synced/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2025-03-27 09:40:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

...

381 Commits
infisical- ... maidul98-p

Author SHA1 Message Date
Maidul Islam
1d8f66aac1 Update Chart.yaml 2024-02-27 01:23:46 -05:00
Maidul Islam
7a4e8b8c32 Update values.yaml 2024-02-27 01:23:35 -05:00
Maidul Islam
8e83b0f2dd npm install backend 2024-02-27 01:13:00 -05:00
Maidul Islam
59c6837071 Update faq.mdx 2024-02-27 00:48:32 -05:00
Maidul Islam
d4d23e06a8 Merge pull request from Infisical/mongo-to-postgres-guide 
Mongo to postgres guide
 2024-02-27 00:43:58 -05:00
Maidul Islam
9d202e8501 add additional discussion 2024-02-27 00:43:36 -05:00
Maidul Islam
1f9f15136e mongo to postgres guide 2024-02-27 00:35:41 -05:00
BlackMagiq
26abb7d89f Merge pull request from Infisical/ldap-docs 
Update docs for LDAP
 2024-02-26 20:48:21 -08:00
Tuan Dang
892a25edfe Update docs for LDAP 2024-02-26 20:47:20 -08:00
Maidul Islam
082a533cfa Update Chart.yaml 2024-02-26 17:19:48 -05:00
Maidul Islam
d71a8a35e5 increase resource limits more 2024-02-26 17:19:38 -05:00
Maidul Islam
59585dfea9 Merge pull request from Infisical/daniel/failed-decryption-log 
Fix: Add detailed decryption error logging
 2024-02-26 16:49:52 -05:00
Daniel Hougaard
514304eed0 Fix: Add detailed decryption error logging 2024-02-26 22:19:54 +01:00
Maidul Islam
a0fc9e534c Update Chart.yaml 2024-02-26 16:10:02 -05:00
Maidul Islam
73323c0343 update resource limits 2024-02-26 16:09:21 -05:00
BlackMagiq
98cd71d421 Merge pull request from Infisical/ldap-docs 
Add docs for LDAP
 2024-02-26 10:51:48 -08:00
Tuan Dang
ae6157dd78 Add docs for LDAP 2024-02-26 10:49:30 -08:00
Maidul Islam
4bf7e8bbd1 add ingress back to helm 2024-02-26 13:01:57 -05:00
Akhil Mohan
6891d309da Merge pull request from Trugamr/fix/1422-verify-email-loading 
fix(signup): set send verification email button loading state
 2024-02-26 19:56:51 +05:30
Maidul Islam
1cccbca0c5 Merge pull request from Trugamr/fix/contributing-guide-link 
Fix broken contributing guide link
 2024-02-26 08:54:53 -05:00
Akhil Mohan
2c2e1f5d2e Merge pull request from Infisical/scroll-rotation-fix 
fix scrolling issue in rotation modal
 2024-02-26 13:43:48 +05:30
Vladyslav Matsiiako
6946f3901c fix scrolling issue in rotation modal 2024-02-26 00:03:41 -08:00
Maidul Islam
82a7010e29 Update envars.mdx 2024-02-25 14:47:04 -05:00
Maidul Islam
a1e763fa28 Update kubernetes-helm.mdx 2024-02-25 14:42:10 -05:00
Maidul Islam
0992117173 add pull policy to docker compose 2024-02-25 14:12:19 -05:00
Maidul Islam
9419884a26 Merge pull request from radhakrisri/main 
Wait for db service to be healthy before kicking off db-migration and backend services
 2024-02-25 14:10:44 -05:00
Radha Krishna. S
850f3a347c Wait for db service to be healthy before kicking off db-migration and backend services 2024-02-25 12:33:42 -06:00
Trugamr
4c9101d18d fix(signup): set send verification email button loading state 
Set loading state for button based on send verification email mutation state

fix
2024-02-25 14:58:08 +05:30
Shivam Dua
06e8e90ad5 Fix broken contributing guide link 2024-02-25 13:52:40 +05:30
Maidul Islam
fdd79c0568 Update kubernetes-helm.mdx 2024-02-23 21:41:48 -05:00
Maidul Islam
4ef8abdb00 Merge pull request from Infisical/postgres-helm 
Add helm chart with postgres + many other docs changes
 2024-02-23 21:25:12 -05:00
Maidul Islam
46f0fb7a41 add helm with postgres + docs 2024-02-23 21:20:58 -05:00
Maidul Islam
2142f5736c Merge pull request from Infisical/snyk-upgrade-adb30694539efb19ffe3e73890bb6b8e 
[Snyk] Upgrade aws-sdk from 2.1545.0 to 2.1549.0
 2024-02-23 13:39:50 -05:00
Maidul Islam
ce764d70ad Merge branch 'main' into snyk-upgrade-adb30694539efb19ffe3e73890bb6b8e 2024-02-23 13:39:43 -05:00
Maidul Islam
c2d0ddb2fc Merge pull request from Infisical/snyk-upgrade-d2de299aecc7f7e0bc3f4806027b63db 
[Snyk] Upgrade @aws-sdk/client-secrets-manager from 3.502.0 to 3.504.0
 2024-02-23 13:38:39 -05:00
Maidul Islam
7ba9588509 Merge pull request from Infisical/snyk-upgrade-321e83ad66200d3a9986ba215332d07e 
[Snyk] Upgrade axios from 1.6.4 to 1.6.7
 2024-02-23 13:38:24 -05:00
Maidul Islam
cddb09e031 Merge pull request from Infisical/snyk-upgrade-ef9af10ff1fb4ccb502ef71e8db6e32a 
[Snyk] Upgrade dotenv from 16.3.1 to 16.4.1
 2024-02-23 13:38:13 -05:00
Maidul Islam
046dc83638 Merge pull request from Infisical/snyk-upgrade-79bce0f7942398d32958cc208d2bf3d9 
[Snyk] Upgrade @fastify/cors from 8.4.1 to 8.5.0
 2024-02-23 13:38:00 -05:00
snyk-bot
320074ef6c fix: upgrade @fastify/cors from 8.4.1 to 8.5.0 
Snyk has created this PR to upgrade @fastify/cors from 8.4.1 to 8.5.0.

See this package in npm:
https://www.npmjs.com/package/@fastify/cors

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-23 17:54:12 +00:00
snyk-bot
e780ee6573 fix: upgrade dotenv from 16.3.1 to 16.4.1 
Snyk has created this PR to upgrade dotenv from 16.3.1 to 16.4.1.

See this package in npm:
https://www.npmjs.com/package/dotenv

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-23 17:54:08 +00:00
snyk-bot
a5a881c382 fix: upgrade axios from 1.6.4 to 1.6.7 
Snyk has created this PR to upgrade axios from 1.6.4 to 1.6.7.

See this package in npm:
https://www.npmjs.com/package/axios

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-23 17:54:04 +00:00
snyk-bot
200d4a5af6 fix: upgrade @aws-sdk/client-secrets-manager from 3.502.0 to 3.504.0 
Snyk has created this PR to upgrade @aws-sdk/client-secrets-manager from 3.502.0 to 3.504.0.

See this package in npm:
https://www.npmjs.com/package/@aws-sdk/client-secrets-manager

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-23 17:54:00 +00:00
snyk-bot
07318ec54b fix: upgrade aws-sdk from 2.1545.0 to 2.1549.0 
Snyk has created this PR to upgrade aws-sdk from 2.1545.0 to 2.1549.0.

