdapGroupMapsSchema } from "@app/db/schemas";
import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types"; import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns"; import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
import { ApiDocsTags, LdapSso } from "@app/lib/api-docs";
import { getConfig } from "@app/lib/config/env"; import { getConfig } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors"; import { BadRequestError } from "@app/lib/errors";
import { logger } from "@app/lib/logger"; import { logger } from "@app/lib/logger";
@ -132,10 +133,18 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: readLimit rateLimit: readLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.LdapSso],
description: "Get LDAP config",
security: [
{
bearerAuth: []
}
],
querystring: z.object({ querystring: z.object({
organizationId: z.string().trim() organizationId: z.string().trim().describe(LdapSso.GET_CONFIG.organizationId)
}), }),
response: { response: {
200: z.object({ 200: z.object({
@ -172,23 +181,32 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.LdapSso],
description: "Create LDAP config",
security: [
{
bearerAuth: []
}
],
body: z.object({ body: z.object({
organizationId: z.string().trim(), organizationId: z.string().trim().describe(LdapSso.CREATE_CONFIG.organizationId),
isActive: z.boolean(), isActive: z.boolean().describe(LdapSso.CREATE_CONFIG.isActive),
url: z.string().trim(), url: z.string().trim().describe(LdapSso.CREATE_CONFIG.url),
bindDN: z.string().trim(), bindDN: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindDN),
bindPass: z.string().trim(), bindPass: z.string().trim().describe(LdapSso.CREATE_CONFIG.bindPass),
uniqueUserAttribute: z.string().trim().default("uidNumber"), uniqueUserAttribute: z.string().trim().default("uidNumber").describe(LdapSso.CREATE_CONFIG.uniqueUserAttribute),
searchBase: z.string().trim(), searchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.searchBase),
searchFilter: z.string().trim().default("(uid={{username}})"), searchFilter: z.string().trim().default("(uid={{username}})").describe(LdapSso.CREATE_CONFIG.searchFilter),
groupSearchBase: z.string().trim(), groupSearchBase: z.string().trim().describe(LdapSso.CREATE_CONFIG.groupSearchBase),
groupSearchFilter: z groupSearchFilter: z
.string() .string()
.trim() .trim()
.default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"), .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))")
caCert: z.string().trim().default("") .describe(LdapSso.CREATE_CONFIG.groupSearchFilter),
caCert: z.string().trim().default("").describe(LdapSso.CREATE_CONFIG.caCert)
}), }),
response: { response: {
200: SanitizedLdapConfigSchema 200: SanitizedLdapConfigSchema
@ -214,23 +232,31 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.LdapSso],
description: "Update LDAP config",
security: [
{
bearerAuth: []
}
],
body: z body: z
.object({ .object({
isActive: z.boolean(), isActive: z.boolean().describe(LdapSso.UPDATE_CONFIG.isActive),
url: z.string().trim(), url: z.string().trim().describe(LdapSso.UPDATE_CONFIG.url),
bindDN: z.string().trim(), bindDN: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindDN),
bindPass: z.string().trim(), bindPass: z.string().trim().describe(LdapSso.UPDATE_CONFIG.bindPass),
uniqueUserAttribute: z.string().trim(), uniqueUserAttribute: z.string().trim().describe(LdapSso.UPDATE_CONFIG.uniqueUserAttribute),
searchBase: z.string().trim(), searchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchBase),
searchFilter: z.string().trim(), searchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.searchFilter),
groupSearchBase: z.string().trim(), groupSearchBase: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchBase),
groupSearchFilter: z.string().trim(), groupSearchFilter: z.string().trim().describe(LdapSso.UPDATE_CONFIG.groupSearchFilter),
caCert: z.string().trim() caCert: z.string().trim().describe(LdapSso.UPDATE_CONFIG.caCert)
}) })
.partial() .partial()
.merge(z.object({ organizationId: z.string() })), .merge(z.object({ organizationId: z.string().trim().describe(LdapSso.UPDATE_CONFIG.organizationId) })),
response: { response: {
200: SanitizedLdapConfigSchema 200: SanitizedLdapConfigSchema
} }

View File

@ -13,6 +13,7 @@ import { z } from "zod";
import { OidcConfigsSchema } from "@app/db/schemas"; import { OidcConfigsSchema } from "@app/db/schemas";
import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types"; import { OIDCConfigurationType, OIDCJWTSignatureAlgorithm } from "@app/ee/services/oidc/oidc-config-types";
import { ApiDocsTags, OidcSSo } from "@app/lib/api-docs";
import { getConfig } from "@app/lib/config/env"; import { getConfig } from "@app/lib/config/env";
import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter"; import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth"; import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@ -153,10 +154,18 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: readLimit rateLimit: readLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.OidcSso],
description: "Get OIDC config",
security: [
{
bearerAuth: []
}
],
querystring: z.object({ querystring: z.object({
orgSlug: z.string().trim() organizationId: z.string().trim().describe(OidcSSo.GET_CONFIG.organizationId)
}), }),
response: { response: {
200: SanitizedOidcConfigSchema.pick({ 200: SanitizedOidcConfigSchema.pick({
@ -180,9 +189,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
} }
}, },
handler: async (req) => { handler: async (req) => {
const { orgSlug } = req.query;
const oidc = await server.services.oidc.getOidc({ const oidc = await server.services.oidc.getOidc({
orgSlug, organizationId: req.query.organizationId,
type: "external", type: "external",
actor: req.permission.type, actor: req.permission.type,
actorId: req.permission.id, actorId: req.permission.id,
@ -200,8 +208,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.OidcSso],
description: "Update OIDC config",
security: [
{
bearerAuth: []
}
],
body: z body: z
.object({ .object({
allowedEmailDomains: z allowedEmailDomains: z
@ -216,22 +232,26 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
.split(",") .split(",")
.map((id) => id.trim()) .map((id) => id.trim())
.join(", "); .join(", ");
}), })
discoveryURL: z.string().trim(), .describe(OidcSSo.UPDATE_CONFIG.allowedEmailDomains),
configurationType: z.nativeEnum(OIDCConfigurationType), discoveryURL: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.discoveryURL),
issuer: z.string().trim(), configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.UPDATE_CONFIG.configurationType),
authorizationEndpoint: z.string().trim(), issuer: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.issuer),
jwksUri: z.string().trim(), authorizationEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.authorizationEndpoint),
tokenEndpoint: z.string().trim(), jwksUri: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.jwksUri),
userinfoEndpoint: z.string().trim(), tokenEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.tokenEndpoint),
clientId: z.string().trim(), userinfoEndpoint: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.userinfoEndpoint),
clientSecret: z.string().trim(), clientId: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientId),
isActive: z.boolean(), clientSecret: z.string().trim().describe(OidcSSo.UPDATE_CONFIG.clientSecret),
manageGroupMemberships: z.boolean().optional(), isActive: z.boolean().describe(OidcSSo.UPDATE_CONFIG.isActive),
jwtSignatureAlgorithm: z.nativeEnum(OIDCJWTSignatureAlgorithm).optional() manageGroupMemberships: z.boolean().optional().describe(OidcSSo.UPDATE_CONFIG.manageGroupMemberships),
jwtSignatureAlgorithm: z
.nativeEnum(OIDCJWTSignatureAlgorithm)
.optional()
.describe(OidcSSo.UPDATE_CONFIG.jwtSignatureAlgorithm)
}) })
.partial() .partial()
.merge(z.object({ orgSlug: z.string() })), .merge(z.object({ organizationId: z.string().describe(OidcSSo.UPDATE_CONFIG.organizationId) })),
response: { response: {
200: SanitizedOidcConfigSchema.pick({ 200: SanitizedOidcConfigSchema.pick({
id: true, id: true,
@ -267,8 +287,16 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.OidcSso],
description: "Create OIDC config",
security: [
{
bearerAuth: []
}
],
body: z body: z
.object({ .object({
allowedEmailDomains: z allowedEmailDomains: z
@ -283,23 +311,34 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
.split(",") .split(",")
.map((id) => id.trim()) .map((id) => id.trim())
.join(", "); .join(", ");
}), })
configurationType: z.nativeEnum(OIDCConfigurationType), .describe(OidcSSo.CREATE_CONFIG.allowedEmailDomains),
issuer: z.string().trim().optional().default(""), configurationType: z.nativeEnum(OIDCConfigurationType).describe(OidcSSo.CREATE_CONFIG.configurationType),
discoveryURL: z.string().trim().optional().default(""), issuer: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.issuer),
authorizationEndpoint: z.string().trim().optional().default(""), discoveryURL: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.discoveryURL),
jwksUri: z.string().trim().optional().default(""), authorizationEndpoint: z
tokenEndpoint: z.string().trim().optional().default(""), .string()
userinfoEndpoint: z.string().trim().optional().default(""), .trim()
clientId: z.string().trim(), .optional()
clientSecret: z.string().trim(), .default("")
isActive: z.boolean(), .describe(OidcSSo.CREATE_CONFIG.authorizationEndpoint),
orgSlug: z.string().trim(), jwksUri: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.jwksUri),
manageGroupMemberships: z.boolean().optional().default(false), tokenEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.tokenEndpoint),
userinfoEndpoint: z.string().trim().optional().default("").describe(OidcSSo.CREATE_CONFIG.userinfoEndpoint),
clientId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientId),
clientSecret: z.string().trim().describe(OidcSSo.CREATE_CONFIG.clientSecret),
isActive: z.boolean().describe(OidcSSo.CREATE_CONFIG.isActive),
organizationId: z.string().trim().describe(OidcSSo.CREATE_CONFIG.organizationId),
manageGroupMemberships: z
.boolean()
.optional()
.default(false)
.describe(OidcSSo.CREATE_CONFIG.manageGroupMemberships),
jwtSignatureAlgorithm: z jwtSignatureAlgorithm: z
.nativeEnum(OIDCJWTSignatureAlgorithm) .nativeEnum(OIDCJWTSignatureAlgorithm)
.optional() .optional()
.default(OIDCJWTSignatureAlgorithm.RS256) .default(OIDCJWTSignatureAlgorithm.RS256)
.describe(OidcSSo.CREATE_CONFIG.jwtSignatureAlgorithm)
}) })
.superRefine((data, ctx) => { .superRefine((data, ctx) => {
if (data.configurationType === OIDCConfigurationType.CUSTOM) { if (data.configurationType === OIDCConfigurationType.CUSTOM) {

View File

@ -13,6 +13,7 @@ import { FastifyRequest } from "fastify";
import { z } from "zod"; import { z } from "zod";
import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types"; import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
import { ApiDocsTags, SamlSso } from "@app/lib/api-docs";
import { getConfig } from "@app/lib/config/env"; import { getConfig } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors"; import { BadRequestError } from "@app/lib/errors";
import { logger } from "@app/lib/logger"; import { logger } from "@app/lib/logger";
@ -149,8 +150,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
firstName, firstName,
lastName: lastName as string, lastName: lastName as string,
relayState: (req.body as { RelayState?: string }).RelayState, relayState: (req.body as { RelayState?: string }).RelayState,
authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string, authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider,
orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string, orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId,
metadata: userMetadata metadata: userMetadata
}); });
cb(null, { isUserCompleted, providerAuthToken }); cb(null, { isUserCompleted, providerAuthToken });
@ -262,25 +263,31 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: readLimit rateLimit: readLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.SamlSso],
description: "Get SAML config",
security: [
{
bearerAuth: []
}
],
querystring: z.object({ querystring: z.object({
organizationId: z.string().trim() organizationId: z.string().trim().describe(SamlSso.GET_CONFIG.organizationId)
}), }),
response: { response: {
200: z 200: z.object({
.object({ id: z.string(),
id: z.string(), organization: z.string(),
organization: z.string(), orgId: z.string(),
orgId: z.string(), authProvider: z.string(),
authProvider: z.string(), isActive: z.boolean(),
isActive: z.boolean(), entryPoint: z.string(),
entryPoint: z.string(), issuer: z.string(),
issuer: z.string(), cert: z.string(),
cert: z.string(), lastUsed: z.date().nullable().optional()
lastUsed: z.date().nullable().optional() })
})
.optional()
} }
}, },
handler: async (req) => { handler: async (req) => {
@ -302,15 +309,23 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.SamlSso],
description: "Create SAML config",
security: [
{
bearerAuth: []
}
],
body: z.object({ body: z.object({
organizationId: z.string(), organizationId: z.string().trim().describe(SamlSso.CREATE_CONFIG.organizationId),
authProvider: z.nativeEnum(SamlProviders), authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.CREATE_CONFIG.authProvider),
isActive: z.boolean(), isActive: z.boolean().describe(SamlSso.CREATE_CONFIG.isActive),
entryPoint: z.string(), entryPoint: z.string().trim().describe(SamlSso.CREATE_CONFIG.entryPoint),
issuer: z.string(), issuer: z.string().trim().describe(SamlSso.CREATE_CONFIG.issuer),
cert: z.string() cert: z.string().trim().describe(SamlSso.CREATE_CONFIG.cert)
}), }),
response: { response: {
200: SanitizedSamlConfigSchema 200: SanitizedSamlConfigSchema
@ -341,18 +356,26 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
config: { config: {
rateLimit: writeLimit rateLimit: writeLimit
}, },
onRequest: verifyAuth([AuthMode.JWT]), onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: { schema: {
hide: false,
tags: [ApiDocsTags.SamlSso],
description: "Update SAML config",
security: [
{
bearerAuth: []
}
],
body: z body: z
.object({ .object({
authProvider: z.nativeEnum(SamlProviders), authProvider: z.nativeEnum(SamlProviders).describe(SamlSso.UPDATE_CONFIG.authProvider),
isActive: z.boolean(), isActive: z.boolean().describe(SamlSso.UPDATE_CONFIG.isActive),
entryPoint: z.string(), entryPoint: z.string().trim().describe(SamlSso.UPDATE_CONFIG.entryPoint),
issuer: z.string(), issuer: z.string().trim().describe(SamlSso.UPDATE_CONFIG.issuer),
cert: z.string() cert: z.string().trim().describe(SamlSso.UPDATE_CONFIG.cert)
}) })
.partial() .partial()
.merge(z.object({ organizationId: z.string() })), .merge(z.object({ organizationId: z.string().trim().describe(SamlSso.UPDATE_CONFIG.organizationId) })),
response: { response: {
200: SanitizedSamlConfigSchema 200: SanitizedSamlConfigSchema
} }