See this package in npm:
https://www.npmjs.com/package/aws-sdk

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-23 17:53:57 +00:00
Maidul Islam
92d237a714 Merge pull request from Infisical/snyk-fix-619f8d103918c8185c0381a3771a208f 
[Snyk] Security upgrade sanitize-html from 2.11.0 to 2.12.1
 2024-02-23 09:49:03 -05:00
Maidul Islam
6ef988fa86 Merge pull request from akhilmhdh/feat/telemetry-new-fields 
feat(telemetry): added new telemetry events
 2024-02-23 09:48:42 -05:00
snyk-bot
70822d0d98 fix: frontend/package.json & frontend/package-lock.json to reduce vulnerabilities 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
 2024-02-23 11:28:36 +00:00
Akhil Mohan
e91499b301 feat(telemetry): updated telemetry distinct id to use service token from secrets one 2024-02-23 13:22:53 +05:30
Akhil Mohan
92acb4d943 feat(telemetry): fixed typo in filename lib/telemetry and capitalized new posthog event names 2024-02-23 13:19:16 +05:30
Akhil Mohan
76daa20d69 feat(telemetry): added telemetry events for creation of integration,project,machine identity and user invitation to org 2024-02-23 13:19:16 +05:30
Maidul Islam
a231813f01 Merge pull request from Nithishvb/fix-uppercase-member-search 2024-02-23 01:02:01 -05:00
Maidul Islam
3eb2bdb191 Merge pull request from Infisical/daniel/show-upgrade-to-everyone 
(style): Show upgrade alert to all users
 2024-02-22 22:31:05 -05:00
Daniel Hougaard
cadf6e1157 Update UpgradeOverlay.tsx 2024-02-23 01:13:26 +01:00
Daniel Hougaard
ceb7fafc06 Update UpgradeProjectAlert.tsx 2024-02-23 01:12:22 +01:00
Daniel Hougaard
3063bb9982 Update UpgradeProjectAlert.tsx 2024-02-23 01:12:02 +01:00
Maidul Islam
3d82a43615 Merge pull request from Infisical/daniel/ghost-users-fixes 
(Fix): Project upgrade
 2024-02-22 17:20:44 -05:00
Daniel Hougaard
028541a18a Update project-membership-service.ts 2024-02-22 23:18:32 +01:00
Daniel Hougaard
66a631ff46 Update SecretOverviewPage.tsx 2024-02-22 23:16:21 +01:00
Daniel Hougaard
28adb8f0ac Re-add upgrade popup 2024-02-22 23:12:41 +01:00
Daniel Hougaard
5c988c2cd5 Docs 2024-02-22 23:07:07 +01:00
Daniel Hougaard
acf8a54abb Fix service tokens not working after upgrade 2024-02-22 23:06:55 +01:00
Daniel Hougaard
387094aa27 Allow deleting project members even on V1 projects 2024-02-22 23:06:24 +01:00
Maidul Islam
4251e95c15 Merge pull request from Salman2301/fix-typo-doc-port 
docs(sdk): fix typo PORT
 2024-02-22 16:26:23 -05:00
Maidul Islam
f4386c2d93 Merge pull request from akhilmhdh/fix/service-token-email-telemetry 
fix(telemetry): added back email for telemetry when using service token
 2024-02-22 16:23:00 -05:00
Maidul Islam
ff4b943854 fix admin signup phrasing 2024-02-22 16:04:12 -05:00
Maidul Islam
879a5ecfac Merge pull request from Salman2301/feat-admin-signup 
Add admin invite only signup field
 2024-02-22 15:39:06 -05:00
Maidul Islam
a831a7d848 small typos and update migration timestamp 2024-02-22 15:35:09 -05:00
Maidul Islam
3138784d1a Merge branch 'main' into feat-admin-signup 2024-02-22 15:13:28 -05:00
Maidul Islam
0b258e3918 make clear service token with null creator 2024-02-22 15:06:00 -05:00
Maidul Islam
d0545a01b9 Merge pull request from Infisical/snyk-upgrade-12de5d06bf0c091610dcb9c1c21ef687 
[Snyk] Upgrade mysql2 from 3.6.5 to 3.9.1
 2024-02-22 14:46:59 -05:00
Maidul Islam
d71398344f Merge pull request from Infisical/snyk-upgrade-28f9cfd389af9a9d16a7b1f08b87f2b4 
[Snyk] Upgrade bullmq from 5.1.1 to 5.1.6
 2024-02-22 14:46:46 -05:00
Maidul Islam
25e3cc047b Merge pull request from Infisical/snyk-upgrade-69ae80b8287feeb813ee50b31af31ab0 
[Snyk] Upgrade zod-to-json-schema from 3.22.0 to 3.22.4
 2024-02-22 14:46:36 -05:00
Maidul Islam
17149de567 Merge pull request from Infisical/snyk-upgrade-a58302f2598bcda51b89dcf7293bd0ad 
[Snyk] Upgrade @fastify/swagger from 8.12.0 to 8.14.0
 2024-02-22 14:46:23 -05:00
Maidul Islam
cca2fb7ff5 Merge pull request from Infisical/snyk-upgrade-d48144dd89e80fb18b02fe45b4dfd7c8 
[Snyk] Upgrade fastify from 4.24.3 to 4.26.0
 2024-02-22 14:46:12 -05:00
Nithish
f1f2d62993 fix: access member returns empty results when search using upper case letters. 2024-02-22 22:32:58 +05:30
Akhil Mohan
be49de5f34 fix(telemetry): added back email for telemetry when using service token 2024-02-22 17:09:33 +05:30
Maidul Islam
acfa89ba8b fix typo 2024-02-22 05:01:50 -05:00
Maidul Islam
389ec85554 Merge pull request from akhilmhdh/ci/frontend-ts-check 
chore: added type and lint check for frontend ci/cd
 2024-02-22 04:54:23 -05:00
Maidul Islam
2a6b0efe22 Merge pull request from Infisical/update-self-host-config-docker-compose 
Update self host config docker compose
 2024-02-22 04:45:59 -05:00
Maidul Islam
74d9a76f75 update self config/docker guide 2024-02-22 04:42:39 -05:00
Maidul Islam
9c67d43ebe remove upgrade popup 2024-02-22 03:27:41 -05:00
Akhil Mohan
d8f3531b50 chore: added type and lint check for frontend 2024-02-22 13:28:07 +05:30
snyk-bot
57be73c17e fix: upgrade fastify from 4.24.3 to 4.26.0 
Snyk has created this PR to upgrade fastify from 4.24.3 to 4.26.0.

See this package in npm:
https://www.npmjs.com/package/fastify

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-22 07:47:03 +00:00
snyk-bot
a10129e750 fix: upgrade @fastify/swagger from 8.12.0 to 8.14.0 
Snyk has created this PR to upgrade @fastify/swagger from 8.12.0 to 8.14.0.

See this package in npm:
https://www.npmjs.com/package/@fastify/swagger

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-22 07:46:59 +00:00
snyk-bot
adc10cf675 fix: upgrade zod-to-json-schema from 3.22.0 to 3.22.4 
Snyk has created this PR to upgrade zod-to-json-schema from 3.22.0 to 3.22.4.

See this package in npm:
https://www.npmjs.com/package/zod-to-json-schema

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-22 07:46:55 +00:00
snyk-bot
49f7780e52 fix: upgrade bullmq from 5.1.1 to 5.1.6 
Snyk has created this PR to upgrade bullmq from 5.1.1 to 5.1.6.

See this package in npm:
https://www.npmjs.com/package/bullmq

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-22 07:46:52 +00:00
snyk-bot
26482c6b0a fix: upgrade mysql2 from 3.6.5 to 3.9.1 
Snyk has created this PR to upgrade mysql2 from 3.6.5 to 3.9.1.

See this package in npm:
https://www.npmjs.com/package/mysql2

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-22 07:46:48 +00:00
Maidul Islam
1cf9aaeb1b Merge pull request from Infisical/daniel/ghost-users-full 
(Feat): Interacting with projects programmatically
 2024-02-22 02:40:48 -05:00
Akhil Mohan
fed022ed09 feat: removed unused inviteSignup flag 2024-02-22 13:09:51 +05:30
Salman K.A.A
64fbe4161c docs(sdk): fix typo PORT 2024-02-22 12:27:04 +05:30
Daniel Hougaard
bbe769a961 Increase SV migrate to 1000 & add billing page to Gamma 2024-02-22 07:30:26 +01:00
Maidul Islam
45772f0108 add envs 2024-02-22 01:27:02 -05:00
Daniel Hougaard
31cc3ece0c Update srp.ts 2024-02-22 07:01:03 +01:00
Daniel Hougaard
52cfa1ba39 Update UpgradeOverlay.tsx 2024-02-22 06:29:27 +01:00
Maidul Islam
d9888f9dd1 envars update + docker standalone 2024-02-22 00:13:21 -05:00
Daniel Hougaard
4553c6bb37 Update scim-service.ts 2024-02-22 05:02:37 +01:00
Daniel Hougaard
554f0cfd00 Fix backend test 2024-02-22 05:00:40 +01:00
Daniel Hougaard
0a5112d302 Update run-backend-tests.yml 2024-02-22 05:00:40 +01:00
Daniel Hougaard
bdb0ed3e5e Removed redundantcies 2024-02-22 05:00:40 +01:00
Daniel Hougaard
7816d8593e Final changes 2024-02-22 05:00:40 +01:00
Daniel Hougaard
816c793ae3 Update index.tsx 2024-02-22 05:00:40 +01:00
Daniel Hougaard
9f0d09f8ed Update seed-data.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
2cbd2ee75f Update project-router.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
368974cf01 Moved 2024-02-22 05:00:40 +01:00
Daniel Hougaard
8be976a694 Get last 700 secret versions instead of 100 2024-02-22 05:00:40 +01:00
Daniel Hougaard
cab47d0b98 Update project-queue.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
aa81711824 Fixed integrations & bulk update issue 2024-02-22 05:00:40 +01:00
Daniel Hougaard
10fbb99a15 Refactor migration to work with conflict/merge update logic 2024-02-22 05:00:40 +01:00
Daniel Hougaard
4657985468 Update project-service.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
68ac1d285a Improved polling 2024-02-22 05:00:40 +01:00
Daniel Hougaard
fe7524fca1 Requested changes 2024-02-22 05:00:40 +01:00
Daniel Hougaard
bf9b47ad66 Requested changes 2024-02-22 05:00:40 +01:00
Daniel Hougaard
8e49825e16 Cleanup 2024-02-22 05:00:40 +01:00
Daniel Hougaard
27b4749205 More tests 2024-02-22 05:00:40 +01:00
Daniel Hougaard
5b1f07a661 Move migration to latest 2024-02-22 05:00:40 +01:00
Daniel Hougaard
50128bbac6 Test decrypt fix 2024-02-22 05:00:40 +01:00
Daniel Hougaard
debf80cfdc More 2024-02-22 05:00:40 +01:00
Daniel Hougaard
4ab47ca175 Fix for "random" crash on creation 2024-02-22 05:00:40 +01:00
Daniel Hougaard
021413fbd9 Update project-router.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
8a39276e04 Fix for commonJS 2024-02-22 05:00:40 +01:00
Daniel Hougaard
b5e64bc8b8 Update srp.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
faa842c3d2 Revert seed 2024-02-22 05:00:40 +01:00
Daniel Hougaard
28b24115b7 Move check to inside service 2024-02-22 05:00:40 +01:00
Daniel Hougaard
198dc05753 Allow getting bot, but not creating 2024-02-22 05:00:40 +01:00
Daniel Hougaard
178492e9bd Add logger to avoid crash 2024-02-22 05:00:40 +01:00
Daniel Hougaard
fb9cdb591c Error renaming 2024-02-22 05:00:40 +01:00
Daniel Hougaard
4c5100de6b Update project-key-service.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
b587e6a4a1 Update models.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
773756d731 Add transaction support 2024-02-22 05:00:40 +01:00
Daniel Hougaard
9efece1f01 Update models.ts 2024-02-22 05:00:40 +01:00
Daniel Hougaard
bb6e8b1a51 Finished migration 2024-02-22 05:00:40 +01:00
Daniel Hougaard
0f98fc94f0 Ghost user and migration finished! 2024-02-22 05:00:40 +01:00
Daniel Hougaard
7f1963f1ac Update index.ts 2024-02-22 05:00:39 +01:00
Daniel Hougaard
6064c393c6 Ghost 2024-02-22 05:00:39 +01:00
Daniel Hougaard
0cecf05a5b Fix project seed (seeds old projects that can be upgraded) 2024-02-22 05:00:39 +01:00
Daniel Hougaard
dc6497f9eb Update licence-fns.ts 2024-02-22 05:00:39 +01:00
Daniel Hougaard
e445970f36 More gohst user 2024-02-22 05:00:35 +01:00
Daniel Hougaard
c33741d588 Ghost user WIP 2024-02-22 05:00:26 +01:00
Daniel Hougaard
5dfc84190d Update bot-router.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
a1d11c0fcd Fixes 2024-02-22 05:00:26 +01:00
Daniel Hougaard
863bbd420c Added DAL methods 2024-02-22 05:00:26 +01:00
Daniel Hougaard
4b37b2afba Wired most of the frontend to support ghost users 2024-02-22 05:00:26 +01:00
Daniel Hougaard
a366dbb16d Ghost user! 2024-02-22 05:00:26 +01:00
Daniel Hougaard
423ad49490 Helper functions for adding workspace members on serverside 2024-02-22 05:00:26 +01:00
Daniel Hougaard
2a4bda481d Crypto stuff 2024-02-22 05:00:26 +01:00
Daniel Hougaard
5b550a97a1 TS erros 2024-02-22 05:00:26 +01:00
Daniel Hougaard
0fa0e4eb0f Ghost user migration 2024-02-22 05:00:26 +01:00
Daniel Hougaard
65e3f0ec95 Update 3-project.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
c20f6e51ae Update project-router.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
cee8ead78a Update org-dal.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
82fe0bb5c4 Update project-bot-service.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
0b7efa57be Proper update project endpoint 2024-02-22 05:00:26 +01:00
Daniel Hougaard
9c11226b71 Renaming 2024-02-22 05:00:26 +01:00
Daniel Hougaard
ae3606c9fb Optional slug on create project 2024-02-22 05:00:26 +01:00
Daniel Hougaard
a0e25b8ea2 Describe 2024-02-22 05:00:26 +01:00
Daniel Hougaard
0931a17af5 Convert check to a standalone DAL operation 2024-02-22 05:00:26 +01:00
Daniel Hougaard
c16bf2afdb Removed unused invite-signup endpoint (finally) 2024-02-22 05:00:26 +01:00
Daniel Hougaard
04b4e80dd1 Documentation 2024-02-22 05:00:26 +01:00
Daniel Hougaard
f178220c5a Documentation 2024-02-22 05:00:26 +01:00
Daniel Hougaard
ed353d3263 Extra 2024-02-22 05:00:26 +01:00
Daniel Hougaard
ec6ec8813e Moved 2024-02-22 05:00:26 +01:00
Daniel Hougaard
3ea529d525 Update srp.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
f35f10558b Get last 700 secret versions instead of 100 2024-02-22 05:00:26 +01:00
Daniel Hougaard
28287b8ed4 Update project-queue.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
0f3ec51d14 Update project-queue.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
75813deb81 Fixed integrations & bulk update issue 2024-02-22 05:00:26 +01:00
Maidul Islam
66e57d5d11 correct error log 2024-02-22 05:00:26 +01:00
Daniel Hougaard
fb2a213214 Refactor migration to work with conflict/merge update logic 2024-02-22 05:00:26 +01:00
Vladyslav Matsiiako
c0b11b8350 improve the styling of the project upgrade banner 2024-02-22 05:00:26 +01:00
Daniel Hougaard
bea24d9654 Remove rate limiter 2024-02-22 05:00:26 +01:00
Daniel Hougaard
a7bc62f8e4 Akhil requested changes 2024-02-22 05:00:26 +01:00
Daniel Hougaard
2ef7e8f58e Improved invite user to project (even though this function isn't actually used.) 2024-02-22 05:00:26 +01:00
Daniel Hougaard
41d3b9314e Throw before completion (FOR TESTING!) 2024-02-22 05:00:26 +01:00
Daniel Hougaard
1e9d49008b Update project-service.ts 2024-02-22 05:00:26 +01:00
Daniel Hougaard
49d07a6762 Fixed versioning bug 2024-02-22 05:00:26 +01:00
Daniel Hougaard
9ce71371a9 cx -> twMerge 2024-02-22 05:00:26 +01:00
Daniel Hougaard
c1c66da92b Improved polling 2024-02-22 05:00:26 +01:00
Daniel Hougaard
4121c1d573 Requested changes 2024-02-22 05:00:26 +01:00
Daniel Hougaard
108f3cf117 Requested changes 2024-02-22 05:00:26 +01:00
Daniel Hougaard
a6e263eded Requested changes 2024-02-22 05:00:26 +01:00
Daniel Hougaard