View File

@ -107,34 +107,26 @@ export const oidcConfigServiceFactory = ({
kmsService kmsService
}: TOidcConfigServiceFactoryDep) => { }: TOidcConfigServiceFactoryDep) => {
const getOidc = async (dto: TGetOidcCfgDTO) => { const getOidc = async (dto: TGetOidcCfgDTO) => {
const org = await orgDAL.findOne({ slug: dto.orgSlug }); const oidcCfg = await oidcConfigDAL.findOne({
if (!org) { orgId: dto.organizationId
});
if (!oidcCfg) {
throw new NotFoundError({ throw new NotFoundError({
message: `Organization with slug '${dto.orgSlug}' not found`, message: `OIDC configuration for organization with ID '${dto.organizationId}' not found`
name: "OrgNotFound"
}); });
} }
if (dto.type === "external") { if (dto.type === "external") {
const { permission } = await permissionService.getOrgPermission( const { permission } = await permissionService.getOrgPermission(
dto.actor, dto.actor,
dto.actorId, dto.actorId,
org.id, dto.organizationId,
dto.actorAuthMethod, dto.actorAuthMethod,
dto.actorOrgId dto.actorOrgId
); );
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso); ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Sso);
} }
const oidcCfg = await oidcConfigDAL.findOne({
orgId: org.id
});
if (!oidcCfg) {
throw new NotFoundError({
message: `OIDC configuration for organization with slug '${dto.orgSlug}' not found`
});
}
const { decryptor } = await kmsService.createCipherPairWithDataKey({ const { decryptor } = await kmsService.createCipherPairWithDataKey({
type: KmsDataKey.Organization, type: KmsDataKey.Organization,
orgId: oidcCfg.orgId orgId: oidcCfg.orgId
@ -465,7 +457,7 @@ export const oidcConfigServiceFactory = ({
}; };
const updateOidcCfg = async ({ const updateOidcCfg = async ({
orgSlug, organizationId,
allowedEmailDomains, allowedEmailDomains,
configurationType, configurationType,
discoveryURL, discoveryURL,
@ -484,13 +476,11 @@ export const oidcConfigServiceFactory = ({
manageGroupMemberships, manageGroupMemberships,
jwtSignatureAlgorithm jwtSignatureAlgorithm
}: TUpdateOidcCfgDTO) => { }: TUpdateOidcCfgDTO) => {
const org = await orgDAL.findOne({ const org = await orgDAL.findOne({ id: organizationId });
slug: orgSlug
});
if (!org) { if (!org) {
throw new NotFoundError({ throw new NotFoundError({
message: `Organization with slug '${orgSlug}' not found` message: `Organization with ID '${organizationId}' not found`
}); });
} }
@ -555,7 +545,7 @@ export const oidcConfigServiceFactory = ({
}; };
const createOidcCfg = async ({ const createOidcCfg = async ({
orgSlug, organizationId,
allowedEmailDomains, allowedEmailDomains,
configurationType, configurationType,
discoveryURL, discoveryURL,
@ -574,12 +564,10 @@ export const oidcConfigServiceFactory = ({
manageGroupMemberships, manageGroupMemberships,
jwtSignatureAlgorithm jwtSignatureAlgorithm
}: TCreateOidcCfgDTO) => { }: TCreateOidcCfgDTO) => {
const org = await orgDAL.findOne({ const org = await orgDAL.findOne({ id: organizationId });
slug: orgSlug
});
if (!org) { if (!org) {
throw new NotFoundError({ throw new NotFoundError({
message: `Organization with slug '${orgSlug}' not found` message: `Organization with ID '${organizationId}' not found`
}); });
} }
@ -639,7 +627,7 @@ export const oidcConfigServiceFactory = ({
const oidcCfg = await getOidc({ const oidcCfg = await getOidc({
type: "internal", type: "internal",
orgSlug organizationId: org.id
}); });
if (!oidcCfg || !oidcCfg.isActive) { if (!oidcCfg || !oidcCfg.isActive) {

View File

@ -26,11 +26,11 @@ export type TOidcLoginDTO = {
export type TGetOidcCfgDTO = export type TGetOidcCfgDTO =
| ({ | ({
type: "external"; type: "external";
orgSlug: string; organizationId: string;
} & TGenericPermission) } & TGenericPermission)
| { | {
type: "internal"; type: "internal";
orgSlug: string; organizationId: string;
}; };
export type TCreateOidcCfgDTO = { export type TCreateOidcCfgDTO = {
@ -45,7 +45,7 @@ export type TCreateOidcCfgDTO = {
clientId: string; clientId: string;
clientSecret: string; clientSecret: string;
isActive: boolean; isActive: boolean;
orgSlug: string; organizationId: string;
manageGroupMemberships: boolean; manageGroupMemberships: boolean;
jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm; jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
} & TGenericPermission; } & TGenericPermission;
@ -62,7 +62,7 @@ export type TUpdateOidcCfgDTO = Partial<{
clientId: string; clientId: string;
clientSecret: string; clientSecret: string;
isActive: boolean; isActive: boolean;
orgSlug: string; organizationId: string;
manageGroupMemberships: boolean; manageGroupMemberships: boolean;
jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm; jwtSignatureAlgorithm: OIDCJWTSignatureAlgorithm;
}> & }> &

View File

@ -148,10 +148,18 @@ export const samlConfigServiceFactory = ({
let samlConfig: TSamlConfigs | undefined; let samlConfig: TSamlConfigs | undefined;
if (dto.type === "org") { if (dto.type === "org") {
samlConfig = await samlConfigDAL.findOne({ orgId: dto.orgId }); samlConfig = await samlConfigDAL.findOne({ orgId: dto.orgId });
if (!samlConfig) return; if (!samlConfig) {
throw new NotFoundError({
message: `SAML configuration for organization with ID '${dto.orgId}' not found`
});
}
} else if (dto.type === "orgSlug") { } else if (dto.type === "orgSlug") {
const org = await orgDAL.findOne({ slug: dto.orgSlug }); const org = await orgDAL.findOne({ slug: dto.orgSlug });
if (!org) return; if (!org) {
throw new NotFoundError({
message: `Organization with slug '${dto.orgSlug}' not found`
});
}
samlConfig = await samlConfigDAL.findOne({ orgId: org.id }); samlConfig = await samlConfigDAL.findOne({ orgId: org.id });
} else if (dto.type === "ssoId") { } else if (dto.type === "ssoId") {
// TODO: // TODO:

View File

@ -61,20 +61,17 @@ export type TSamlLoginDTO = {
export type TSamlConfigServiceFactory = { export type TSamlConfigServiceFactory = {
createSamlCfg: (arg: TCreateSamlCfgDTO) => Promise<TSamlConfigs>; createSamlCfg: (arg: TCreateSamlCfgDTO) => Promise<TSamlConfigs>;
updateSamlCfg: (arg: TUpdateSamlCfgDTO) => Promise<TSamlConfigs>; updateSamlCfg: (arg: TUpdateSamlCfgDTO) => Promise<TSamlConfigs>;
getSaml: (arg: TGetSamlCfgDTO) => Promise< getSaml: (arg: TGetSamlCfgDTO) => Promise<{
| { id: string;
id: string; organization: string;
organization: string; orgId: string;
orgId: string; authProvider: string;
authProvider: string; isActive: boolean;
isActive: boolean; entryPoint: string;
entryPoint: string; issuer: string;
issuer: string; cert: string;
cert: string; lastUsed: Date | null | undefined;
lastUsed: Date | null | undefined; }>;
}
| undefined
>;
samlLogin: (arg: TSamlLoginDTO) => Promise<{ samlLogin: (arg: TSamlLoginDTO) => Promise<{
isUserCompleted: boolean; isUserCompleted: boolean;
providerAuthToken: string; providerAuthToken: string;

View File

@ -66,7 +66,10 @@ export enum ApiDocsTags {
KmsKeys = "KMS Keys", KmsKeys = "KMS Keys",
KmsEncryption = "KMS Encryption", KmsEncryption = "KMS Encryption",
KmsSigning = "KMS Signing", KmsSigning = "KMS Signing",
SecretScanning = "Secret Scanning" SecretScanning = "Secret Scanning",
OidcSso = "OIDC SSO",
SamlSso = "SAML SSO",
LdapSso = "LDAP SSO"
} }
export const GROUPS = { export const GROUPS = {
@ -2268,6 +2271,10 @@ export const AppConnections = {
accessToken: "The Access Token used to access GitLab.", accessToken: "The Access Token used to access GitLab.",
code: "The OAuth code to use to connect with GitLab.", code: "The OAuth code to use to connect with GitLab.",
accessTokenType: "The type of token used to connect with GitLab." accessTokenType: "The type of token used to connect with GitLab."
},
ZABBIX: {
apiToken: "The API Token used to access Zabbix.",
instanceUrl: "The Zabbix instance URL to connect with."
} }
} }
}; };
@ -2457,6 +2464,12 @@ export const SecretSyncs = {
CLOUDFLARE_PAGES: { CLOUDFLARE_PAGES: {
projectName: "The name of the Cloudflare Pages project to sync secrets to.", projectName: "The name of the Cloudflare Pages project to sync secrets to.",
environment: "The environment of the Cloudflare Pages project to sync secrets to." environment: "The environment of the Cloudflare Pages project to sync secrets to."
},
ZABBIX: {
scope: "The Zabbix scope that secrets should be synced to.",
hostId: "The ID of the Zabbix host to sync secrets to.",
hostName: "The name of the Zabbix host to sync secrets to.",
macroType: "The type of macro to sync secrets to. (0: Text, 1: Secret)"
} }
} }
}; };
@ -2652,3 +2665,113 @@ export const SecretScanningConfigs = {
content: "The contents of the Secret Scanning Configuration file." content: "The contents of the Secret Scanning Configuration file."
} }
}; };
export const OidcSSo = {
GET_CONFIG: {
organizationId: "The ID of the organization to get the OIDC config for."
},
UPDATE_CONFIG: {
organizationId: "The ID of the organization to update the OIDC config for.",
allowedEmailDomains:
"A list of allowed email domains that users can use to authenticate with. This field is comma separated. Example: 'example.com,acme.com'",
discoveryURL: "The URL of the OIDC discovery endpoint.",
configurationType: "The configuration type to use for the OIDC configuration.",
issuer:
"The issuer for the OIDC configuration. This is only supported when the OIDC configuration type is set to 'custom'.",
authorizationEndpoint:
"The endpoint to use for OIDC authorization. This is only supported when the OIDC configuration type is set to 'custom'.",
jwksUri: "The URL of the OIDC JWKS endpoint.",
tokenEndpoint: "The token endpoint to use for OIDC token exchange.",
userinfoEndpoint: "The userinfo endpoint to get user information from the OIDC provider.",
clientId: "The client ID to use for OIDC authentication.",
clientSecret: "The client secret to use for OIDC authentication.",
isActive: "Whether to enable or disable this OIDC configuration.",
manageGroupMemberships:
"Whether to manage group memberships for the OIDC configuration. If enabled, users will automatically be assigned groups when they sign in, based on which groups they are a member of in the OIDC provider.",
jwtSignatureAlgorithm: "The algorithm to use for JWT signature verification."
},
CREATE_CONFIG: {
organizationId: "The ID of the organization to create the OIDC config for.",
allowedEmailDomains:
"A list of allowed email domains that users can use to authenticate with. This field is comma separated.",
discoveryURL: "The URL of the OIDC discovery endpoint.",
configurationType: "The configuration type to use for the OIDC configuration.",
issuer:
"The issuer for the OIDC configuration. This is only supported when the OIDC configuration type is set to 'custom'.",
authorizationEndpoint:
"The authorization endpoint to use for OIDC authorization. This is only supported when the OIDC configuration type is set to 'custom'.",
jwksUri: "The URL of the OIDC JWKS endpoint.",
tokenEndpoint: "The token endpoint to use for OIDC token exchange.",
userinfoEndpoint: "The userinfo endpoint to get user information from the OIDC provider.",
clientId: "The client ID to use for OIDC authentication.",
clientSecret: "The client secret to use for OIDC authentication.",
isActive: "Whether to enable or disable this OIDC configuration.",
manageGroupMemberships:
"Whether to manage group memberships for the OIDC configuration. If enabled, users will automatically be assigned groups when they sign in, based on which groups they are a member of in the OIDC provider.",
jwtSignatureAlgorithm: "The algorithm to use for JWT signature verification."
}
};
export const SamlSso = {
GET_CONFIG: {
organizationId: "The ID of the organization to get the SAML config for."
},
UPDATE_CONFIG: {
organizationId: "The ID of the organization to update the SAML config for.",
authProvider: "Authentication provider to use for SAML authentication.",
isActive: "Whether to enable or disable this SAML configuration.",
entryPoint:
"The entry point for the SAML authentication. This is the URL that the user will be redirected to after they have authenticated with the SAML provider.",
issuer: "The SAML provider issuer URL or entity ID.",
cert: "The certificate to use for SAML authentication."
},
CREATE_CONFIG: {
organizationId: "The ID of the organization to create the SAML config for.",
authProvider: "Authentication provider to use for SAML authentication.",
isActive: "Whether to enable or disable this SAML configuration.",
entryPoint:
"The entry point for the SAML authentication. This is the URL that the user will be redirected to after they have authenticated with the SAML provider.",
issuer: "The SAML provider issuer URL or entity ID.",
cert: "The certificate to use for SAML authentication."
}
};
export const LdapSso = {
GET_CONFIG: {
organizationId: "The ID of the organization to get the LDAP config for."
},
CREATE_CONFIG: {
organizationId: "The ID of the organization to create the LDAP config for.",
isActive: "Whether to enable or disable this LDAP configuration.",
url: "The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.",
bindDN:
"The distinguished name of the object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`",
bindPass: "The password to use along with Bind DN when performing the user search.",
searchBase: "The base DN to use for the user search such as `ou=Users,dc=acme,dc=com`",
uniqueUserAttribute:
"The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID`. If left blank, defaults to uidNumber",
searchFilter:
"The template used to construct the LDAP user search filter such as `(uid={{username}})` uses literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.",
groupSearchBase: "LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`",
groupSearchFilter:
"The template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: `[UserDN, UserName]`. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.",
caCert: "The CA certificate to use when verifying the LDAP server certificate."
},
UPDATE_CONFIG: {
organizationId: "The ID of the organization to update the LDAP config for.",
isActive: "Whether to enable or disable this LDAP configuration.",
url: "The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.",
bindDN:
"The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`",
bindPass: "The password to use along with Bind DN when performing the user search.",
uniqueUserAttribute:
"The attribute to use as the unique identifier of LDAP users such as `sAMAccountName`, `cn`, `uid`, `objectGUID`. If left blank, defaults to uidNumber",
searchFilter:
"The template used to construct the LDAP user search filter such as `(uid={{username}})` uses literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.",
searchBase: "The base DN to use for the user search such as `ou=Users,dc=acme,dc=com`",
groupSearchBase: "LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`",
groupSearchFilter:
"The template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: `[UserDN, UserName]`. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.",
caCert: "The CA certificate to use when verifying the LDAP server certificate."
}
};