419916ee0c Block secret mutations during upgrade 2024-02-22 05:00:25 +01:00
Daniel Hougaard
f7e6a96a02 Cleanup 2024-02-22 05:00:25 +01:00
Daniel Hougaard
b0356ba941 More tests 2024-02-22 05:00:25 +01:00
Daniel Hougaard
7ea5323a37 Update project-queue.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
23e198d891 Update UpgradeProjectAlert.tsx 2024-02-22 05:00:25 +01:00
Daniel Hougaard
9f9849ccfd Move migration to latest 2024-02-22 05:00:25 +01:00
Daniel Hougaard
0c53eb8e22 Test decrypt fix 2024-02-22 05:00:25 +01:00
Daniel Hougaard
9b62937db2 More 2024-02-22 05:00:25 +01:00
Daniel Hougaard
ebb8d632c4 Fix for "random" crash on creation 2024-02-22 05:00:25 +01:00
Daniel Hougaard
43aae87fb0 Update project-router.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
3415514fde Update project-router.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
c0e0ddde76 Update project-router.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
39ae66a84f Update project-router.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
e8ec5b8b49 Update check-api-for-breaking-changes.yml 2024-02-22 05:00:25 +01:00
Daniel Hougaard
592271de3b Fix for commonJS 2024-02-22 05:00:25 +01:00
Daniel Hougaard
5680b984cf Update srp.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
f378d6cc2b Update srp.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
04c12d9a75 Revert seed 2024-02-22 05:00:25 +01:00
Daniel Hougaard
31b5f779fb Frontend bot logic 2024-02-22 05:00:25 +01:00
Daniel Hougaard
bb92cef764 Fix dummy signup project to support V2 2024-02-22 05:00:25 +01:00
Daniel Hougaard
6090f86b74 Move check to inside service 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8c3569a047 Check if project is v2 before allowing a bot to be created 2024-02-22 05:00:25 +01:00
Daniel Hougaard
6fa11fe637 Allow getting bot, but not creating 2024-02-22 05:00:25 +01:00
Daniel Hougaard
9287eb7031 Increase random size 2024-02-22 05:00:25 +01:00
Daniel Hougaard
e54b261c0f Add new routes 2024-02-22 05:00:25 +01:00
Daniel Hougaard
60747b10b6 Error renaming 2024-02-22 05:00:25 +01:00
Daniel Hougaard
bf278355c4 Delete membership by email 2024-02-22 05:00:25 +01:00
Daniel Hougaard
d3d429db37 Delete membership by email 2024-02-22 05:00:25 +01:00
Daniel Hougaard
f2dcc83a56 New doc routes 2024-02-22 05:00:25 +01:00
Daniel Hougaard
26576b6bcd Update project-membership-types.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
4cca82c3c8 New service for deleting memberships by email 2024-02-22 05:00:25 +01:00
Daniel Hougaard
1b82a157cc Find membership by email 2024-02-22 05:00:25 +01:00
Daniel Hougaard
5409cffe33 Update project-key-service.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
45327f10b1 Update project-bot-service.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
37645ba126 Update project-router.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
858b49d766 Add delete memberships by email 2024-02-22 05:00:25 +01:00
Daniel Hougaard
a3a1a0007d Add auth methods 2024-02-22 05:00:25 +01:00
Daniel Hougaard
075f457bd1 Update models.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
5156971d75 Add feature flag for showing upgrade project modal 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8f3de3cc90 Small UI fixes on approvals page (color and capitalization and spelling) 2024-02-22 05:00:25 +01:00
Daniel Hougaard
69cba4e6c7 Make alert only visible to admins and add reloading on completion 2024-02-22 05:00:25 +01:00
Daniel Hougaard
6dcab6646c Make it impossible to log in with the ghost user 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8e13eb6077 Update project-service.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
819a9b8d27 Finish upgrade queue 2024-02-22 05:00:25 +01:00
Daniel Hougaard
ec3cf0208c Add transaction support 2024-02-22 05:00:25 +01:00
Daniel Hougaard
4aa5822ae2 Don't show ghost users 2024-02-22 05:00:25 +01:00
Daniel Hougaard
5364480ca2 Update models.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
4802a36473 Finished migration 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8333250b0b Ghost user and migration finished! 2024-02-22 05:00:25 +01:00
Daniel Hougaard
0cfab8ab6b Update index.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8fd99855bd Ghost 2024-02-22 05:00:25 +01:00
Daniel Hougaard
f2c36c58f9 Fix project seed (seeds old projects that can be upgraded) 2024-02-22 05:00:25 +01:00
Daniel Hougaard
f47fdfe386 Update licence-fns.ts 2024-02-22 05:00:25 +01:00
Daniel Hougaard
8a11eebab8 Typo 2024-02-22 05:00:14 +01:00
Daniel Hougaard
3b1fc4b156 More gohst user 2024-02-22 05:00:14 +01:00
Daniel Hougaard
84cab17f5c Ghost user WIP 2024-02-22 04:59:11 +01:00
Daniel Hougaard
db773864d5 Update project-router.ts 2024-02-22 04:59:11 +01:00
Daniel Hougaard
b9840ceba9 Add project role 2024-02-22 04:59:11 +01:00
Daniel Hougaard
729ec7866a Update bot-router.ts 2024-02-22 04:59:11 +01:00
Daniel Hougaard
a7140941ee Fixes 2024-02-22 04:59:11 +01:00
Daniel Hougaard
34d1bbc2ed Added SRP helpers to serverside 2024-02-22 04:59:11 +01:00
Daniel Hougaard
3ad0382cb0 Added DAL methods 2024-02-22 04:59:11 +01:00
Daniel Hougaard
ccc409e9cd Wired most of the frontend to support ghost users 2024-02-22 04:59:11 +01:00
Daniel Hougaard
fe21ba0e54 Ghost user! 2024-02-22 04:59:11 +01:00
Daniel Hougaard
80a802386c Helper functions for adding workspace members on serverside 2024-02-22 04:59:11 +01:00
Daniel Hougaard
aec0e86182 Crypto stuff 2024-02-22 04:59:11 +01:00
Daniel Hougaard
8e3cddc1ea TS erros 2024-02-22 04:59:11 +01:00
Daniel Hougaard
3612e5834c Ghost user migration 2024-02-22 04:59:11 +01:00
Daniel Hougaard
031a2416a9 Schemas (mostly linting) 2024-02-22 04:59:11 +01:00
BlackMagiq
2eb9592b1a Merge pull request from Infisical/scim 
SCIM Provisioning
 2024-02-21 17:10:30 -08:00
Tuan Dang
bbd9fa4a56 Correct SCIM Token TTL ms 2024-02-21 17:00:59 -08:00
Tuan Dang
318ad25c11 Merge remote-tracking branch 'origin' into scim 2024-02-21 12:46:37 -08:00
Tuan Dang
c372eb7d20 Update SCIM docs, disable user management in Infisical if SAML is enforced 2024-02-21 11:20:42 -08:00
Maidul Islam
68a99a0b32 Merge pull request from Infisical/snyk-upgrade-5f0df547c23dd0ff111f6ca3860ac3c2 
[Snyk] Upgrade sharp from 0.32.6 to 0.33.2
 2024-02-21 12:10:41 -05:00
Maidul Islam
7512231e20 Merge branch 'main' into snyk-upgrade-5f0df547c23dd0ff111f6ca3860ac3c2 2024-02-21 12:10:35 -05:00
Maidul Islam
f0e580d68b Merge pull request from Infisical/snyk-upgrade-19fed8b881f49aaf8794932ec4cd1934 
[Snyk] Upgrade @aws-sdk/client-secrets-manager from 3.485.0 to 3.502.0
 2024-02-21 12:09:59 -05:00
Maidul Islam
116015d3cf Merge pull request from Infisical/snyk-upgrade-f0a7e4b81df465ae80db9e59002f75cc 
[Snyk] Upgrade posthog-js from 1.100.0 to 1.103.0
 2024-02-21 12:09:39 -05:00
Maidul Islam
308ff50197 Merge branch 'main' into snyk-upgrade-f0a7e4b81df465ae80db9e59002f75cc 2024-02-21 12:06:28 -05:00
Maidul Islam
9df5cbbe85 Merge pull request from Infisical/snyk-upgrade-785ded2802fbc87ba8e754f66e326fb6 
[Snyk] Upgrade cookies from 0.8.0 to 0.9.1
 2024-02-21 12:03:38 -05:00
Maidul Islam
a714a64bc2 Merge branch 'main' into snyk-upgrade-785ded2802fbc87ba8e754f66e326fb6 2024-02-21 12:00:34 -05:00
Maidul Islam
ea18d99793 Merge pull request from akhilmhdh/fix/admin-fail-redirect 
fix(admin): resolved undefined on redirect after admin signup
 2024-02-21 11:54:40 -05:00
Akhil Mohan
7c098529f7 fix(admin): resolved undefined on redirect after admin signup 2024-02-21 14:09:28 +05:30
snyk-bot
e20c623e91 fix: upgrade @aws-sdk/client-secrets-manager from 3.485.0 to 3.502.0 
Snyk has created this PR to upgrade @aws-sdk/client-secrets-manager from 3.485.0 to 3.502.0.

See this package in npm:
https://www.npmjs.com/package/@aws-sdk/client-secrets-manager

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-20 17:51:48 +00:00
Akhil Mohan
3260932741 fix: resovled be test failing as reusable job 2024-02-20 22:39:14 +05:30
Maidul Islam
f0e73474b7 add check out before integ tests run 2024-02-20 11:49:11 -05:00
Maidul Islam
7db829b0b5 Merge pull request from akhilmhdh/feat/integration-test-secret-ops 
Integration test for secret ops
 2024-02-20 11:40:26 -05:00
Maidul Islam
ccaa9fd96e add more test cases 2024-02-20 11:35:52 -05:00
Maidul Islam
b4db06c763 return empty string for decrypt fuction 2024-02-20 11:35:06 -05:00
Maidul Islam
3ebd2fdc6d Merge pull request from akhilmhdh/fix/identity-auth-identity-ops 
feat: made identity crud with identity auth mode and api key for user me
 2024-02-20 11:05:26 -05:00
Akhil Mohan
8d06a6c969 feat: made identity crud with identity auth mode and api key for user me 2024-02-20 21:08:34 +05:30
Akhil Mohan
2996efe9d5 feat: made secrets ops test to have both identity and jwt token based and test for identity 2024-02-20 20:58:10 +05:30
vmatsiiako
43879f6813 Update scanning-overview.mdx 2024-02-19 17:05:36 -08:00
Tuan Dang
72d4490ee7 Fix lint/type issues 2024-02-19 15:04:42 -08:00
Tuan Dang
2336a7265b Merge remote-tracking branch 'origin' into scim 2024-02-19 14:41:46 -08:00
Maidul Islam
d428fd055b update test envs 2024-02-19 16:52:59 -05:00
Maidul Islam
e4b89371f0 add env slug to make expect more strict 2024-02-19 16:08:21 -05:00
Tuan Dang
6f9b30b46e Minor UX adjustments to SCIM 2024-02-19 12:25:25 -08:00
Maidul Islam
35d589a15f add more secret test cases 2024-02-19 15:04:49 -05:00
Maidul Islam
8d77f2d8f3 Merge pull request from Infisical/snyk-upgrade-5b2dd8f68969929536cb2ba586aae1b7 
[Snyk] Upgrade aws-sdk from 2.1532.0 to 2.1545.0
 2024-02-19 13:55:11 -05:00
Akhil Mohan
7070a69711 feat: made e2ee api test indepdent or stateless 2024-02-19 20:56:29 +05:30
Tuan Dang
7a65f8c837 Complete preliminary SCIM fns, add permissioning to SCIM, add docs for SCIM 2024-02-18 18:50:23 -08:00
Akhil Mohan
678306b350 feat: some name changes for better understanding on testing 2024-02-18 22:51:10 +05:30
Akhil Mohan
8864c811fe feat: updated to reuse and run integration api test before release 2024-02-18 22:47:24 +05:30
snyk-bot
79206efcd0 fix: upgrade aws-sdk from 2.1532.0 to 2.1545.0 
Snyk has created this PR to upgrade aws-sdk from 2.1532.0 to 2.1545.0.

See this package in npm:
https://www.npmjs.com/package/aws-sdk

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/35057e82-ed7d-4e19-ba4d-719a42135cd6?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-18 06:17:23 +00:00
Maidul Islam
06d30fc10f Merge pull request from Infisical/snyk-upgrade-7fe9aedc3b5777266707225885372828 
[Snyk] Upgrade zustand from 4.4.7 to 4.5.0
 2024-02-17 16:56:29 -05:00
Maidul Islam
abd28d9269 remove comment 2024-02-17 12:14:37 -05:00
Maidul Islam
c6c64b5499 trigger workflow 2024-02-17 12:12:12 -05:00
Maidul Islam
5481b84a94 patch package json 2024-02-17 16:34:27 +00:00
Maidul Islam
ab878e00c9 Merge pull request from akhilmhdh/fix/import-sec-500 
fix: resolved secret import secrets failing when folder has empty secrets
 2024-02-17 11:11:58 -05:00
Akhil Mohan
6773996d40 fix: resolved secret import secrets failing when folder has empty secrets 2024-02-17 20:45:01 +05:30
snyk-bot
2e20b38bce fix: upgrade zustand from 4.4.7 to 4.5.0 
Snyk has created this PR to upgrade zustand from 4.4.7 to 4.5.0.

See this package in npm:
https://www.npmjs.com/package/zustand

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/53d4ecb6-6cc1-4918-aa73-bf9cae4ffd13?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-17 04:00:15 +00:00
snyk-bot
bccbedfc31 fix: upgrade cookies from 0.8.0 to 0.9.1 
Snyk has created this PR to upgrade cookies from 0.8.0 to 0.9.1.

See this package in npm:
https://www.npmjs.com/package/cookies

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/53d4ecb6-6cc1-4918-aa73-bf9cae4ffd13?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-17 04:00:12 +00:00
snyk-bot
0ab811194d fix: upgrade posthog-js from 1.100.0 to 1.103.0 
Snyk has created this PR to upgrade posthog-js from 1.100.0 to 1.103.0.

See this package in npm:
https://www.npmjs.com/package/posthog-js

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/53d4ecb6-6cc1-4918-aa73-bf9cae4ffd13?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-17 04:00:08 +00:00
snyk-bot
7b54109168 fix: upgrade sharp from 0.32.6 to 0.33.2 
Snyk has created this PR to upgrade sharp from 0.32.6 to 0.33.2.