View File

@ -2,6 +2,7 @@ import { z } from "zod";
import { QueueWorkerProfile } from "@app/lib/types"; import { QueueWorkerProfile } from "@app/lib/types";
import { BadRequestError } from "../errors";
import { removeTrailingSlash } from "../fn"; import { removeTrailingSlash } from "../fn";
import { CustomLogger } from "../logger/logger"; import { CustomLogger } from "../logger/logger";
import { zpStr } from "../zod"; import { zpStr } from "../zod";
@ -341,8 +342,11 @@ const envSchema = z
export type TEnvConfig = Readonly<z.infer<typeof envSchema>>; export type TEnvConfig = Readonly<z.infer<typeof envSchema>>;
let envCfg: TEnvConfig; let envCfg: TEnvConfig;
let originalEnvConfig: TEnvConfig;
export const getConfig = () => envCfg; export const getConfig = () => envCfg;
export const getOriginalConfig = () => originalEnvConfig;
// cannot import singleton logger directly as it needs config to load various transport // cannot import singleton logger directly as it needs config to load various transport
export const initEnvConfig = (logger?: CustomLogger) => { export const initEnvConfig = (logger?: CustomLogger) => {
const parsedEnv = envSchema.safeParse(process.env); const parsedEnv = envSchema.safeParse(process.env);
@ -352,10 +356,115 @@ export const initEnvConfig = (logger?: CustomLogger) => {
process.exit(-1); process.exit(-1);
} }
envCfg = Object.freeze(parsedEnv.data); const config = Object.freeze(parsedEnv.data);
envCfg = config;
if (!originalEnvConfig) {
originalEnvConfig = config;
}
return envCfg; return envCfg;
}; };
// A list of environment variables that can be overwritten
export const overwriteSchema: {
[key: string]: {
name: string;
fields: { key: keyof TEnvConfig; description?: string }[];
};
} = {
azure: {
name: "Azure",
fields: [
{
key: "INF_APP_CONNECTION_AZURE_CLIENT_ID",
description: "The Application (Client) ID of your Azure application."
},
{
key: "INF_APP_CONNECTION_AZURE_CLIENT_SECRET",
description: "The Client Secret of your Azure application."
}
]
},
google_sso: {
name: "Google SSO",
fields: [
{
key: "CLIENT_ID_GOOGLE_LOGIN",
description: "The Client ID of your GCP OAuth2 application."
},
{
key: "CLIENT_SECRET_GOOGLE_LOGIN",
description: "The Client Secret of your GCP OAuth2 application."
}
]
},
github_sso: {
name: "GitHub SSO",
fields: [
{
key: "CLIENT_ID_GITHUB_LOGIN",
description: "The Client ID of your GitHub OAuth application."
},
{
key: "CLIENT_SECRET_GITHUB_LOGIN",
description: "The Client Secret of your GitHub OAuth application."
}
]
},
gitlab_sso: {
name: "GitLab SSO",
fields: [
{
key: "CLIENT_ID_GITLAB_LOGIN",
description: "The Client ID of your GitLab application."
},
{
key: "CLIENT_SECRET_GITLAB_LOGIN",
description: "The Secret of your GitLab application."
},
{
key: "CLIENT_GITLAB_LOGIN_URL",
description:
"The URL of your self-hosted instance of GitLab where the OAuth application is registered. If no URL is passed in, this will default to https://gitlab.com."
}
]
}
};
export const overridableKeys = new Set(
Object.values(overwriteSchema).flatMap(({ fields }) => fields.map(({ key }) => key))
);
export const validateOverrides = (config: Record<string, string>) => {
const allowedOverrides = Object.fromEntries(
Object.entries(config).filter(([key]) => overridableKeys.has(key as keyof z.input<typeof envSchema>))
);
const tempEnv: Record<string, unknown> = { ...process.env, ...allowedOverrides };
const parsedResult = envSchema.safeParse(tempEnv);
if (!parsedResult.success) {
const errorDetails = parsedResult.error.issues
.map((issue) => `Key: "${issue.path.join(".")}", Error: ${issue.message}`)
.join("\n");
throw new BadRequestError({ message: errorDetails });
}
};
export const overrideEnvConfig = (config: Record<string, string>) => {
const allowedOverrides = Object.fromEntries(
Object.entries(config).filter(([key]) => overridableKeys.has(key as keyof z.input<typeof envSchema>))
);
const tempEnv: Record<string, unknown> = { ...process.env, ...allowedOverrides };
const parsedResult = envSchema.safeParse(tempEnv);
if (parsedResult.success) {
envCfg = Object.freeze(parsedResult.data);
}
};
export const formatSmtpConfig = () => { export const formatSmtpConfig = () => {
const tlsOptions: { const tlsOptions: {
rejectUnauthorized: boolean; rejectUnauthorized: boolean;

View File

@ -300,6 +300,7 @@ import { injectIdentity } from "../plugins/auth/inject-identity";
import { injectPermission } from "../plugins/auth/inject-permission"; import { injectPermission } from "../plugins/auth/inject-permission";
import { injectRateLimits } from "../plugins/inject-rate-limits"; import { injectRateLimits } from "../plugins/inject-rate-limits";
import { registerV1Routes } from "./v1"; import { registerV1Routes } from "./v1";
import { initializeOauthConfigSync } from "./v1/sso-router";
import { registerV2Routes } from "./v2"; import { registerV2Routes } from "./v2";
import { registerV3Routes } from "./v3"; import { registerV3Routes } from "./v3";
@ -1910,6 +1911,7 @@ export const registerRoutes = async (
await hsmService.startService(); await hsmService.startService();
await telemetryQueue.startTelemetryCheck(); await telemetryQueue.startTelemetryCheck();
await telemetryQueue.startAggregatedEventsJob();
await dailyResourceCleanUp.startCleanUp(); await dailyResourceCleanUp.startCleanUp();
await dailyExpiringPkiItemAlert.startSendingAlerts(); await dailyExpiringPkiItemAlert.startSendingAlerts();
await pkiSubscriberQueue.startDailyAutoRenewalJob(); await pkiSubscriberQueue.startDailyAutoRenewalJob();
@ -2046,6 +2048,16 @@ export const registerRoutes = async (
} }
} }
const configSyncJob = await superAdminService.initializeEnvConfigSync();
if (configSyncJob) {
cronJobs.push(configSyncJob);
}
const oauthConfigSyncJob = await initializeOauthConfigSync();
if (oauthConfigSyncJob) {
cronJobs.push(oauthConfigSyncJob);
}
server.decorate<FastifyZodProvider["store"]>("store", { server.decorate<FastifyZodProvider["store"]>("store", {
user: userDAL, user: userDAL,
kmipClient: kmipClientDAL kmipClient: kmipClientDAL

View File

@ -8,7 +8,7 @@ import {
SuperAdminSchema, SuperAdminSchema,
UsersSchema UsersSchema
} from "@app/db/schemas"; } from "@app/db/schemas";
import { getConfig } from "@app/lib/config/env"; import { getConfig, overridableKeys } from "@app/lib/config/env";
import { BadRequestError } from "@app/lib/errors"; import { BadRequestError } from "@app/lib/errors";
import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter"; import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry"; import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@ -42,7 +42,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
encryptedGitHubAppConnectionClientSecret: true, encryptedGitHubAppConnectionClientSecret: true,
encryptedGitHubAppConnectionSlug: true, encryptedGitHubAppConnectionSlug: true,
encryptedGitHubAppConnectionId: true, encryptedGitHubAppConnectionId: true,
encryptedGitHubAppConnectionPrivateKey: true encryptedGitHubAppConnectionPrivateKey: true,
encryptedEnvOverrides: true
}).extend({ }).extend({
isMigrationModeOn: z.boolean(), isMigrationModeOn: z.boolean(),
defaultAuthOrgSlug: z.string().nullable(), defaultAuthOrgSlug: z.string().nullable(),
@ -110,11 +111,14 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
.refine((content) => DOMPurify.sanitize(content) === content, { .refine((content) => DOMPurify.sanitize(content) === content, {
message: "Page frame content contains unsafe HTML." message: "Page frame content contains unsafe HTML."
}) })
.optional() .optional(),
envOverrides: z.record(z.enum(Array.from(overridableKeys) as [string, ...string[]]), z.string()).optional()
}), }),
response: { response: {
200: z.object({ 200: z.object({
config: SuperAdminSchema.extend({ config: SuperAdminSchema.omit({
encryptedEnvOverrides: true
}).extend({
defaultAuthOrgSlug: z.string().nullable() defaultAuthOrgSlug: z.string().nullable()
}) })
}) })
@ -381,6 +385,41 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
} }
}); });
server.route({
method: "GET",
url: "/env-overrides",
config: {
rateLimit: readLimit
},
schema: {
response: {
200: z.record(
z.string(),
z.object({
name: z.string(),
fields: z
.object({
key: z.string(),
value: z.string(),
hasEnvEntry: z.boolean(),
description: z.string().optional()
})
.array()
})
)
}
},
onRequest: (req, res, done) => {
verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
verifySuperAdmin(req, res, done);
});
},
handler: async () => {
const envOverrides = await server.services.superAdmin.getEnvOverridesOrganized();
return envOverrides;
}
});
server.route({ server.route({
method: "DELETE", method: "DELETE",
url: "/user-management/users/:userId", url: "/user-management/users/:userId",

View File

@ -84,6 +84,7 @@ import {
SanitizedWindmillConnectionSchema, SanitizedWindmillConnectionSchema,
WindmillConnectionListItemSchema WindmillConnectionListItemSchema
} from "@app/services/app-connection/windmill"; } from "@app/services/app-connection/windmill";
import { SanitizedZabbixConnectionSchema, ZabbixConnectionListItemSchema } from "@app/services/app-connection/zabbix";
import { AuthMode } from "@app/services/auth/auth-type"; import { AuthMode } from "@app/services/auth/auth-type";
// can't use discriminated due to multiple schemas for certain apps // can't use discriminated due to multiple schemas for certain apps
@ -116,7 +117,8 @@ const SanitizedAppConnectionSchema = z.union([
...SanitizedRenderConnectionSchema.options, ...SanitizedRenderConnectionSchema.options,
...SanitizedFlyioConnectionSchema.options, ...SanitizedFlyioConnectionSchema.options,
...SanitizedGitLabConnectionSchema.options, ...SanitizedGitLabConnectionSchema.options,
...SanitizedCloudflareConnectionSchema.options ...SanitizedCloudflareConnectionSchema.options,
...SanitizedZabbixConnectionSchema.options
]); ]);
const AppConnectionOptionsSchema = z.discriminatedUnion("app", [ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@ -148,7 +150,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
RenderConnectionListItemSchema, RenderConnectionListItemSchema,
FlyioConnectionListItemSchema, FlyioConnectionListItemSchema,
GitLabConnectionListItemSchema, GitLabConnectionListItemSchema,
CloudflareConnectionListItemSchema CloudflareConnectionListItemSchema,
ZabbixConnectionListItemSchema
]); ]);
export const registerAppConnectionRouter = async (server: FastifyZodProvider) => { export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

View File

@ -29,6 +29,7 @@ import { registerTeamCityConnectionRouter } from "./teamcity-connection-router";
import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router"; import { registerTerraformCloudConnectionRouter } from "./terraform-cloud-router";
import { registerVercelConnectionRouter } from "./vercel-connection-router"; import { registerVercelConnectionRouter } from "./vercel-connection-router";
import { registerWindmillConnectionRouter } from "./windmill-connection-router"; import { registerWindmillConnectionRouter } from "./windmill-connection-router";
import { registerZabbixConnectionRouter } from "./zabbix-connection-router";
export * from "./app-connection-router"; export * from "./app-connection-router";
@ -62,5 +63,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
[AppConnection.Render]: registerRenderConnectionRouter, [AppConnection.Render]: registerRenderConnectionRouter,
[AppConnection.Flyio]: registerFlyioConnectionRouter, [AppConnection.Flyio]: registerFlyioConnectionRouter,
[AppConnection.GitLab]: registerGitLabConnectionRouter, [AppConnection.GitLab]: registerGitLabConnectionRouter,
[AppConnection.Cloudflare]: registerCloudflareConnectionRouter [AppConnection.Cloudflare]: registerCloudflareConnectionRouter,
[AppConnection.Zabbix]: registerZabbixConnectionRouter
}; };

View File

@ -0,0 +1,51 @@
import z from "zod";
import { readLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
CreateZabbixConnectionSchema,
SanitizedZabbixConnectionSchema,
UpdateZabbixConnectionSchema
} from "@app/services/app-connection/zabbix";
import { AuthMode } from "@app/services/auth/auth-type";
import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
export const registerZabbixConnectionRouter = async (server: FastifyZodProvider) => {
registerAppConnectionEndpoints({
app: AppConnection.Zabbix,
server,
sanitizedResponseSchema: SanitizedZabbixConnectionSchema,
createSchema: CreateZabbixConnectionSchema,
updateSchema: UpdateZabbixConnectionSchema
});
// The following endpoints are for internal Infisical App use only and not part of the public API
server.route({
method: "GET",
url: `/:connectionId/hosts`,
config: {
rateLimit: readLimit
},
schema: {
params: z.object({
connectionId: z.string().uuid()
}),
response: {
200: z
.object({
hostId: z.string(),
host: z.string()
})
.array()
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const { connectionId } = req.params;
const hosts = await server.services.appConnection.zabbix.listHosts(connectionId, req.permission);
return hosts;
}
});
};

View File

@ -22,6 +22,7 @@ import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router"; import { registerTerraformCloudSyncRouter } from "./terraform-cloud-sync-router";
import { registerVercelSyncRouter } from "./vercel-sync-router"; import { registerVercelSyncRouter } from "./vercel-sync-router";
import { registerWindmillSyncRouter } from "./windmill-sync-router"; import { registerWindmillSyncRouter } from "./windmill-sync-router";
import { registerZabbixSyncRouter } from "./zabbix-sync-router";
export * from "./secret-sync-router"; export * from "./secret-sync-router";
@ -47,5 +48,6 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
[SecretSync.Render]: registerRenderSyncRouter, [SecretSync.Render]: registerRenderSyncRouter,
[SecretSync.Flyio]: registerFlyioSyncRouter, [SecretSync.Flyio]: registerFlyioSyncRouter,
[SecretSync.GitLab]: registerGitLabSyncRouter, [SecretSync.GitLab]: registerGitLabSyncRouter,
[SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter [SecretSync.CloudflarePages]: registerCloudflarePagesSyncRouter,
[SecretSync.Zabbix]: registerZabbixSyncRouter
}; };

View File

@ -382,7 +382,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
{ {
syncId, syncId,
destination, destination,
importBehavior importBehavior,
auditLogInfo: req.auditLogInfo
}, },
req.permission req.permission
)) as T; )) as T;
@ -415,7 +416,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
const secretSync = (await server.services.secretSync.triggerSecretSyncRemoveSecretsById( const secretSync = (await server.services.secretSync.triggerSecretSyncRemoveSecretsById(
{ {
syncId, syncId,
destination destination,
auditLogInfo: req.auditLogInfo
}, },
req.permission req.permission
)) as T; )) as T;

View File

@ -39,6 +39,7 @@ import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/se
import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud"; import { TerraformCloudSyncListItemSchema, TerraformCloudSyncSchema } from "@app/services/secret-sync/terraform-cloud";
import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel"; import { VercelSyncListItemSchema, VercelSyncSchema } from "@app/services/secret-sync/vercel";
import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill"; import { WindmillSyncListItemSchema, WindmillSyncSchema } from "@app/services/secret-sync/windmill";
import { ZabbixSyncListItemSchema, ZabbixSyncSchema } from "@app/services/secret-sync/zabbix";
const SecretSyncSchema = z.discriminatedUnion("destination", [ const SecretSyncSchema = z.discriminatedUnion("destination", [
AwsParameterStoreSyncSchema, AwsParameterStoreSyncSchema,
@ -62,7 +63,8 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
RenderSyncSchema, RenderSyncSchema,
FlyioSyncSchema, FlyioSyncSchema,
GitLabSyncSchema, GitLabSyncSchema,
CloudflarePagesSyncSchema CloudflarePagesSyncSchema,
ZabbixSyncSchema
]); ]);
const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
@ -87,7 +89,8 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
RenderSyncListItemSchema, RenderSyncListItemSchema,
FlyioSyncListItemSchema, FlyioSyncListItemSchema,
GitLabSyncListItemSchema, GitLabSyncListItemSchema,
CloudflarePagesSyncListItemSchema CloudflarePagesSyncListItemSchema,
ZabbixSyncListItemSchema
]); ]);
export const registerSecretSyncRouter = async (server: FastifyZodProvider) => { export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

View File

@ -0,0 +1,13 @@
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { CreateZabbixSyncSchema, UpdateZabbixSyncSchema, ZabbixSyncSchema } from "@app/services/secret-sync/zabbix";
import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
export const registerZabbixSyncRouter = async (server: FastifyZodProvider) =>
registerSyncSecretsEndpoints({
destination: SecretSync.Zabbix,
server,
responseSchema: ZabbixSyncSchema,
createSchema: CreateZabbixSyncSchema,
updateSchema: UpdateZabbixSyncSchema
});

View File

@ -9,6 +9,7 @@
import { Authenticator } from "@fastify/passport"; import { Authenticator } from "@fastify/passport";
import fastifySession from "@fastify/session"; import fastifySession from "@fastify/session";
import RedisStore from "connect-redis"; import RedisStore from "connect-redis";
import { CronJob } from "cron";
import { Strategy as GitLabStrategy } from "passport-gitlab2"; import { Strategy as GitLabStrategy } from "passport-gitlab2";
import { Strategy as GoogleStrategy } from "passport-google-oauth20"; import { Strategy as GoogleStrategy } from "passport-google-oauth20";
import { Strategy as OAuth2Strategy } from "passport-oauth2"; import { Strategy as OAuth2Strategy } from "passport-oauth2";
@ -25,27 +26,14 @@ import { AuthMethod } from "@app/services/auth/auth-type";
import { OrgAuthMethod } from "@app/services/org/org-types"; import { OrgAuthMethod } from "@app/services/org/org-types";
import { getServerCfg } from "@app/services/super-admin/super-admin-service"; import { getServerCfg } from "@app/services/super-admin/super-admin-service";
export const registerSsoRouter = async (server: FastifyZodProvider) => { const passport = new Authenticator({ key: "sso", userProperty: "passportUser" });
let serverInstance: FastifyZodProvider | null = null;
export const registerOauthMiddlewares = (server: FastifyZodProvider) => {
serverInstance = server;
const appCfg = getConfig(); const appCfg = getConfig();
const passport = new Authenticator({ key: "sso", userProperty: "passportUser" });
const redisStore = new RedisStore({
client: server.redis,
prefix: "oauth-session:",
ttl: 600 // 10 minutes
});
await server.register(fastifySession, {
secret: appCfg.COOKIE_SECRET_SIGN_KEY,
store: redisStore,
cookie: {
secure: appCfg.HTTPS_ENABLED,
sameSite: "lax" // we want cookies to be sent to Infisical in redirects originating from IDP server
}
});
await server.register(passport.initialize());
await server.register(passport.secureSession());
// passport oauth strategy for Google // passport oauth strategy for Google
const isGoogleOauthActive = Boolean(appCfg.CLIENT_ID_GOOGLE_LOGIN && appCfg.CLIENT_SECRET_GOOGLE_LOGIN); const isGoogleOauthActive = Boolean(appCfg.CLIENT_ID_GOOGLE_LOGIN && appCfg.CLIENT_SECRET_GOOGLE_LOGIN);
if (isGoogleOauthActive) { if (isGoogleOauthActive) {
@ -176,6 +164,49 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
) )
); );
} }
};
export const refreshOauthConfig = () => {
if (!serverInstance) {
logger.warn("Cannot refresh OAuth config: server instance not available");
return;
}
logger.info("Refreshing OAuth configuration...");
registerOauthMiddlewares(serverInstance);
};
export const initializeOauthConfigSync = async () => {
logger.info("Setting up background sync process for oauth configuration");
// sync every 5 minutes
const job = new CronJob("*/5 * * * *", refreshOauthConfig);
job.start();
return job;
};
export const registerSsoRouter = async (server: FastifyZodProvider) => {
const appCfg = getConfig();
const redisStore = new RedisStore({
client: server.redis,
prefix: "oauth-session:",
ttl: 600 // 10 minutes
});
await server.register(fastifySession, {
secret: appCfg.COOKIE_SECRET_SIGN_KEY,
store: redisStore,
cookie: {
secure: appCfg.HTTPS_ENABLED,
sameSite: "lax" // we want cookies to be sent to Infisical in redirects originating from IDP server
}
});
await server.register(passport.initialize());
await server.register(passport.secureSession());
registerOauthMiddlewares(server);
server.route({ server.route({
url: "/redirect/google", url: "/redirect/google",

View File

@ -27,7 +27,8 @@ export enum AppConnection {
Render = "render", Render = "render",
Flyio = "flyio", Flyio = "flyio",
GitLab = "gitlab", GitLab = "gitlab",
Cloudflare = "cloudflare" Cloudflare = "cloudflare",
Zabbix = "zabbix"
} }
export enum AWSRegion { export enum AWSRegion {

View File

@ -105,6 +105,7 @@ import {
validateWindmillConnectionCredentials, validateWindmillConnectionCredentials,
WindmillConnectionMethod WindmillConnectionMethod
} from "./windmill"; } from "./windmill";
import { getZabbixConnectionListItem, validateZabbixConnectionCredentials, ZabbixConnectionMethod } from "./zabbix";
export const listAppConnectionOptions = () => { export const listAppConnectionOptions = () => {
return [ return [
@ -136,7 +137,8 @@ export const listAppConnectionOptions = () => {
getRenderConnectionListItem(), getRenderConnectionListItem(),
getFlyioConnectionListItem(), getFlyioConnectionListItem(),
getGitLabConnectionListItem(), getGitLabConnectionListItem(),
getCloudflareConnectionListItem() getCloudflareConnectionListItem(),
getZabbixConnectionListItem()
].sort((a, b) => a.name.localeCompare(b.name)); ].sort((a, b) => a.name.localeCompare(b.name));
}; };
@ -216,7 +218,8 @@ export const validateAppConnectionCredentials = async (
[AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator, [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator, [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator, [AppConnection.GitLab]: validateGitLabConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator [AppConnection.Cloudflare]: validateCloudflareConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Zabbix]: validateZabbixConnectionCredentials as TAppConnectionCredentialsValidator
}; };
return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection); return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@ -253,6 +256,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
case VercelConnectionMethod.ApiToken: case VercelConnectionMethod.ApiToken:
case OnePassConnectionMethod.ApiToken: case OnePassConnectionMethod.ApiToken:
case CloudflareConnectionMethod.APIToken: case CloudflareConnectionMethod.APIToken:
case ZabbixConnectionMethod.ApiToken:
return "API Token"; return "API Token";
case PostgresConnectionMethod.UsernameAndPassword: case PostgresConnectionMethod.UsernameAndPassword:
case MsSqlConnectionMethod.UsernameAndPassword: case MsSqlConnectionMethod.UsernameAndPassword:
@ -332,7 +336,8 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
[AppConnection.Render]: platformManagedCredentialsNotSupported, [AppConnection.Render]: platformManagedCredentialsNotSupported,
[AppConnection.Flyio]: platformManagedCredentialsNotSupported, [AppConnection.Flyio]: platformManagedCredentialsNotSupported,
[AppConnection.GitLab]: platformManagedCredentialsNotSupported, [AppConnection.GitLab]: platformManagedCredentialsNotSupported,
[AppConnection.Cloudflare]: platformManagedCredentialsNotSupported [AppConnection.Cloudflare]: platformManagedCredentialsNotSupported,
[AppConnection.Zabbix]: platformManagedCredentialsNotSupported
}; };
export const enterpriseAppCheck = async ( export const enterpriseAppCheck = async (

View File

@ -29,7 +29,8 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
[AppConnection.Render]: "Render", [AppConnection.Render]: "Render",
[AppConnection.Flyio]: "Fly.io", [AppConnection.Flyio]: "Fly.io",
[AppConnection.GitLab]: "GitLab", [AppConnection.GitLab]: "GitLab",
[AppConnection.Cloudflare]: "Cloudflare" [AppConnection.Cloudflare]: "Cloudflare",
[AppConnection.Zabbix]: "Zabbix"
}; };
export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = { export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanType> = {
@ -61,5 +62,6 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
[AppConnection.Render]: AppConnectionPlanType.Regular, [AppConnection.Render]: AppConnectionPlanType.Regular,
[AppConnection.Flyio]: AppConnectionPlanType.Regular, [AppConnection.Flyio]: AppConnectionPlanType.Regular,
[AppConnection.GitLab]: AppConnectionPlanType.Regular, [AppConnection.GitLab]: AppConnectionPlanType.Regular,
[AppConnection.Cloudflare]: AppConnectionPlanType.Regular [AppConnection.Cloudflare]: AppConnectionPlanType.Regular,
[AppConnection.Zabbix]: AppConnectionPlanType.Regular
}; };

View File

@ -80,6 +80,8 @@ import { ValidateVercelConnectionCredentialsSchema } from "./vercel";
import { vercelConnectionService } from "./vercel/vercel-connection-service"; import { vercelConnectionService } from "./vercel/vercel-connection-service";
import { ValidateWindmillConnectionCredentialsSchema } from "./windmill"; import { ValidateWindmillConnectionCredentialsSchema } from "./windmill";
import { windmillConnectionService } from "./windmill/windmill-connection-service"; import { windmillConnectionService } from "./windmill/windmill-connection-service";
import { ValidateZabbixConnectionCredentialsSchema } from "./zabbix";
import { zabbixConnectionService } from "./zabbix/zabbix-connection-service";
export type TAppConnectionServiceFactoryDep = { export type TAppConnectionServiceFactoryDep = {
appConnectionDAL: TAppConnectionDALFactory; appConnectionDAL: TAppConnectionDALFactory;
@ -119,7 +121,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
[AppConnection.Render]: ValidateRenderConnectionCredentialsSchema, [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
[AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema, [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema,
[AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema, [AppConnection.GitLab]: ValidateGitLabConnectionCredentialsSchema,
[AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema [AppConnection.Cloudflare]: ValidateCloudflareConnectionCredentialsSchema,
[AppConnection.Zabbix]: ValidateZabbixConnectionCredentialsSchema
}; };
export const appConnectionServiceFactory = ({ export const appConnectionServiceFactory = ({
@ -529,6 +532,7 @@ export const appConnectionServiceFactory = ({
render: renderConnectionService(connectAppConnectionById), render: renderConnectionService(connectAppConnectionById),
flyio: flyioConnectionService(connectAppConnectionById), flyio: flyioConnectionService(connectAppConnectionById),
gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService), gitlab: gitlabConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
cloudflare: cloudflareConnectionService(connectAppConnectionById) cloudflare: cloudflareConnectionService(connectAppConnectionById),
zabbix: zabbixConnectionService(connectAppConnectionById)
}; };
}; };

View File

@ -165,6 +165,12 @@ import {
TWindmillConnectionConfig, TWindmillConnectionConfig,
TWindmillConnectionInput TWindmillConnectionInput
} from "./windmill"; } from "./windmill";
import {
TValidateZabbixConnectionCredentialsSchema,
TZabbixConnection,
TZabbixConnectionConfig,
TZabbixConnectionInput
} from "./zabbix";
export type TAppConnection = { id: string } & ( export type TAppConnection = { id: string } & (
| TAwsConnection | TAwsConnection
@ -196,6 +202,7 @@ export type TAppConnection = { id: string } & (
| TFlyioConnection | TFlyioConnection
| TGitLabConnection | TGitLabConnection
| TCloudflareConnection | TCloudflareConnection
| TZabbixConnection
); );
export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>; export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@ -232,6 +239,7 @@ export type TAppConnectionInput = { id: string } & (
| TFlyioConnectionInput | TFlyioConnectionInput
| TGitLabConnectionInput | TGitLabConnectionInput
| TCloudflareConnectionInput | TCloudflareConnectionInput
| TZabbixConnectionInput
); );
export type TSqlConnectionInput = export type TSqlConnectionInput =
@ -275,7 +283,8 @@ export type TAppConnectionConfig =
| TRenderConnectionConfig | TRenderConnectionConfig
| TFlyioConnectionConfig | TFlyioConnectionConfig
| TGitLabConnectionConfig | TGitLabConnectionConfig
| TCloudflareConnectionConfig; | TCloudflareConnectionConfig
| TZabbixConnectionConfig;
export type TValidateAppConnectionCredentialsSchema = export type TValidateAppConnectionCredentialsSchema =
| TValidateAwsConnectionCredentialsSchema | TValidateAwsConnectionCredentialsSchema
@ -306,7 +315,8 @@ export type TValidateAppConnectionCredentialsSchema =
| TValidateRenderConnectionCredentialsSchema | TValidateRenderConnectionCredentialsSchema
| TValidateFlyioConnectionCredentialsSchema | TValidateFlyioConnectionCredentialsSchema
| TValidateGitLabConnectionCredentialsSchema | TValidateGitLabConnectionCredentialsSchema
| TValidateCloudflareConnectionCredentialsSchema; | TValidateCloudflareConnectionCredentialsSchema
| TValidateZabbixConnectionCredentialsSchema;
export type TListAwsConnectionKmsKeys = { export type TListAwsConnectionKmsKeys = {
connectionId: string; connectionId: string;

View File

@ -0,0 +1,4 @@
export * from "./zabbix-connection-enums";
export * from "./zabbix-connection-fns";
export * from "./zabbix-connection-schemas";
export * from "./zabbix-connection-types";

View File

@ -0,0 +1,3 @@
export enum ZabbixConnectionMethod {
ApiToken = "api-token"
}

View File

@ -0,0 +1,108 @@
import { AxiosError } from "axios";
import RE2 from "re2";
import { request } from "@app/lib/config/request";
import { BadRequestError } from "@app/lib/errors";
import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { ZabbixConnectionMethod } from "./zabbix-connection-enums";
import {
TZabbixConnection,
TZabbixConnectionConfig,
TZabbixHost,
TZabbixHostListResponse
} from "./zabbix-connection-types";
const TRAILING_SLASH_REGEX = new RE2("/+$");
export const getZabbixConnectionListItem = () => {
return {
name: "Zabbix" as const,
app: AppConnection.Zabbix as const,
methods: Object.values(ZabbixConnectionMethod) as [ZabbixConnectionMethod.ApiToken]
};
};
export const validateZabbixConnectionCredentials = async (config: TZabbixConnectionConfig) => {
const { apiToken, instanceUrl } = config.credentials;
await blockLocalAndPrivateIpAddresses(instanceUrl);
try {
const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
const payload = {
jsonrpc: "2.0",
method: "authentication.get",
params: {
output: "extend"
},
id: 1
};
const response: { data: { error?: { message: string }; result?: string } } = await request.post(apiUrl, payload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
if (response.data.error) {
throw new BadRequestError({
message: response.data.error.message
});
}
return config.credentials;
} catch (error) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to connect to Zabbix instance: ${error.message}`
});
}
throw error;
}
};
export const listZabbixHosts = async (appConnection: TZabbixConnection): Promise<TZabbixHost[]> => {
const { apiToken, instanceUrl } = appConnection.credentials;
await blockLocalAndPrivateIpAddresses(instanceUrl);
try {
const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
const payload = {
jsonrpc: "2.0",
method: "host.get",
params: {
output: ["hostid", "host"],
sortfield: "host",
sortorder: "ASC"
},
id: 1
};
const response: { data: TZabbixHostListResponse } = await request.post(apiUrl, payload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
return response.data.result
? response.data.result.map((host) => ({
hostId: host.hostid,
host: host.host
}))
: [];
} catch (error: unknown) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to validate credentials: ${error.message || "Unknown error"}`
});
}
throw new BadRequestError({
message: "Unable to validate connection: verify credentials"
});
}
};