See this package in npm:
https://www.npmjs.com/package/sharp

See this project in Snyk:
https://app.snyk.io/org/maidul98/project/53d4ecb6-6cc1-4918-aa73-bf9cae4ffd13?utm_source=github&utm_medium=referral&page=upgrade-pr
 2024-02-17 04:00:04 +00:00
Maidul Islam
2d088a865f Merge pull request from ruflair/patch-1 
Update docker.mdx
 2024-02-16 13:17:28 -05:00
Lukas Ruflair
0a8ec6b9da Update docker.mdx 
Fix typo in docker.mdx
 2024-02-16 10:13:29 -08:00
Maidul Islam
01b29c3917 Merge pull request from Infisical/snyk-fix-71fbba54e9eda81c90db390106760c64 
[Snyk] Fix for 4 vulnerabilities
 2024-02-16 12:15:16 -05:00
Maidul Islam
5439ddeadf Merge branch 'main' into snyk-fix-71fbba54e9eda81c90db390106760c64 2024-02-16 12:12:48 -05:00
Maidul Islam
9d17d5277b Merge pull request from Infisical/daniel/improve-reminders 
(Fix): Improve reminders
 2024-02-16 12:00:09 -05:00
Maidul Islam
c70fc7826a Merge pull request from Infisical/snyk-fix-4a9e6187125617ed814113514828d4f5 
[Snyk] Security upgrade nodemailer from 6.9.7 to 6.9.9
 2024-02-16 11:59:43 -05:00
Maidul Islam
9ed2bb38c3 Merge branch 'main' into snyk-fix-4a9e6187125617ed814113514828d4f5 2024-02-16 11:59:31 -05:00
Maidul Islam
f458cf0d40 Merge pull request from jinsley8/fix-webhook-settings-ui 
fix(frontend): Remove max-width to match other views
 2024-02-16 11:40:25 -05:00
Maidul Islam
ce3dc86f78 add troubleshoot for ansible 2024-02-16 10:37:34 -05:00
Maidul Islam
d1927cb9cf Merge pull request from ORCID/docs/ansible-workaround 
docs: cover ansible forking error
 2024-02-16 10:36:37 -05:00
Maidul Islam
e80426f72e update signup complete route 2024-02-16 09:15:52 -05:00
Akhil Mohan
97d2a15d3e feat: updated admin dashboard to use zod and ts enum 2024-02-16 13:41:18 +05:30
Maidul Islam
f8a8ea2118 update interval text 2024-02-15 14:50:42 -05:00
Maidul Islam
f5cd68168b Merge pull request from Infisical/docker-compose-selfhost-docs 
Docker compose docs with postgres
 2024-02-15 12:58:06 -05:00
Maidul Islam
1a0a9a7402 docker compose docs with postgres 2024-02-15 12:54:22 -05:00
Daniel Hougaard
b74ce14d80 Update SecretItem.tsx 2024-02-15 18:52:25 +01:00
Akhil Mohan
afdc5e8531 Merge pull request from abdulhakkeempa/bug-fix-model-close-on-cancel 
(Fix): Create API Modal closes on Cancel button
 2024-02-15 22:39:21 +05:30
Akhil Mohan
b84579b866 feat(e2e): changed to root .env.test and added .env.test.example 2024-02-15 21:06:18 +05:30
Akhil Mohan
4f3cf046fa feat(e2e): fixed post clean up error on gh be integration action 2024-02-15 20:43:40 +05:30
Akhil Mohan
c71af00146 feat(e2e): added enc key on gh action for be test file 2024-02-15 20:38:44 +05:30
Akhil Mohan
793440feb6 feat(e2e): made rebased changes 2024-02-15 20:30:12 +05:30
Akhil Mohan
b24d748462 feat(e2e): added gh action for execution of integration tests on PR and release 2024-02-15 20:25:39 +05:30
Akhil Mohan
4c49119ac5 feat(e2e): added identity token secret access integration tests 2024-02-15 20:25:39 +05:30
Akhil Mohan
90f09c7a78 feat(e2e): added service token integration tests 2024-02-15 20:25:39 +05:30
Akhil Mohan
00876f788c feat(e2e): added secrets integration tests 2024-02-15 20:25:39 +05:30
Akhil Mohan
f09c48d79b feat(e2e): fixed seed file issue and added more seeding 2024-02-15 20:25:39 +05:30
abdulhakkeempa
57daeb71e6 Merge remote-tracking branch 'origin/main' into bug-fix-model-close-on-cancel 2024-02-15 10:47:50 +05:30
abdulhakkeempa
98b5f713a5 Fix: Cancel button working on Create API in Personal Settings 2024-02-15 10:09:45 +05:30
Daniel Hougaard
120d7e42bf Added secret reminder updating, and viewing existing values 2024-02-15 01:14:19 +01:00
Daniel Hougaard
c2bd259c12 Added secret reminders to sidebar (and formatting) 2024-02-15 01:14:05 +01:00
Daniel Hougaard
242d770098 Improved UX when trying to find reminder value 2024-02-15 01:12:48 +01:00
Maidul Islam
1855fc769d Update check-api-for-breaking-changes.yml 2024-02-14 15:42:45 -05:00
Maidul Islam
217fef65e8 update breaking change workflow to dev.yml 2024-02-14 15:37:21 -05:00
Tuan Dang
e15ed4cc58 Merge remote-tracking branch 'origin' into scim 2024-02-14 12:30:38 -08:00
Maidul Islam
8a0fd62785 update docker compose name 2024-02-14 15:19:47 -05:00
BlackMagiq
c69601c14e Merge pull request from Infisical/identity-access-token-ttl 
Patch identity access token + client secret TTL
 2024-02-14 12:19:45 -08:00
Tuan Dang
faf6323a58 Patch identity ttl conversion 2024-02-14 12:09:56 -08:00
Salman
a1cc118514 Merge remote-tracking branch 'origin/main' into feat-admin-signup 2024-02-14 23:46:25 +05:30
Tuan Dang
c73ee49425 Pass Okta SCIM 2.0 SPEC Test 2024-02-14 09:22:23 -08:00
Salman
ee69bccb6e Update disabled sign up routes 2024-02-14 14:18:44 +05:30
Salman
0ff3ddb0c8 Update generate schema run 2024-02-14 07:52:46 +05:30
Maidul Islam
b82d1b6a5d update docker compose on readme 2024-02-13 19:50:58 -05:00
Maidul Islam
3dcda44c50 Merge pull request from akhilmhdh/feat/init-container 
feat: changed docker compose to use init container pattern for running migration
 2024-02-13 19:46:39 -05:00
Maidul Islam
f320b08ca8 rename docker compose and bring back make up-dev 2024-02-13 19:44:42 -05:00
Maidul Islam
df6e5674cf patch breaking change ci 2024-02-13 19:10:28 -05:00
Maidul Islam
6bac143a8e test without pg connection 2024-02-13 19:06:47 -05:00
Maidul Islam
38b93e499f logs on health check 2024-02-13 18:58:13 -05:00
Maidul Islam
a521538010 show all logs 2024-02-13 18:47:12 -05:00
Maidul Islam
8cc2553452 test workflow no db connection 2024-02-13 18:43:43 -05:00
Maidul Islam
b1cb9de001 correct -d mode 2024-02-13 18:39:28 -05:00
Maidul Islam
036256b350 add back -d mode 2024-02-13 18:37:04 -05:00
Maidul Islam
d3a06b82e6 update health check 2024-02-13 18:34:15 -05:00
Maidul Islam
87436cfb57 Update check-api-for-breaking-changes.yml 2024-02-13 18:04:49 -05:00
Vladyslav Matsiiako
5c58a4d1a3 added signup event and restyled admin flow 2024-02-13 13:15:54 -08:00
Maidul Islam
03a91b2c59 Merge pull request from akhilmhdh/chore/doc-openapi 
chore: changed mintlify to directly get from prod openapi
 2024-02-13 00:42:47 -05:00
Maidul Islam
751361bd54 add new propety to api 2024-02-13 00:38:59 -05:00
Maidul Islam
b4b88daf36 Revert "test breaking change" 
This reverts commit 6546740bd9e08d88f464546005aa63a6aec53545.
 2024-02-13 00:37:49 -05:00
Maidul Islam
6546740bd9 test breaking change 2024-02-13 00:34:31 -05:00
Maidul Islam
b32558c66f add . 2024-02-13 00:29:49 -05:00
Maidul Islam
effd30857e fix typo 2024-02-12 22:45:35 -05:00
Maidul Islam
60998c8944 Merge pull request from akhilmhdh/chore/feature-x-guide 
feat: added guides for new backend development
 2024-02-12 22:35:16 -05:00
Maidul Islam
3c4d9fd4a9 delete docs in backend 2024-02-12 22:34:36 -05:00
Maidul Islam
ad70c783e8 add backend guide to contributor 2024-02-12 22:33:55 -05:00
Maidul Islam
7347362738 rephrase new feature development guide 2024-02-12 21:49:15 -05:00
vmatsiiako
4b7f2e808b Update overview.mdx 2024-02-12 15:06:56 -08:00
Maidul Islam
57f9d13189 Merge pull request from Infisical/infisical-jenkins 
Rewrite Infisical Jenkins docs
 2024-02-12 18:02:11 -05:00
Tuan Dang
79694750af Remove signup disable check for SAML 2024-02-12 11:43:55 -08:00
BlackMagiq
03db367a4e Merge pull request from Infisical/azure-saml 
Add disableRequestedAuthnContext for azure saml
 2024-02-12 10:40:19 -08:00
Tuan Dang
b0fb848a92 Add disableRequestedAuthnContext for azure saml 2024-02-12 10:35:38 -08:00
Tuan Dang
3a7b697549 Make progress on SCIM 2024-02-12 09:18:33 -08:00
Akhil Mohan
4fdfcd50dc feat: changed check-api-breaking with oasdiff 2024-02-12 22:32:02 +05:30
Akhil Mohan
db205b855a feat: removed mongo comments from compose file 2024-02-12 14:52:19 +05:30
Akhil Mohan
e707f0d235 feat: added description and security over api written in docs 2024-02-12 14:19:49 +05:30
Salman
0fb87ab05f Update move to react hook form, rename allowedSignUpDomain 2024-02-12 04:09:46 +05:30
Salman
2ef8781378 Update support multiple domain and error handling 2024-02-11 10:55:36 +05:30
Salman
3f96f0a8fb Fix dropdown not working on page transition 2024-02-11 00:40:17 +05:30
Salman
da377f6fda Update error handling and refactor 2024-02-10 23:00:16 +05:30
Salman
5cf1ec2400 Add restrict signup based on domain 2024-02-10 10:44:39 +05:30
Salman
6c1489a87b Add admin invite only signup field 2024-02-10 03:26:56 +05:30
Akhil Mohan
48a97fb39d chore: changed mintlify to directly get from prod openapi 2024-02-09 22:53:27 +05:30