View File

@ -0,0 +1,62 @@
import z from "zod";
import { AppConnections } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
BaseAppConnectionSchema,
GenericCreateAppConnectionFieldsSchema,
GenericUpdateAppConnectionFieldsSchema
} from "@app/services/app-connection/app-connection-schemas";
import { ZabbixConnectionMethod } from "./zabbix-connection-enums";
export const ZabbixConnectionApiTokenCredentialsSchema = z.object({
apiToken: z
.string()
.trim()
.min(1, "API Token required")
.max(1000)
.describe(AppConnections.CREDENTIALS.ZABBIX.apiToken),
instanceUrl: z.string().trim().url("Invalid Instance URL").describe(AppConnections.CREDENTIALS.ZABBIX.instanceUrl)
});
const BaseZabbixConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.Zabbix) });
export const ZabbixConnectionSchema = BaseZabbixConnectionSchema.extend({
method: z.literal(ZabbixConnectionMethod.ApiToken),
credentials: ZabbixConnectionApiTokenCredentialsSchema
});
export const SanitizedZabbixConnectionSchema = z.discriminatedUnion("method", [
BaseZabbixConnectionSchema.extend({
method: z.literal(ZabbixConnectionMethod.ApiToken),
credentials: ZabbixConnectionApiTokenCredentialsSchema.pick({ instanceUrl: true })
})
]);
export const ValidateZabbixConnectionCredentialsSchema = z.discriminatedUnion("method", [
z.object({
method: z.literal(ZabbixConnectionMethod.ApiToken).describe(AppConnections.CREATE(AppConnection.Zabbix).method),
credentials: ZabbixConnectionApiTokenCredentialsSchema.describe(
AppConnections.CREATE(AppConnection.Zabbix).credentials
)
})
]);
export const CreateZabbixConnectionSchema = ValidateZabbixConnectionCredentialsSchema.and(
GenericCreateAppConnectionFieldsSchema(AppConnection.Zabbix)
);
export const UpdateZabbixConnectionSchema = z
.object({
credentials: ZabbixConnectionApiTokenCredentialsSchema.optional().describe(
AppConnections.UPDATE(AppConnection.Zabbix).credentials
)
})
.and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Zabbix));
export const ZabbixConnectionListItemSchema = z.object({
name: z.literal("Zabbix"),
app: z.literal(AppConnection.Zabbix),
methods: z.nativeEnum(ZabbixConnectionMethod).array()
});

View File

@ -0,0 +1,30 @@
import { logger } from "@app/lib/logger";
import { OrgServiceActor } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import { listZabbixHosts } from "./zabbix-connection-fns";
import { TZabbixConnection } from "./zabbix-connection-types";
type TGetAppConnectionFunc = (
app: AppConnection,
connectionId: string,
actor: OrgServiceActor
) => Promise<TZabbixConnection>;
export const zabbixConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
const listHosts = async (connectionId: string, actor: OrgServiceActor) => {
const appConnection = await getAppConnection(AppConnection.Zabbix, connectionId, actor);
try {
const hosts = await listZabbixHosts(appConnection);
return hosts;
} catch (error) {
logger.error(error, "Failed to establish connection with zabbix");
return [];
}
};
return {
listHosts
};
};

View File

@ -0,0 +1,33 @@
import z from "zod";
import { DiscriminativePick } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import {
CreateZabbixConnectionSchema,
ValidateZabbixConnectionCredentialsSchema,
ZabbixConnectionSchema
} from "./zabbix-connection-schemas";
export type TZabbixConnection = z.infer<typeof ZabbixConnectionSchema>;
export type TZabbixConnectionInput = z.infer<typeof CreateZabbixConnectionSchema> & {
app: AppConnection.Zabbix;
};
export type TValidateZabbixConnectionCredentialsSchema = typeof ValidateZabbixConnectionCredentialsSchema;
export type TZabbixConnectionConfig = DiscriminativePick<TZabbixConnectionInput, "method" | "app" | "credentials"> & {
orgId: string;
};
export type TZabbixHost = {
hostId: string;
host: string;
};
export type TZabbixHostListResponse = {
jsonrpc: string;
result: { hostid: string; host: string }[];
error?: { message: string };
};

View File

@ -93,23 +93,25 @@ export const identityProjectServiceFactory = ({
projectId projectId
); );
const permissionBoundary = validatePrivilegeChangeOperation( if (requestedRoleChange !== ProjectMembershipRole.NoAccess) {
membership.shouldUseNewPrivilegeSystem, const permissionBoundary = validatePrivilegeChangeOperation(
ProjectPermissionIdentityActions.GrantPrivileges, membership.shouldUseNewPrivilegeSystem,
ProjectPermissionSub.Identity, ProjectPermissionIdentityActions.GrantPrivileges,
permission, ProjectPermissionSub.Identity,
rolePermission permission,
); rolePermission
if (!permissionBoundary.isValid) );
throw new PermissionBoundaryError({ if (!permissionBoundary.isValid)
message: constructPermissionErrorMessage( throw new PermissionBoundaryError({
"Failed to assign to role", message: constructPermissionErrorMessage(
membership.shouldUseNewPrivilegeSystem, "Failed to assign to role",
ProjectPermissionIdentityActions.GrantPrivileges, membership.shouldUseNewPrivilegeSystem,
ProjectPermissionSub.Identity ProjectPermissionIdentityActions.GrantPrivileges,
), ProjectPermissionSub.Identity
details: { missingPermissions: permissionBoundary.missingPermissions } ),
}); details: { missingPermissions: permissionBoundary.missingPermissions }
});
}
} }
// validate custom roles input // validate custom roles input

View File

@ -69,23 +69,25 @@ export const identityServiceFactory = ({
orgId orgId
); );
const isCustomRole = Boolean(customRole); const isCustomRole = Boolean(customRole);
const permissionBoundary = validatePrivilegeChangeOperation( if (role !== OrgMembershipRole.NoAccess) {
membership.shouldUseNewPrivilegeSystem, const permissionBoundary = validatePrivilegeChangeOperation(
OrgPermissionIdentityActions.GrantPrivileges, membership.shouldUseNewPrivilegeSystem,
OrgPermissionSubjects.Identity, OrgPermissionIdentityActions.GrantPrivileges,
permission, OrgPermissionSubjects.Identity,
rolePermission permission,
); rolePermission
if (!permissionBoundary.isValid) );
throw new PermissionBoundaryError({ if (!permissionBoundary.isValid)
message: constructPermissionErrorMessage( throw new PermissionBoundaryError({
"Failed to create identity", message: constructPermissionErrorMessage(
membership.shouldUseNewPrivilegeSystem, "Failed to create identity",
OrgPermissionIdentityActions.GrantPrivileges, membership.shouldUseNewPrivilegeSystem,
OrgPermissionSubjects.Identity OrgPermissionIdentityActions.GrantPrivileges,
), OrgPermissionSubjects.Identity
details: { missingPermissions: permissionBoundary.missingPermissions } ),
}); details: { missingPermissions: permissionBoundary.missingPermissions }
});
}
const plan = await licenseService.getPlan(orgId); const plan = await licenseService.getPlan(orgId);
@ -187,6 +189,7 @@ export const identityServiceFactory = ({
), ),
details: { missingPermissions: appliedRolePermissionBoundary.missingPermissions } details: { missingPermissions: appliedRolePermissionBoundary.missingPermissions }
}); });
if (isCustomRole) customRole = customOrgRole; if (isCustomRole) customRole = customOrgRole;
} }

View File

@ -122,8 +122,8 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
.orWhere((qb) => { .orWhere((qb) => {
// lastInvitedAt is older than 1 week ago AND createdAt is younger than 1 month ago // lastInvitedAt is older than 1 week ago AND createdAt is younger than 1 month ago
void qb void qb
.where(`${TableName.OrgMembership}.lastInvitedAt`, "<", oneMonthAgo) .where(`${TableName.OrgMembership}.lastInvitedAt`, "<", oneWeekAgo)
.where(`${TableName.OrgMembership}.createdAt`, ">", oneWeekAgo); .where(`${TableName.OrgMembership}.createdAt`, ">", oneMonthAgo);
}); });
return memberships; return memberships;
@ -135,9 +135,22 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
} }
}; };
const updateLastInvitedAtByIds = async (membershipIds: string[]) => {
try {
if (membershipIds.length === 0) return;
await db(TableName.OrgMembership).whereIn("id", membershipIds).update({ lastInvitedAt: new Date() });
} catch (error) {
throw new DatabaseError({
error,
name: "Update last invited at by ids"
});
}
};
return { return {
...orgMembershipOrm, ...orgMembershipOrm,
findOrgMembershipById, findOrgMembershipById,
findRecentInvitedMemberships findRecentInvitedMemberships,
updateLastInvitedAtByIds
}; };
}; };

View File

@ -109,7 +109,12 @@ type TOrgServiceFactoryDep = {
projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">; projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "insertMany" | "findLatestProjectKey" | "create">;
orgMembershipDAL: Pick< orgMembershipDAL: Pick<
TOrgMembershipDALFactory, TOrgMembershipDALFactory,
"findOrgMembershipById" | "findOne" | "findById" | "findRecentInvitedMemberships" | "updateById" | "findOrgMembershipById"
| "findOne"
| "findById"
| "findRecentInvitedMemberships"
| "updateById"
| "updateLastInvitedAtByIds"
>; >;
incidentContactDAL: TIncidentContactsDALFactory; incidentContactDAL: TIncidentContactsDALFactory;
samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne">; samlConfigDAL: Pick<TSamlConfigDALFactory, "findOne">;
@ -763,6 +768,10 @@ export const orgServiceFactory = ({
} }
}); });
await orgMembershipDAL.updateById(inviteeOrgMembership.id, {
lastInvitedAt: new Date()
});
return { signupToken: undefined }; return { signupToken: undefined };
}; };
@ -1433,6 +1442,7 @@ export const orgServiceFactory = ({
const appCfg = getConfig(); const appCfg = getConfig();
const orgCache: Record<string, { name: string; id: string } | undefined> = {}; const orgCache: Record<string, { name: string; id: string } | undefined> = {};
const notifiedUsers: string[] = [];
await Promise.all( await Promise.all(
invitedUsers.map(async (invitedUser) => { invitedUsers.map(async (invitedUser) => {
@ -1463,13 +1473,12 @@ export const orgServiceFactory = ({
callback_url: `${appCfg.SITE_URL}/signupinvite` callback_url: `${appCfg.SITE_URL}/signupinvite`
} }
}); });
notifiedUsers.push(invitedUser.id);
} }
await orgMembershipDAL.updateById(invitedUser.id, {
lastInvitedAt: new Date()
});
}) })
); );
await orgMembershipDAL.updateLastInvitedAtByIds(notifiedUsers);
}; };
return { return {

View File

@ -478,12 +478,25 @@ export const secretFolderServiceFactory = ({
parentId: string; parentId: string;
idOrName: string; idOrName: string;
}) => { }) => {
const targetFolder = await folderDAL.findOne({ let targetFolder = await folderDAL
envId: env.id, .findOne({
[uuidValidate(idOrName) ? "id" : "name"]: idOrName, envId: env.id,
parentId, name: idOrName,
isReserved: false parentId,
}); isReserved: false
})
.catch(() => null);
if (!targetFolder && uuidValidate(idOrName)) {
targetFolder = await folderDAL
.findOne({
envId: env.id,
id: idOrName,
parentId,
isReserved: false
})
.catch(() => null);
}
if (!targetFolder) { if (!targetFolder) {
throw new NotFoundError({ message: `Target folder not found` }); throw new NotFoundError({ message: `Target folder not found` });
@ -506,7 +519,7 @@ export const secretFolderServiceFactory = ({
} }
// Find the target folder in the folderPaths to get its full details // Find the target folder in the folderPaths to get its full details
const targetFolderWithPath = folderPaths.find((f) => f.id === targetFolder.id); const targetFolderWithPath = folderPaths.find((f) => f.id === targetFolder!.id);
if (!targetFolderWithPath) { if (!targetFolderWithPath) {
throw new NotFoundError({ message: `Target folder path not found` }); throw new NotFoundError({ message: `Target folder path not found` });
} }
@ -589,18 +602,40 @@ export const secretFolderServiceFactory = ({
await $checkFolderPolicy({ projectId, env, parentId: parentFolder.id, idOrName }); await $checkFolderPolicy({ projectId, env, parentId: parentFolder.id, idOrName });
let folderToDelete = await folderDAL
.findOne({
envId: env.id,
name: idOrName,
parentId: parentFolder.id,
isReserved: false
})
.catch(() => null);
if (!folderToDelete && uuidValidate(idOrName)) {
folderToDelete = await folderDAL
.findOne({
envId: env.id,
id: idOrName,
parentId: parentFolder.id,
isReserved: false
})
.catch(() => null);
}
if (!folderToDelete) {
throw new NotFoundError({ message: `Folder with ID '${idOrName}' not found` });
}
const [doc] = await folderDAL.delete( const [doc] = await folderDAL.delete(
{ {
envId: env.id, envId: env.id,
[uuidValidate(idOrName) ? "id" : "name"]: idOrName, id: folderToDelete.id,
parentId: parentFolder.id, parentId: parentFolder.id,
isReserved: false isReserved: false
}, },
tx tx
); );
if (!doc) throw new NotFoundError({ message: `Failed to delete folder with ID '${idOrName}', not found` });
const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx); const folderVersions = await folderVersionDAL.findLatestFolderVersions([doc.id], tx);
await folderCommitService.createCommit( await folderCommitService.createCommit(

View File

@ -20,7 +20,8 @@ export enum SecretSync {
Render = "render", Render = "render",
Flyio = "flyio", Flyio = "flyio",
GitLab = "gitlab", GitLab = "gitlab",
CloudflarePages = "cloudflare-pages" CloudflarePages = "cloudflare-pages",
Zabbix = "zabbix"
} }
export enum SecretSyncInitialSyncBehavior { export enum SecretSyncInitialSyncBehavior {

View File

@ -45,6 +45,7 @@ import { TEAMCITY_SYNC_LIST_OPTION, TeamCitySyncFns } from "./teamcity";
import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud"; import { TERRAFORM_CLOUD_SYNC_LIST_OPTION, TerraformCloudSyncFns } from "./terraform-cloud";
import { VERCEL_SYNC_LIST_OPTION, VercelSyncFns } from "./vercel"; import { VERCEL_SYNC_LIST_OPTION, VercelSyncFns } from "./vercel";
import { WINDMILL_SYNC_LIST_OPTION, WindmillSyncFns } from "./windmill"; import { WINDMILL_SYNC_LIST_OPTION, WindmillSyncFns } from "./windmill";
import { ZABBIX_SYNC_LIST_OPTION, ZabbixSyncFns } from "./zabbix";
const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = { const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
[SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION, [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@ -68,7 +69,8 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
[SecretSync.Render]: RENDER_SYNC_LIST_OPTION, [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
[SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION, [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION,
[SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION, [SecretSync.GitLab]: GITLAB_SYNC_LIST_OPTION,
[SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION [SecretSync.CloudflarePages]: CLOUDFLARE_PAGES_SYNC_LIST_OPTION,
[SecretSync.Zabbix]: ZABBIX_SYNC_LIST_OPTION
}; };
export const listSecretSyncOptions = () => { export const listSecretSyncOptions = () => {
@ -236,6 +238,8 @@ export const SecretSyncFns = {
return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService }); return GitLabSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
case SecretSync.CloudflarePages: case SecretSync.CloudflarePages:
return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap); return CloudflarePagesSyncFns.syncSecrets(secretSync, schemaSecretMap);
case SecretSync.Zabbix:
return ZabbixSyncFns.syncSecrets(secretSync, schemaSecretMap);
default: default:
throw new Error( throw new Error(
`Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}` `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@ -328,6 +332,9 @@ export const SecretSyncFns = {
case SecretSync.CloudflarePages: case SecretSync.CloudflarePages:
secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync); secretMap = await CloudflarePagesSyncFns.getSecrets(secretSync);
break; break;
case SecretSync.Zabbix:
secretMap = await ZabbixSyncFns.getSecrets(secretSync);
break;
default: default:
throw new Error( throw new Error(
`Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}` `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@ -405,6 +412,8 @@ export const SecretSyncFns = {
return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService }); return GitLabSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
case SecretSync.CloudflarePages: case SecretSync.CloudflarePages:
return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap); return CloudflarePagesSyncFns.removeSecrets(secretSync, schemaSecretMap);
case SecretSync.Zabbix:
return ZabbixSyncFns.removeSecrets(secretSync, schemaSecretMap);
default: default:
throw new Error( throw new Error(
`Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}` `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

View File

@ -23,7 +23,8 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
[SecretSync.Render]: "Render", [SecretSync.Render]: "Render",
[SecretSync.Flyio]: "Fly.io", [SecretSync.Flyio]: "Fly.io",
[SecretSync.GitLab]: "GitLab", [SecretSync.GitLab]: "GitLab",
[SecretSync.CloudflarePages]: "Cloudflare Pages" [SecretSync.CloudflarePages]: "Cloudflare Pages",
[SecretSync.Zabbix]: "Zabbix"
}; };
export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = { export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
@ -48,7 +49,8 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
[SecretSync.Render]: AppConnection.Render, [SecretSync.Render]: AppConnection.Render,
[SecretSync.Flyio]: AppConnection.Flyio, [SecretSync.Flyio]: AppConnection.Flyio,
[SecretSync.GitLab]: AppConnection.GitLab, [SecretSync.GitLab]: AppConnection.GitLab,
[SecretSync.CloudflarePages]: AppConnection.Cloudflare [SecretSync.CloudflarePages]: AppConnection.Cloudflare,
[SecretSync.Zabbix]: AppConnection.Zabbix
}; };
export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = { export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
@ -73,5 +75,6 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
[SecretSync.Render]: SecretSyncPlanType.Regular, [SecretSync.Render]: SecretSyncPlanType.Regular,
[SecretSync.Flyio]: SecretSyncPlanType.Regular, [SecretSync.Flyio]: SecretSyncPlanType.Regular,
[SecretSync.GitLab]: SecretSyncPlanType.Regular, [SecretSync.GitLab]: SecretSyncPlanType.Regular,
[SecretSync.CloudflarePages]: SecretSyncPlanType.Regular [SecretSync.CloudflarePages]: SecretSyncPlanType.Regular,
[SecretSync.Zabbix]: SecretSyncPlanType.Regular
}; };

View File

@ -113,6 +113,7 @@ import {
TTerraformCloudSyncWithCredentials TTerraformCloudSyncWithCredentials
} from "./terraform-cloud"; } from "./terraform-cloud";
import { TVercelSync, TVercelSyncInput, TVercelSyncListItem, TVercelSyncWithCredentials } from "./vercel"; import { TVercelSync, TVercelSyncInput, TVercelSyncListItem, TVercelSyncWithCredentials } from "./vercel";
import { TZabbixSync, TZabbixSyncInput, TZabbixSyncListItem, TZabbixSyncWithCredentials } from "./zabbix";
export type TSecretSync = export type TSecretSync =
| TAwsParameterStoreSync | TAwsParameterStoreSync
@ -136,7 +137,8 @@ export type TSecretSync =
| TRenderSync | TRenderSync
| TFlyioSync | TFlyioSync
| TGitLabSync | TGitLabSync
| TCloudflarePagesSync; | TCloudflarePagesSync
| TZabbixSync;
export type TSecretSyncWithCredentials = export type TSecretSyncWithCredentials =
| TAwsParameterStoreSyncWithCredentials | TAwsParameterStoreSyncWithCredentials
@ -160,7 +162,8 @@ export type TSecretSyncWithCredentials =
| TRenderSyncWithCredentials | TRenderSyncWithCredentials
| TFlyioSyncWithCredentials | TFlyioSyncWithCredentials
| TGitLabSyncWithCredentials | TGitLabSyncWithCredentials
| TCloudflarePagesSyncWithCredentials; | TCloudflarePagesSyncWithCredentials
| TZabbixSyncWithCredentials;
export type TSecretSyncInput = export type TSecretSyncInput =
| TAwsParameterStoreSyncInput | TAwsParameterStoreSyncInput
@ -184,7 +187,8 @@ export type TSecretSyncInput =
| TRenderSyncInput | TRenderSyncInput
| TFlyioSyncInput | TFlyioSyncInput
| TGitLabSyncInput | TGitLabSyncInput
| TCloudflarePagesSyncInput; | TCloudflarePagesSyncInput
| TZabbixSyncInput;
export type TSecretSyncListItem = export type TSecretSyncListItem =
| TAwsParameterStoreSyncListItem | TAwsParameterStoreSyncListItem
@ -208,7 +212,8 @@ export type TSecretSyncListItem =
| TRenderSyncListItem | TRenderSyncListItem
| TFlyioSyncListItem | TFlyioSyncListItem
| TGitLabSyncListItem | TGitLabSyncListItem
| TCloudflarePagesSyncListItem; | TCloudflarePagesSyncListItem
| TZabbixSyncListItem;
export type TSyncOptionsConfig = { export type TSyncOptionsConfig = {
canImportSecrets: boolean; canImportSecrets: boolean;

View File

@ -0,0 +1,5 @@
export * from "./zabbix-sync-constants";
export * from "./zabbix-sync-enums";
export * from "./zabbix-sync-fns";
export * from "./zabbix-sync-schemas";
export * from "./zabbix-sync-types";

View File

@ -0,0 +1,10 @@
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
export const ZABBIX_SYNC_LIST_OPTION: TSecretSyncListItem = {
name: "Zabbix",
destination: SecretSync.Zabbix,
connection: AppConnection.Zabbix,
canImportSecrets: true
};

View File

@ -0,0 +1,4 @@
export enum ZabbixSyncScope {
Global = "global",
Host = "host"
}

View File

@ -0,0 +1,285 @@
import RE2 from "re2";
import { request } from "@app/lib/config/request";
import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
import {
TZabbixSecret,
TZabbixSyncWithCredentials,
ZabbixApiResponse,
ZabbixMacroCreateResponse,
ZabbixMacroDeleteResponse
} from "@app/services/secret-sync/zabbix/zabbix-sync-types";
import { ZabbixSyncScope } from "./zabbix-sync-enums";
const TRAILING_SLASH_REGEX = new RE2("/+$");
const MACRO_START_REGEX = new RE2("^\\{\\$");
const MACRO_END_REGEX = new RE2("\\}$");
const extractMacroKey = (macro: string): string => {
return macro.replace(MACRO_START_REGEX, "").replace(MACRO_END_REGEX, "");
};
// Helper function to handle Zabbix API responses and errors
const handleZabbixResponse = <T>(response: ZabbixApiResponse<T>): T => {
if (response.data.error) {
const errorMessage = response.data.error.data
? `${response.data.error.message}: ${response.data.error.data}`
: response.data.error.message;
throw new SecretSyncError({
error: new Error(`Zabbix API Error (${response.data.error.code}): ${errorMessage}`)
});
}
if (response.data.result === undefined) {
throw new SecretSyncError({
error: new Error("Zabbix API returned no result")
});
}
return response.data.result;
};
const listZabbixSecrets = async (apiToken: string, instanceUrl: string, hostId?: string): Promise<TZabbixSecret[]> => {
const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
// - jsonrpc: Specifies the JSON-RPC protocol version.
// - method: The API method to call, in this case "usermacro.get" for retrieving user macros.
// - id: A unique identifier for the request. Required by JSON-RPC but not used by the API for logic. Typically set to any integer.
const payload = {
jsonrpc: "2.0" as const,
method: "usermacro.get",
params: hostId ? { output: "extend", hostids: hostId } : { output: "extend", globalmacro: true },
id: 1
};
try {
const response: ZabbixApiResponse<TZabbixSecret[]> = await request.post(apiUrl, payload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
return handleZabbixResponse(response) || [];
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to list Zabbix secrets")
});
}
};
const putZabbixSecrets = async (
apiToken: string,
instanceUrl: string,
secretMap: TSecretMap,
destinationConfig: TZabbixSyncWithCredentials["destinationConfig"],
existingSecrets: TZabbixSecret[]
): Promise<void> => {
const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
const existingMacroMap = new Map(existingSecrets.map((secret) => [secret.macro, secret]));
for (const [key, secret] of Object.entries(secretMap)) {
const macroKey = `{$${key.toUpperCase()}}`;
const existingMacro = existingMacroMap.get(macroKey);
try {
if (existingMacro) {
// Update existing macro
const updatePayload = {
jsonrpc: "2.0" as const,
method: hostId ? "usermacro.update" : "usermacro.updateglobal",
params: {
[hostId ? "hostmacroid" : "globalmacroid"]: existingMacro[hostId ? "hostmacroid" : "globalmacroid"],
value: secret.value,
type: destinationConfig.macroType,
description: secret.comment
},
id: 1
};
// eslint-disable-next-line no-await-in-loop
const response: ZabbixApiResponse<ZabbixMacroCreateResponse> = await request.post(apiUrl, updatePayload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
handleZabbixResponse(response);
} else {
// Create new macro
const createPayload = {
jsonrpc: "2.0" as const,
method: hostId ? "usermacro.create" : "usermacro.createglobal",
params: hostId
? {
hostid: hostId,
macro: macroKey,
value: secret.value,
type: destinationConfig.macroType,
description: secret.comment
}
: {
macro: macroKey,
value: secret.value,
type: destinationConfig.macroType,
description: secret.comment
},
id: 1
};
// eslint-disable-next-line no-await-in-loop
const response: ZabbixApiResponse<ZabbixMacroCreateResponse> = await request.post(apiUrl, createPayload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
handleZabbixResponse(response);
}
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error(`Failed to sync secret ${key}`)
});
}
}
};
const deleteZabbixSecrets = async (
apiToken: string,
instanceUrl: string,
keys: string[],
hostId?: string
): Promise<void> => {
if (keys.length === 0) return;
const apiUrl = `${instanceUrl.replace(TRAILING_SLASH_REGEX, "")}/api_jsonrpc.php`;
try {
// Get existing macros to find their IDs
const existingSecrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
const macroIds = existingSecrets
.filter((secret) => keys.includes(secret.macro))
.map((secret) => secret[hostId ? "hostmacroid" : "globalmacroid"])
.filter(Boolean);
if (macroIds.length === 0) return;
const payload = {
jsonrpc: "2.0" as const,
method: hostId ? "usermacro.delete" : "usermacro.deleteglobal",
params: macroIds,
id: 1
};
const response: ZabbixApiResponse<ZabbixMacroDeleteResponse> = await request.post(apiUrl, payload, {
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${apiToken}`
}
});
handleZabbixResponse(response);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to delete Zabbix secrets")
});
}
};
export const ZabbixSyncFns = {
syncSecrets: async (secretSync: TZabbixSyncWithCredentials, secretMap: TSecretMap) => {
const { connection, environment, destinationConfig } = secretSync;
const { apiToken, instanceUrl } = connection.credentials;
await blockLocalAndPrivateIpAddresses(instanceUrl);
const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
let secrets: TZabbixSecret[] = [];
try {
secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to list Zabbix secrets")
});
}
try {
await putZabbixSecrets(apiToken, instanceUrl, secretMap, destinationConfig, secrets);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to sync secrets")
});
}
if (secretSync.syncOptions.disableSecretDeletion) return;
try {
const shapedSecretMapKeys = Object.keys(secretMap).map((key) => key.toUpperCase());
const keys = secrets
.filter(
(secret) =>
matchesSchema(secret.macro, environment?.slug || "", secretSync.syncOptions.keySchema) &&
!shapedSecretMapKeys.includes(extractMacroKey(secret.macro))
)
.map((secret) => secret.macro);
await deleteZabbixSecrets(apiToken, instanceUrl, keys, hostId);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to delete orphaned secrets")
});
}
},
removeSecrets: async (secretSync: TZabbixSyncWithCredentials, secretMap: TSecretMap) => {
const { connection, destinationConfig } = secretSync;
const { apiToken, instanceUrl } = connection.credentials;
await blockLocalAndPrivateIpAddresses(instanceUrl);
const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
try {
const secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
const shapedSecretMapKeys = Object.keys(secretMap).map((key) => key.toUpperCase());
const keys = secrets
.filter((secret) => shapedSecretMapKeys.includes(extractMacroKey(secret.macro)))
.map((secret) => secret.macro);
await deleteZabbixSecrets(apiToken, instanceUrl, keys, hostId);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to remove secrets")
});
}
},
getSecrets: async (secretSync: TZabbixSyncWithCredentials) => {
const { connection, destinationConfig } = secretSync;
const { apiToken, instanceUrl } = connection.credentials;
await blockLocalAndPrivateIpAddresses(instanceUrl);
const hostId = destinationConfig.scope === ZabbixSyncScope.Host ? destinationConfig.hostId : undefined;
try {
const secrets = await listZabbixSecrets(apiToken, instanceUrl, hostId);
return Object.fromEntries(
secrets.map((secret) => [
extractMacroKey(secret.macro),
{ value: secret.value ?? "", comment: secret.description }
])
);
} catch (error) {
throw new SecretSyncError({
error: error instanceof Error ? error : new Error("Failed to get secrets")
});
}
}
};