Akhil Mohan
d8ea26feb7 feat: changed docker compose to use init container pattern for migration 2024-02-09 13:12:25 +05:30
Tuan Dang
d5064fe75a Start SCIM functionality 2024-02-08 15:54:20 -08:00
Akhil Mohan
dc146d0883 feat: fixed spelling errors 2024-02-05 22:28:40 +05:30
Akhil Mohan
24dd79b566 feat: added guides for new backend development 2024-02-05 16:31:03 +05:30
snyk-bot
00650df501 fix: backend/package.json & backend/package-lock.json to reduce vulnerabilities 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-6219989
 2024-02-01 20:01:54 +00:00
snyk-bot
6ff5fb69d4 fix: backend/package.json & backend/package-lock.json to reduce vulnerabilities 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-6124857
- https://snyk.io/vuln/SNYK-JS-AXIOS-6144788
- https://snyk.io/vuln/SNYK-JS-FASTIFYSWAGGERUI-6157561
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
 2024-01-27 15:06:50 +00:00
Giles Westwood
9fe2021d9f docs: cover ansible forking error 2024-01-10 22:33:38 +00:00
Jon Insley
fe2f2f972e fix(frontend): Remove max-width to match other views 
This commit removes the max-width constraint on the WebhooksTab.tsx component, aligning it with the full-width layout consistency seen in other views. The previous max-width of 1024px resulted in unused space on larger screens.
 2023-10-25 13:54:09 -04:00
302 changed files with 11955 additions and 9578 deletions
.env.example.env.migration.example.env.test.example
.github/workflows
check-api-for-breaking-changes.ymlcheck-fe-ts-and-lint.ymlrelease-standalone-docker-img-postgres-offical.ymlrun-backend-tests.yml
.gitignoreCONTRIBUTING.mdMakefileREADME.md
backend
.eslintignore.eslintrc.js
e2e-test
routes
v1
identity.spec.tslogin.spec.tsproject-env.spec.tssecret-folder.spec.tssecret-import.spec.ts
v2
service-token.spec.ts
v3
secrets.spec.ts
vitest-environment-knex.ts
package-lock.jsonpackage.json
scripts
create-seed-file.tsgenerate-schema-types.ts
src
@types
fastify.d.tsknex.d.ts
db
knexfile.ts
migrations
20240208234120_scim-token.ts20240216154123_ghost_users.ts20240222201806_admin-signup-control.ts
schemas
index.tsmodels.tsorganizations.tsprojects.tsscim-tokens.tssuper-admin.tsusers.ts
seed-data.ts
seeds
1-user.ts2-org.ts3-project.ts4-machine-identity.ts
ee
routes/v1
index.tsproject-router.tssaml-router.tsscim-router.tssnapshot-router.ts
services
audit-log
audit-log-service.tsaudit-log-types.ts
license
__mocks__
licence-fns.ts
licence-fns.tslicense-types.ts
permission
org-permission.tspermission-service.ts
saml-config
saml-config-service.tssaml-config-types.ts
scim
scim-dal.tsscim-fns.tsscim-service.tsscim-types.ts
secret-approval-request
secret-approval-request-secret-dal.tssecret-approval-request-service.ts
lib
crypto
encryption.tsindex.tssecret-encryption.tssrp.ts
errors
index.ts
queue
queue-service.ts
server
app.ts
lib
telemetry.ts
plugins
audit-log.ts
auth
inject-identity.tsinject-permission.ts
error-handler.tsswagger.ts
routes
index.ts
v1
admin-router.tsidentity-access-token-router.tsidentity-router.tsidentity-ua.tsindex.tsintegration-router.tsinvite-org-router.tsorganization-router.tsproject-env-router.tsproject-membership-router.tsproject-router.tssecret-folder-router.tssecret-import-router.tssso-router.ts
v2
identity-org-router.tsidentity-project-router.tsindex.tsorganization-router.tsproject-membership-router.tsproject-router.tsservice-token-router.tsuser-router.ts
v3
secret-router.tssignup-router.ts
services
auth
auth-login-service.tsauth-login-type.tsauth-signup-service.tsauth-signup-type.tsauth-type.ts
identity-access-token
identity-access-token-service.ts
identity-ua
identity-ua-service.ts
integration-auth
integration-auth-dal.ts
org
org-dal.tsorg-fns.tsorg-service.tsorg-types.ts
project-bot
project-bot-dal.tsproject-bot-service.tsproject-bot-types.ts
project-key
project-key-dal.ts
project-membership
project-membership-dal.tsproject-membership-service.tsproject-membership-types.ts
project
project-dal.tsproject-fns.tsproject-queue.tsproject-service.tsproject-types.ts
secret-import
secret-import-fns.tssecret-import-service.ts
secret
secret-dal.tssecret-service.tssecret-version-dal.ts
service-token
service-token-dal.tsservice-token-service.ts
smtp
smtp-service.ts
templates
scimUserProvisioned.handlebarsworkspaceInvitation.handlebars
super-admin
super-admin-service.ts
telemetry
telemetry-service.tstelemetry-types.ts
user
user-dal.ts
vitest.e2e.config.ts
docker-compose.dev.ymldocker-compose.pg.ymldocker-compose.prod.ymldocker-compose.yml
docs
api-reference/endpoints
environments
create.mdxdelete.mdxupdate.mdx
folders
create.mdxdelete.mdxlist.mdxupdate.mdx
identities
create.mdxdelete.mdxupdate.mdx
organizations
list-identity-memberships.mdx
secret-imports
create.mdxdelete.mdxlist.mdxupdate.mdx
service-tokens
get.mdx
workspaces
create-workspace.mdxdelete-identity-membership.mdxdelete-membership.mdxdelete-workspace.mdxget-workspace.mdxinvite-member-to-workspace.mdxlist-identity-memberships.mdxmemberships.mdxremove-member-from-workspace.mdxrollback-snapshot.mdxupdate-identity-membership.mdxupdate-membership.mdxupdate-workspace.mdx
cli
scanning-overview.mdx
contributing/platform
backend
folder-structure.mdxhow-to-create-a-feature.mdx
developing.mdx
documentation
guides
node.mdx
platform
identities
overview.mdx
ldap.mdx
ldap
general.mdxjumpcloud.mdxoverview.mdx
scim
azure.mdxjumpcloud.mdxokta.mdxoverview.mdx
sso
azure.mdxjumpcloud.mdxokta.mdxoverview.mdx
images
platform
ldap
jumpcloud
ldap-jumpcloud-enable-bind-dn.pngldap-jumpcloud-org-dn.png
ldap-config.pngldap-toggle.png
scim
azure
scim-azure-config.pngscim-azure-get-started.pngscim-azure-provisioning-status.pngscim-azure-select-user-mappings.pngscim-azure-start-provisioning.pngscim-azure-user-mappings.png
jumpcloud
scim-jumpcloud-api-type.pngscim-jumpcloud-config.pngscim-jumpcloud-test-connection.png
okta
scim-okta-app-settings.pngscim-okta-auth.pngscim-okta-config.pngscim-okta-enable-provisioning.pngscim-okta-test.png
scim-copy-token.pngscim-create-token.pngscim-enable-provisioning.png
self-hosting
applicable-to-all
selfhost-signup.png
guides/mongo-postgres
mongo-migration.png
integrations/platforms
ansible.mdxdocker.mdx
mint.json
sdks/languages
node.mdx
self-hosting
configuration
email.mdxenvars.mdxredis.mdxrequirements.mdxschema-migrations.mdxsso.mdx
deployment-options
docker-compose.mdxkubernetes-helm.mdxstandalone-infisical.mdx
deployments
kubernetes.mdxlinux.mdx
faq.mdx
guides
mongo-to-postgres.mdx
overview.mdx
spec.yaml
frontend
package-lock.jsonpackage.json
src
components
basic/table
ProjectUsersTable.tsx
signup
DonwloadBackupPDFStep.tsxEnterEmailStep.tsx
utilities
cryptography
crypto.ts
secrets
encryptSecrets.ts
v2
UpgradeOverlay
UpgradeOverlay.tsxindex.tsx
UpgradeProjectAlert
UpgradeProjectAlert.tsxindex.tsx
context/OrgPermissionContext
types.ts
helpers
project.ts
hooks/api
admin
mutation.tstypes.ts
index.tsx
keys
queries.tsx
organization
queries.tsxtypes.ts
scim
index.tsxmutations.tsxqueries.tsxtypes.ts
serverDetails
types.ts
ssoConfig
queries.tsx
subscriptions
types.ts
types.ts
users
index.tsxmutation.tsxtypes.ts
workspace
index.tsxqueries.tsxtypes.ts
layouts/AppLayout
AppLayout.tsx
pages
org/[id]/overview
index.tsx
signupinvite.tsx
views
IntegrationsPage
IntegrationsPage.tsx
Org/MembersPage/components
OrgMembersTab/components/OrgMembersSection
OrgMembersSection.tsxOrgMembersTable.tsx
OrgRoleTabSection/OrgRoleModifySection
OrgRoleModifySection.tsxOrgRoleModifySection.utils.ts
Project/MembersPage/components/MemberListTab
MemberListTab.tsx
SecretApprovalPage/components/SecretApprovalRequest/components
SecretApprovalRequestChanges.tsx
SecretMainPage/components/SecretListView
CreateReminderForm.tsxSecretDetaiSidebar.tsxSecretItem.tsx
SecretOverviewPage
SecretOverviewPage.tsx
SecretRotationPage/components/CreateRotationForm
CreateRotationForm.tsx
Settings
OrgSettingsPage/components/OrgAuthTab
OrgAuthTab.tsxOrgGeneralAuthSection.tsxOrgSCIMSection.tsxScimTokenModal.tsx
PersonalSettingsPage/APIKeySection
AddAPIKeyModal.tsx
ProjectSettingsPage/components
E2EESection
E2EESection.tsx
WebhooksTab
WebhooksTab.tsx
admin
DashboardPage
DashboardPage.tsx
SignUpPage
SignUpPage.tsx
components/DownloadBackupKeys
DownloadBackupKeys.tsx
helm-charts/infisical-standalone-postgres
.gitignore.helmignoreChart.lockChart.yaml
templates
NOTES.txt_helpers.tplinfisical.yamljobs-rbac.yamlschema-migration-job.yaml
values.yaml
pg-migrator/src
index.ts