View File

@ -0,0 +1,67 @@
import { z } from "zod";
import { SecretSyncs } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import {
BaseSecretSyncSchema,
GenericCreateSecretSyncFieldsSchema,
GenericUpdateSecretSyncFieldsSchema
} from "@app/services/secret-sync/secret-sync-schemas";
import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
import { ZabbixSyncScope } from "./zabbix-sync-enums";
const ZabbixSyncDestinationConfigSchema = z.discriminatedUnion("scope", [
z.object({
scope: z.literal(ZabbixSyncScope.Host).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.scope),
hostId: z.string().trim().min(1, "Host required").max(255).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.hostId),
hostName: z
.string()
.trim()
.min(1, "Host name required")
.max(255)
.describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.hostName),
macroType: z
.number()
.min(0, "Macro type required")
.max(1, "Macro type required")
.describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.macroType)
}),
z.object({
scope: z.literal(ZabbixSyncScope.Global).describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.scope),
macroType: z
.number()
.min(0, "Macro type required")
.max(1, "Macro type required")
.describe(SecretSyncs.DESTINATION_CONFIG.ZABBIX.macroType)
})
]);
const ZabbixSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
export const ZabbixSyncSchema = BaseSecretSyncSchema(SecretSync.Zabbix, ZabbixSyncOptionsConfig).extend({
destination: z.literal(SecretSync.Zabbix),
destinationConfig: ZabbixSyncDestinationConfigSchema
});
export const CreateZabbixSyncSchema = GenericCreateSecretSyncFieldsSchema(
SecretSync.Zabbix,
ZabbixSyncOptionsConfig
).extend({
destinationConfig: ZabbixSyncDestinationConfigSchema
});
export const UpdateZabbixSyncSchema = GenericUpdateSecretSyncFieldsSchema(
SecretSync.Zabbix,
ZabbixSyncOptionsConfig
).extend({
destinationConfig: ZabbixSyncDestinationConfigSchema.optional()
});
export const ZabbixSyncListItemSchema = z.object({
name: z.literal("Zabbix"),
connection: z.literal(AppConnection.Zabbix),
destination: z.literal(SecretSync.Zabbix),
canImportSecrets: z.literal(true)
});

View File

@ -0,0 +1,75 @@
import { z } from "zod";
import { TZabbixConnection } from "@app/services/app-connection/zabbix";
import { CreateZabbixSyncSchema, ZabbixSyncListItemSchema, ZabbixSyncSchema } from "./zabbix-sync-schemas";
export type TZabbixSync = z.infer<typeof ZabbixSyncSchema>;
export type TZabbixSyncInput = z.infer<typeof CreateZabbixSyncSchema>;
export type TZabbixSyncListItem = z.infer<typeof ZabbixSyncListItemSchema>;
export type TZabbixSyncWithCredentials = TZabbixSync & {
connection: TZabbixConnection;
};
export type TZabbixSecret = {
macro: string;
value: string;
description?: string;
globalmacroid?: string;
hostmacroid?: string;
hostid?: string;
type: number;
automatic?: string;
};
export interface ZabbixApiResponse<T = unknown> {
data: {
jsonrpc: "2.0";
result?: T;
error?: {
code: number;
message: string;
data?: string;
};
id: number;
};
}
export interface ZabbixMacroCreateResponse {
hostmacroids?: string[];
globalmacroids?: string[];
}
export interface ZabbixMacroUpdateResponse {
hostmacroids?: string[];
globalmacroids?: string[];
}
export interface ZabbixMacroDeleteResponse {
hostmacroids?: string[];
globalmacroids?: string[];
}
export enum ZabbixMacroType {
TEXT = 0,
SECRET = 1
}
export interface ZabbixMacroInput {
hostid?: string;
macro: string;
value: string;
description?: string;
type?: ZabbixMacroType;
automatic?: "0" | "1";
}
export interface ZabbixMacroUpdate {
hostmacroid?: string;
globalmacroid?: string;
value?: string;
description?: string;
type?: ZabbixMacroType;
automatic?: "0" | "1";
}

View File

@ -5,7 +5,13 @@ import jwt from "jsonwebtoken";
import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas"; import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service"; import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore"; import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
import { getConfig } from "@app/lib/config/env"; import {
getConfig,
getOriginalConfig,
overrideEnvConfig,
overwriteSchema,
validateOverrides
} from "@app/lib/config/env";
import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption"; import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp"; import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
import { BadRequestError, NotFoundError } from "@app/lib/errors"; import { BadRequestError, NotFoundError } from "@app/lib/errors";
@ -33,6 +39,7 @@ import { TInvalidateCacheQueueFactory } from "./invalidate-cache-queue";
import { TSuperAdminDALFactory } from "./super-admin-dal"; import { TSuperAdminDALFactory } from "./super-admin-dal";
import { import {
CacheType, CacheType,
EnvOverrides,
LoginMethod, LoginMethod,
TAdminBootstrapInstanceDTO, TAdminBootstrapInstanceDTO,
TAdminGetIdentitiesDTO, TAdminGetIdentitiesDTO,
@ -234,6 +241,45 @@ export const superAdminServiceFactory = ({
adminIntegrationsConfig = config; adminIntegrationsConfig = config;
}; };
const getEnvOverrides = async () => {
const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
if (!serverCfg || !serverCfg.encryptedEnvOverrides) {
return {};
}
const decrypt = kmsService.decryptWithRootKey();
const overrides = JSON.parse(decrypt(serverCfg.encryptedEnvOverrides).toString()) as Record<string, string>;
return overrides;
};
const getEnvOverridesOrganized = async (): Promise<EnvOverrides> => {
const overrides = await getEnvOverrides();
const ogConfig = getOriginalConfig();
return Object.fromEntries(
Object.entries(overwriteSchema).map(([groupKey, groupDef]) => [
groupKey,
{
name: groupDef.name,
fields: groupDef.fields.map(({ key, description }) => ({
key,
description,
value: overrides[key] || "",
hasEnvEntry: !!(ogConfig as unknown as Record<string, string | undefined>)[key]
}))
}
])
);
};
const $syncEnvConfig = async () => {
const config = await getEnvOverrides();
overrideEnvConfig(config);
};
const updateServerCfg = async ( const updateServerCfg = async (
data: TSuperAdminUpdate & { data: TSuperAdminUpdate & {
slackClientId?: string; slackClientId?: string;
@ -246,6 +292,7 @@ export const superAdminServiceFactory = ({
gitHubAppConnectionSlug?: string; gitHubAppConnectionSlug?: string;
gitHubAppConnectionId?: string; gitHubAppConnectionId?: string;
gitHubAppConnectionPrivateKey?: string; gitHubAppConnectionPrivateKey?: string;
envOverrides?: Record<string, string>;
}, },
userId: string userId: string
) => { ) => {
@ -374,6 +421,17 @@ export const superAdminServiceFactory = ({
gitHubAppConnectionSettingsUpdated = true; gitHubAppConnectionSettingsUpdated = true;
} }
let envOverridesUpdated = false;
if (data.envOverrides !== undefined) {
// Verify input format
validateOverrides(data.envOverrides);
const encryptedEnvOverrides = encryptWithRoot(Buffer.from(JSON.stringify(data.envOverrides)));
updatedData.encryptedEnvOverrides = encryptedEnvOverrides;
updatedData.envOverrides = undefined;
envOverridesUpdated = true;
}
const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, updatedData); const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, updatedData);
await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg)); await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
@ -382,6 +440,10 @@ export const superAdminServiceFactory = ({
await $syncAdminIntegrationConfig(); await $syncAdminIntegrationConfig();
} }
if (envOverridesUpdated) {
await $syncEnvConfig();
}
if ( if (
updatedServerCfg.encryptedMicrosoftTeamsAppId && updatedServerCfg.encryptedMicrosoftTeamsAppId &&
updatedServerCfg.encryptedMicrosoftTeamsClientSecret && updatedServerCfg.encryptedMicrosoftTeamsClientSecret &&
@ -814,6 +876,18 @@ export const superAdminServiceFactory = ({
return job; return job;
}; };
const initializeEnvConfigSync = async () => {
logger.info("Setting up background sync process for environment overrides");
await $syncEnvConfig();
// sync every 5 minutes
const job = new CronJob("*/5 * * * *", $syncEnvConfig);
job.start();
return job;
};
return { return {
initServerCfg, initServerCfg,
updateServerCfg, updateServerCfg,
@ -833,6 +907,9 @@ export const superAdminServiceFactory = ({
getOrganizations, getOrganizations,
deleteOrganization, deleteOrganization,
deleteOrganizationMembership, deleteOrganizationMembership,
initializeAdminIntegrationConfigSync initializeAdminIntegrationConfigSync,
initializeEnvConfigSync,
getEnvOverrides,
getEnvOverridesOrganized
}; };
}; };

View File

@ -1,3 +1,5 @@
import { TEnvConfig } from "@app/lib/config/env";
export type TAdminSignUpDTO = { export type TAdminSignUpDTO = {
email: string; email: string;
password: string; password: string;
@ -74,3 +76,10 @@ export type TAdminIntegrationConfig = {
privateKey: string; privateKey: string;
}; };
}; };
export interface EnvOverrides {
[key: string]: {
name: string;
fields: { key: keyof TEnvConfig; value: string; hasEnvEntry: boolean; description?: string }[];
};
}

View File

@ -71,6 +71,15 @@ export const telemetryQueueServiceFactory = ({
QueueName.TelemetryInstanceStats // just a job id QueueName.TelemetryInstanceStats // just a job id
); );
if (postHog) {
await queueService.queue(QueueName.TelemetryInstanceStats, QueueJobs.TelemetryInstanceStats, undefined, {
jobId: QueueName.TelemetryInstanceStats,
repeat: { pattern: "0 0 * * *", utc: true }
});
}
};
const startAggregatedEventsJob = async () => {
// clear previous aggregated events job // clear previous aggregated events job
await queueService.stopRepeatableJob( await queueService.stopRepeatableJob(
QueueName.TelemetryAggregatedEvents, QueueName.TelemetryAggregatedEvents,
@ -80,11 +89,6 @@ export const telemetryQueueServiceFactory = ({
); );
if (postHog) { if (postHog) {
await queueService.queue(QueueName.TelemetryInstanceStats, QueueJobs.TelemetryInstanceStats, undefined, {
jobId: QueueName.TelemetryInstanceStats,
repeat: { pattern: "0 0 * * *", utc: true }
});
// Start aggregated events job (runs every five minutes) // Start aggregated events job (runs every five minutes)
await queueService.queue(QueueName.TelemetryAggregatedEvents, QueueJobs.TelemetryAggregatedEvents, undefined, { await queueService.queue(QueueName.TelemetryAggregatedEvents, QueueJobs.TelemetryAggregatedEvents, undefined, {
jobId: QueueName.TelemetryAggregatedEvents, jobId: QueueName.TelemetryAggregatedEvents,
@ -102,6 +106,7 @@ export const telemetryQueueServiceFactory = ({
}); });
return { return {
startTelemetryCheck startTelemetryCheck,
startAggregatedEventsJob
}; };
}; };

View File

@ -14,7 +14,7 @@ export const TELEMETRY_SECRET_PROCESSED_KEY = "telemetry-secret-processed";
export const TELEMETRY_SECRET_OPERATIONS_KEY = "telemetry-secret-operations"; export const TELEMETRY_SECRET_OPERATIONS_KEY = "telemetry-secret-operations";
export const POSTHOG_AGGREGATED_EVENTS = [PostHogEventTypes.SecretPulled]; export const POSTHOG_AGGREGATED_EVENTS = [PostHogEventTypes.SecretPulled];
const TELEMETRY_AGGREGATED_KEY_EXP = 900; // 15mins const TELEMETRY_AGGREGATED_KEY_EXP = 600; // 10mins
// Bucket configuration // Bucket configuration
const TELEMETRY_BUCKET_COUNT = 30; const TELEMETRY_BUCKET_COUNT = 30;
@ -102,13 +102,6 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
const instanceType = licenseService.getInstanceType(); const instanceType = licenseService.getInstanceType();
// capture posthog only when its cloud or signup event happens in self-hosted // capture posthog only when its cloud or signup event happens in self-hosted
if (instanceType === InstanceType.Cloud || event.event === PostHogEventTypes.UserSignedUp) { if (instanceType === InstanceType.Cloud || event.event === PostHogEventTypes.UserSignedUp) {
if (event.organizationId) {
try {
postHog.groupIdentify({ groupType: "organization", groupKey: event.organizationId });
} catch (error) {
logger.error(error, "Failed to identify PostHog organization");
}
}
if (POSTHOG_AGGREGATED_EVENTS.includes(event.event)) { if (POSTHOG_AGGREGATED_EVENTS.includes(event.event)) {
const eventKey = createTelemetryEventKey(event.event, event.distinctId); const eventKey = createTelemetryEventKey(event.event, event.distinctId);
await keyStore.setItemWithExpiry( await keyStore.setItemWithExpiry(
@ -122,6 +115,13 @@ To opt into telemetry, you can set "TELEMETRY_ENABLED=true" within the environme
}) })
); );
} else { } else {
if (event.organizationId) {
try {
postHog.groupIdentify({ groupType: "organization", groupKey: event.organizationId });
} catch (error) {
logger.error(error, "Failed to identify PostHog organization");
}
}
postHog.capture({ postHog.capture({
event: event.event, event: event.event,
distinctId: event.distinctId, distinctId: event.distinctId,

View File

@ -35,6 +35,7 @@ const (
GitHubPlatform GitHubPlatform
GitLabPlatform GitLabPlatform
AzureDevOpsPlatform AzureDevOpsPlatform
BitBucketPlatform
// TODO: Add others. // TODO: Add others.
) )
@ -45,6 +46,7 @@ func (p Platform) String() string {
"github", "github",
"gitlab", "gitlab",
"azuredevops", "azuredevops",
"bitbucket",
}[p] }[p]
} }
@ -60,6 +62,8 @@ func PlatformFromString(s string) (Platform, error) {
return GitLabPlatform, nil return GitLabPlatform, nil
case "azuredevops": case "azuredevops":
return AzureDevOpsPlatform, nil return AzureDevOpsPlatform, nil
case "bitbucket":
return BitBucketPlatform, nil
default: default:
return UnknownPlatform, fmt.Errorf("invalid scm platform value: %s", s) return UnknownPlatform, fmt.Errorf("invalid scm platform value: %s", s)
} }

View File

@ -208,6 +208,8 @@ func platformFromHost(u *url.URL) scm.Platform {
return scm.GitLabPlatform return scm.GitLabPlatform
case "dev.azure.com", "visualstudio.com": case "dev.azure.com", "visualstudio.com":
return scm.AzureDevOpsPlatform return scm.AzureDevOpsPlatform
case "bitbucket.org":
return scm.BitBucketPlatform
default: default:
return scm.UnknownPlatform return scm.UnknownPlatform
} }

View File

@ -112,6 +112,15 @@ func createScmLink(scmPlatform scm.Platform, remoteUrl string, finding report.Fi
// This is a bit dirty, but Azure DevOps does not highlight the line when the lineStartColumn and lineEndColumn are not provided // This is a bit dirty, but Azure DevOps does not highlight the line when the lineStartColumn and lineEndColumn are not provided
link += "&lineStartColumn=1&lineEndColumn=10000000&type=2&lineStyle=plain&_a=files" link += "&lineStartColumn=1&lineEndColumn=10000000&type=2&lineStyle=plain&_a=files"
return link return link
case scm.BitBucketPlatform:
link := fmt.Sprintf("%s/src/%s/%s", remoteUrl, finding.Commit, filePath)
if finding.StartLine != 0 {
link += fmt.Sprintf("#lines-%d", finding.StartLine)
}
if finding.EndLine != finding.StartLine {
link += fmt.Sprintf(":%d", finding.EndLine)
}
return link
default: default:
// This should never happen. // This should never happen.
return "" return ""

View File

@ -337,9 +337,7 @@ var scanCmd = &cobra.Command{
if gitCmd, err = sources.NewGitLogCmd(source, logOpts); err != nil { if gitCmd, err = sources.NewGitLogCmd(source, logOpts); err != nil {
logging.Fatal().Err(err).Msg("could not create Git cmd") logging.Fatal().Err(err).Msg("could not create Git cmd")
} }
if scmPlatform, err = scm.PlatformFromString("github"); err != nil { scmPlatform = scm.UnknownPlatform
logging.Fatal().Err(err).Send()
}
remote = detect.NewRemoteInfo(scmPlatform, source) remote = detect.NewRemoteInfo(scmPlatform, source)
if findings, err = detector.DetectGit(gitCmd, remote); err != nil { if findings, err = detector.DetectGit(gitCmd, remote); err != nil {

View File

@ -0,0 +1,4 @@
---
title: "Available"
openapi: "GET /api/v1/app-connections/zabbix/available"
---

View File

@ -0,0 +1,8 @@
---
title: "Create"
openapi: "POST /api/v1/app-connections/zabbix"
---
<Note>
Check out the configuration docs for [Zabbix Connections](/integrations/app-connections/zabbix) to learn how to obtain the required credentials.
</Note>

View File

@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/app-connections/zabbix/{connectionId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/app-connections/zabbix/{connectionId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/app-connections/zabbix/connection-name/{connectionName}"
---

View File

@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/app-connections/zabbix"
---

View File

@ -0,0 +1,8 @@
---
title: "Update"
openapi: "PATCH /api/v1/app-connections/zabbix/{connectionId}"
---
<Note>
Check out the configuration docs for [Zabbix Connections](/integrations/app-connections/zabbix) to learn how to obtain the required credentials.
</Note>

View File

@ -0,0 +1,4 @@
---
title: "Create LDAP SSO Config"
openapi: "POST /api/v1/ldap/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Get LDAP SSO Config"
openapi: "GET /api/v1/ldap/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Update LDAP SSO Config"
openapi: "PATCH /api/v1/ldap/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Create OIDC Config"
openapi: "POST /api/v1/sso/oidc/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Get OIDC Config"
openapi: "GET /api/v1/sso/oidc/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Update OIDC Config"
openapi: "PATCH /api/v1/sso/oidc/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Create SAML SSO Config"
openapi: "POST /api/v1/sso/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Get SAML SSO Config"
openapi: "GET /api/v1/sso/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Update SAML SSO Config"
openapi: "PATCH /api/v1/sso/config"
---

View File

@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v1/secret-syncs/zabbix"
---

View File

@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/secret-syncs/zabbix/{syncId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/secret-syncs/zabbix/{syncId}"
---

View File

@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/secret-syncs/zabbix/sync-name/{syncName}"
---

View File

@ -0,0 +1,4 @@
---
title: "Import Secrets"
openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/import-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/secret-syncs/zabbix"
---

View File

@ -0,0 +1,4 @@
---
title: "Remove Secrets"
openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/remove-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "Sync Secrets"
openapi: "POST /api/v1/secret-syncs/zabbix/{syncId}/sync-secrets"
---

View File

@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v1/secret-syncs/zabbix/{syncId}"
---

View File

@ -490,7 +490,8 @@
"integrations/app-connections/teamcity", "integrations/app-connections/teamcity",
"integrations/app-connections/terraform-cloud", "integrations/app-connections/terraform-cloud",
"integrations/app-connections/vercel", "integrations/app-connections/vercel",
"integrations/app-connections/windmill" "integrations/app-connections/windmill",
"integrations/app-connections/zabbix"
] ]
} }
] ]
@ -523,7 +524,8 @@
"integrations/secret-syncs/teamcity", "integrations/secret-syncs/teamcity",
"integrations/secret-syncs/terraform-cloud", "integrations/secret-syncs/terraform-cloud",
"integrations/secret-syncs/vercel", "integrations/secret-syncs/vercel",
"integrations/secret-syncs/windmill" "integrations/secret-syncs/windmill",
"integrations/secret-syncs/zabbix"
] ]
} }
] ]
@ -849,6 +851,30 @@
{ {
"group": "Organizations", "group": "Organizations",
"pages": [ "pages": [
{
"group": "OIDC SSO",
"pages": [
"api-reference/endpoints/organizations/oidc-sso/get-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/update-oidc-config",
"api-reference/endpoints/organizations/oidc-sso/create-oidc-config"
]
},
{
"group": "LDAP SSO",
"pages": [
"api-reference/endpoints/organizations/ldap-sso/get-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/update-ldap-config",
"api-reference/endpoints/organizations/ldap-sso/create-ldap-config"
]
},
{
"group": "SAML SSO",
"pages": [
"api-reference/endpoints/organizations/saml-sso/get-saml-config",
"api-reference/endpoints/organizations/saml-sso/update-saml-config",
"api-reference/endpoints/organizations/saml-sso/create-saml-config"
]
},
"api-reference/endpoints/organizations/memberships", "api-reference/endpoints/organizations/memberships",
"api-reference/endpoints/organizations/update-membership", "api-reference/endpoints/organizations/update-membership",
"api-reference/endpoints/organizations/delete-membership", "api-reference/endpoints/organizations/delete-membership",
@ -1521,6 +1547,18 @@
"api-reference/endpoints/app-connections/windmill/update", "api-reference/endpoints/app-connections/windmill/update",
"api-reference/endpoints/app-connections/windmill/delete" "api-reference/endpoints/app-connections/windmill/delete"
] ]
},
{
"group": "Zabbix",
"pages": [
"api-reference/endpoints/app-connections/zabbix/list",
"api-reference/endpoints/app-connections/zabbix/available",
"api-reference/endpoints/app-connections/zabbix/get-by-id",
"api-reference/endpoints/app-connections/zabbix/get-by-name",
"api-reference/endpoints/app-connections/zabbix/create",
"api-reference/endpoints/app-connections/zabbix/update",
"api-reference/endpoints/app-connections/zabbix/delete"
]
} }
] ]
}, },
@ -1827,6 +1865,20 @@
"api-reference/endpoints/secret-syncs/windmill/import-secrets", "api-reference/endpoints/secret-syncs/windmill/import-secrets",
"api-reference/endpoints/secret-syncs/windmill/remove-secrets" "api-reference/endpoints/secret-syncs/windmill/remove-secrets"
] ]
},
{
"group": "Zabbix",
"pages": [
"api-reference/endpoints/secret-syncs/zabbix/list",
"api-reference/endpoints/secret-syncs/zabbix/get-by-id",
"api-reference/endpoints/secret-syncs/zabbix/get-by-name",
"api-reference/endpoints/secret-syncs/zabbix/create",
"api-reference/endpoints/secret-syncs/zabbix/update",
"api-reference/endpoints/secret-syncs/zabbix/delete",
"api-reference/endpoints/secret-syncs/zabbix/sync-secrets",
"api-reference/endpoints/secret-syncs/zabbix/import-secrets",
"api-reference/endpoints/secret-syncs/zabbix/remove-secrets"
]
} }
] ]
}, },

Binary file not shown.

After

Width:  |  Height:  |  Size: 339 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 348 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 316 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 577 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 938 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 627 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.4 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 591 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 558 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 547 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 592 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 589 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 551 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 958 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 868 KiB

View File

@ -0,0 +1,101 @@
---
title: "Zabbix Connection"
description: "Learn how to configure a Zabbix Connection for Infisical."
---
Infisical supports the use of [API Tokens](https://www.zabbix.com/documentation/current/en/manual/web_interface/frontend_sections/users/api_tokens) to connect with Zabbix.
## Create Zabbix API Token
<Steps>
<Step title="Navigate to 'API Tokens'">
![Dashboard Page](/images/app-connections/zabbix/zabbix-dashboard.png)
</Step>
<Step title="Click 'Create API Token'">
![Click Create Token](/images/app-connections/zabbix/zabbix-api-token-list.png)
</Step>
<Step title="Provide Token Information">
Ensure that you give this token access to the correct app, then click 'Create Token'.
![Create Token Page](/images/app-connections/zabbix/zabbix-api-token-form.png)
</Step>
<Step title="Save Token">
After clicking 'Create Token', a modal containing your access token will appear. Save this token for later steps.
![Copy Token Modal](/images/app-connections/zabbix/zabbix-api-token-generated.png)
</Step>
</Steps>
## Create Zabbix Connection in Infisical
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Navigate to App Connections">
In your Infisical dashboard, go to **Organization Settings** and select the [**App Connections**](https://app.infisical.com/organization/app-connections) tab.
![App Connections Tab](/images/app-connections/general/add-connection.png)
</Step>
<Step title="Select Zabbix Connection">
Click the **+ Add Connection** button and select the **Zabbix Connection** option from the available integrations.
![Select Zabbix Connection](/images/app-connections/zabbix/zabbix-app-connection-option.png)
</Step>
<Step title="Fill out the Zabbix Connection Modal">
Complete the Zabbix Connection form by entering:
- A descriptive name for the connection
- An optional description for future reference
- The Zabbix URL for your instance
- The API Token from earlier steps
![Zabbix Connection Modal](/images/app-connections/zabbix/zabbix-app-connection-form.png)
</Step>
<Step title="Connection Created">
After clicking Create, your **Zabbix Connection** is established and ready to use with your Infisical projects.
![Zabbix Connection Created](/images/app-connections/zabbix/zabbix-app-connection-generated.png)
</Step>
</Steps>
</Tab>
<Tab title="API">
To create a Zabbix Connection, make an API request to the [Create Zabbix Connection](/api-reference/endpoints/app-connections/zabbix/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/app-connections/zabbix \
--header 'Content-Type: application/json' \
--data '{
"name": "my-zabbix-connection",
"method": "api-token",
"credentials": {
"apiToken": "[API TOKEN]",
"instanceUrl": "https://zabbix.example.com"
}
}'
```
### Sample response
```bash Response
{
"appConnection": {
"id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
"name": "my-zabbix-connection",
"description": null,
"version": 1,
"orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
"createdAt": "2025-04-23T19:46:34.831Z",
"updatedAt": "2025-04-23T19:46:34.831Z",
"isPlatformManagedCredentials": false,
"credentialsHash": "7c2d371dec195f82a6a0d5b41c970a229cfcaf88e894a5b6395e2dbd0280661f",
"app": "zabbix",
"method": "api-token",
"credentials": {
"instanceUrl": "https://zabbix.example.com"
}
}
}
```
</Tab>
</Tabs>

View File

@ -0,0 +1,173 @@
---
title: "Zabbix Sync"
description: "Learn how to configure a Zabbix Sync for Infisical."
---
**Prerequisites:**
- Create a [Zabbix Connection](/integrations/app-connections/zabbix)
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Add Sync">
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
</Step>
<Step title="Select 'Zabbix'">
![Select Zabbix](/images/secret-syncs/zabbix/select-option.png)
</Step>
<Step title="Configure source">
Configure the **Source** from where secrets should be retrieved, then click **Next**.
![Configure Source](/images/secret-syncs/zabbix/configure-source.png)
- **Environment**: The project environment to retrieve secrets from.
- **Secret Path**: The folder path to retrieve secrets from.
<Tip>
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
</Tip>
</Step>
<Step title="Configure destination">
Configure the **Destination** to where secrets should be deployed, then click **Next**.
![Configure Destination](/images/secret-syncs/zabbix/configure-destination.png)
- **Zabbix Connection**: The Zabbix Connection to authenticate with.
- **Scope**: The Zabbix scope to sync secrets to.
- **Global**: Secrets will be synced globally.
- **Host**: Secrets will be synced to the specified host.
- **Macro Type**: The type of macro to use when syncing secrets to Zabbix. Currently only **Text** and **Secret** macros are supported.
The remaining fields are determined by the selected **Scope**:
<AccordionGroup>
<Accordion title="Host">
- **Host**: The host to sync secrets to.
</Accordion>
</AccordionGroup>
</Step>
<Step title="Configure Sync Options">
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
![Configure Options](/images/secret-syncs/zabbix/configure-sync-options.png)
- **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
- **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
- **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Zabbix when keys conflict.
- **Import Secrets (Prioritize Zabbix)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Zabbix over Infisical when keys conflict.
- **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
<Note>
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
</Note>
- **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
- **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
</Step>
<Step title="Configure details">
Configure the **Details** of your Zabbix Sync, then click **Next**.
![Configure Details](/images/secret-syncs/zabbix/configure-details.png)
- **Name**: The name of your sync. Must be slug-friendly.
- **Description**: An optional description for your sync.
</Step>
<Step title="Review configuration">
Review your Zabbix Sync configuration, then click **Create Sync**.
![Review Configuration](/images/secret-syncs/zabbix/review-configuration.png)
</Step>
<Step title="Sync created">
If enabled, your Zabbix Sync will begin syncing your secrets to the destination endpoint.
![Sync Created](/images/secret-syncs/zabbix/sync-created.png)
</Step>
</Steps>
</Tab>
<Tab title="API">
To create a **Zabbix Sync**, make an API request to the [Create Zabbix Sync](/api-reference/endpoints/secret-syncs/zabbix/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/zabbix \
--header 'Content-Type: application/json' \
--data '{
"name": "my-zabbix-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"scope": "host",
"hostId": "my-zabbix-host",
"hostName": "my-zabbix-host",
"macroType": 0
}
}'
```
### Sample response
```bash Response
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-zabbix-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "zabbix",
"name": "my-zabbix-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "zabbix",
"destinationConfig": {
"scope": "host",
"hostId": "my-zabbix-host",
"hostName": "my-zabbix-host",
"macroType": 0
}
}
}
```
</Tab>
</Tabs>

View File

@ -794,3 +794,9 @@ If export type is set to `otlp`, you will have to configure a value for `OTEL_EX
The TLS header used to propagate the client certificate from the load balancer The TLS header used to propagate the client certificate from the load balancer
to the server. to the server.
</ParamField> </ParamField>
## Environment Variable Overrides
If you can't directly access and modify environment variables, you can update them using the [Server Admin Console](/documentation/platform/admin-panel/server-admin).
![Environment Variables Overrides Page](../../images/self-hosting/configuration/overrides/page.png)

Some files were not shown because too many files have changed in this diff Show More