16
.env.example

@ -3,24 +3,22 @@
# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
# Required
DB_CONNECTION_URI=postgres://infisical:infisical@db:5432/infisical
# JWT
# Required secrets to sign JWT tokens
# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
# MongoDB
# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
# to the MongoDB container instance or Mongo Cloud
# Required
MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
# Postgres creds
POSTGRES_PASSWORD=infisical
POSTGRES_USER=infisical
POSTGRES_DB=infisical
# Redis
REDIS_URL=redis://redis:6379
# Optional credentials for MongoDB container instance and Mongo-Express
MONGO_USERNAME=root
MONGO_PASSWORD=example
# Website URL
# Required
SITE_URL=http://localhost:8080

1
.env.migration.example Normal file

@ -0,0 +1 @@
DB_CONNECTION_URI=

4
.env.test.example Normal file

@ -0,0 +1,4 @@
REDIS_URL=redis://localhost:6379
DB_CONNECTION_URI=postgres://infisical:infisical@localhost/infisical?sslmode=disable
AUTH_SECRET=4bnfe4e407b8921c104518903515b218
ENCRYPTION_KEY=4bnfe4e407b8921c104518903515b218

68
.github/workflows/check-api-for-breaking-changes.yml vendored

@ -14,36 +14,62 @@ jobs:
steps:
- name: Checkout source
uses: actions/checkout@v3
- name: Setup Node 20
uses: actions/setup-node@v3
with:
node-version: "20"
# uncomment this when testing locally using nektos/act
# - uses: KengoTODA/actions-setup-docker-compose@v1
# if: ${{ env.ACT }}
# name: Install `docker-compose` for local simulations
# - name: Setup Node 20
# uses: actions/setup-node@v3
# with:
# version: "2.14.2"
# node-version: "20"
# uncomment this when testing locally using nektos/act
- uses: KengoTODA/actions-setup-docker-compose@v1
if: ${{ env.ACT }}
name: Install `docker-compose` for local simulations
with:
version: "2.14.2"
- name: 📦Build the latest image
run: docker build --tag infisical-api .
working-directory: backend
- name: Start postgres and redis
run: touch .env && docker-compose -f docker-compose.pg.yml up -d db redis
run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
- name: Start the server
run: docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
run: |
echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
env:
REDIS_URL: redis://172.17.0.1:6379
DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
JWT_AUTH_SECRET: something-random
- name: Install openapi api diff
run: npm install -g openapi-diff
- name: Wait for containers to be stable
run: timeout 60s sh -c 'until docker ps | grep infisical-api | grep -q healthy; do echo "Waiting for container to be healthy..."; sleep 2; done'
- name: Get changes made in API
id: openapi-diff
run: openapi-diff https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json
- uses: actions/setup-go@v5
with:
go-version: '1.21.5'
- name: Wait for container to be stable and check logs
run: |
SECONDS=0
HEALTHY=0
while [ $SECONDS -lt 60 ]; do
if docker ps | grep infisical-api | grep -q healthy; then
echo "Container is healthy."
HEALTHY=1
break
fi
echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
docker logs infisical-api
sleep 2
SECONDS=$((SECONDS+2))
done
if [ $HEALTHY -ne 1 ]; then
echo "Container did not become healthy in time"
exit 1
fi
- name: Install openapi-diff
run: go install github.com/tufin/oasdiff@latest
- name: Running OpenAPI Spec diff action
run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
- name: cleanup
run: |
docker-compose -f "docker-compose.pg.yml" down
run: |
docker-compose -f "docker-compose.dev.yml" down
docker stop infisical-api
docker remove infisical-api
docker remove infisical-api

19
.github/workflows/check-fe-pull-request.yml → .github/workflows/check-fe-ts-and-lint.yml vendored

@ -1,4 +1,4 @@
name: Check Frontend Pull Request
name: Check Frontend Type and Lint check
on:
pull_request:
@ -10,8 +10,8 @@ on:
- "frontend/.eslintrc.js"
jobs:
check-fe-pr:
name: Check
check-fe-ts-lint:
name: Check Frontend Type and Lint check
runs-on: ubuntu-latest
timeout-minutes: 15
@ -25,12 +25,11 @@ jobs:
cache: "npm"
cache-dependency-path: frontend/package-lock.json
- name: 📦 Install dependencies
run: npm ci --only-production --ignore-scripts
run: npm install
working-directory: frontend
# -
# name: 🧪 Run tests
# run: npm run test:ci
# working-directory: frontend
- name: 🏗️ Run build
run: npm run build
- name: 🏗️ Run Type check
run: npm run type:check
working-directory: frontend
- name: 🏗️ Run Link check
run: npm run lint:fix
working-directory: frontend

5
.github/workflows/release-standalone-docker-img-postgres-offical.yml vendored

@ -5,9 +5,14 @@ on:
- "infisical/v*.*.*-postgres"
jobs:
infisical-tests:
name: Run tests before deployment
# https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
uses: ./.github/workflows/run-backend-tests.yml
infisical-standalone:
name: Build infisical standalone image postgres
runs-on: ubuntu-latest
needs: [infisical-tests]
steps:
- name: Extract version from tag
id: extract_version

47
.github/workflows/run-backend-tests.yml vendored Normal file

@ -0,0 +1,47 @@
name: "Run backend tests"
on:
pull_request:
types: [opened, synchronize]
paths:
- "backend/**"
- "!backend/README.md"
- "!backend/.*"
- "backend/.eslintrc.js"
workflow_call:
jobs:
check-be-pr:
name: Run integration test
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: ☁️ Checkout source
uses: actions/checkout@v3
- uses: KengoTODA/actions-setup-docker-compose@v1
if: ${{ env.ACT }}
name: Install `docker-compose` for local simulations
with:
version: "2.14.2"
- name: 🔧 Setup Node 20
uses: actions/setup-node@v3
with:
node-version: "20"
cache: "npm"
cache-dependency-path: backend/package-lock.json
- name: Install dependencies
run: npm install
working-directory: backend
- name: Start postgres and redis
run: touch .env && docker-compose -f docker-compose.dev.yml up -d db redis
- name: Start integration test
run: npm run test:e2e
working-directory: backend
env:
REDIS_URL: redis://172.17.0.1:6379
DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
AUTH_SECRET: something-random
ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
- name: cleanup
run: |
docker-compose -f "docker-compose.dev.yml" down

4
.gitignore vendored

@ -6,7 +6,7 @@ node_modules
.env.gamma
.env.prod
.env.infisical
.env.migration
*~
*.swp
*.swo
@ -63,3 +63,5 @@ yarn-error.log*
.vscode/*
frontend-build
*.tgz

2
CONTRIBUTING.md

@ -2,6 +2,6 @@
Thanks for taking the time to contribute! 😃 🚀
Please refer to our [Contributing Guide](https://infisical.com/docs/contributing/overview) for instructions on how to contribute.
Please refer to our [Contributing Guide](https://infisical.com/docs/contributing/getting-started/overview) for instructions on how to contribute.
We also have some 🔥amazing🔥 merch for our contributors. Please reach out to tony@infisical.com for more info 👀

10
Makefile

@ -5,16 +5,10 @@ push:
docker-compose -f docker-compose.yml push
up-dev:
docker-compose -f docker-compose.dev.yml up --build
up-pg-dev:
docker compose -f docker-compose.pg.yml up --build
i-dev:
infisical run -- docker-compose -f docker-compose.dev.yml up --build
docker compose -f docker-compose.dev.yml up --build
up-prod:
docker-compose -f docker-compose.yml up --build
docker-compose -f docker-compose.prod.yml up --build
down:
docker-compose down

4
README.md

@ -84,13 +84,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
Linux/macOS:
```console
git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.yml up
git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up
```
Windows Command Prompt:
```console
git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.yml up
git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up
```
Create an account at `http://localhost:80`

1
backend/.eslintignore

@ -1,2 +1,3 @@
vitest-environment-infisical.ts
vitest.config.ts
vitest.e2e.config.ts

12
backend/.eslintrc.js

@ -21,6 +21,18 @@ module.exports = {
tsconfigRootDir: __dirname
},
root: true,
overrides: [
{
files: ["./e2e-test/**/*"],
rules: {
"@typescript-eslint/no-unsafe-member-access": "off",
"@typescript-eslint/no-unsafe-assignment": "off",
"@typescript-eslint/no-unsafe-argument": "off",
"@typescript-eslint/no-unsafe-return": "off",
"@typescript-eslint/no-unsafe-call": "off",
}
}
],
rules: {
"@typescript-eslint/no-empty-function": "off",
"@typescript-eslint/no-unsafe-enum-comparison": "off",

71
backend/e2e-test/routes/v1/identity.spec.ts Normal file

@ -0,0 +1,71 @@
import { OrgMembershipRole } from "@app/db/schemas";
import { seedData1 } from "@app/db/seed-data";
export const createIdentity = async (name: string, role: string) => {
const createIdentityRes = await testServer.inject({
method: "POST",
url: "/api/v1/identities",
body: {
name,
role,
organizationId: seedData1.organization.id
},
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(createIdentityRes.statusCode).toBe(200);
return createIdentityRes.json().identity;
};
export const deleteIdentity = async (id: string) => {
const deleteIdentityRes = await testServer.inject({
method: "DELETE",
url: `/api/v1/identities/${id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(deleteIdentityRes.statusCode).toBe(200);
return deleteIdentityRes.json().identity;
};
describe("Identity v1", async () => {
test("Create identity", async () => {
const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
expect(newIdentity.name).toBe("mac1");
expect(newIdentity.authMethod).toBeNull();
await deleteIdentity(newIdentity.id);
});
test("Update identity", async () => {
const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
expect(newIdentity.name).toBe("mac1");
expect(newIdentity.authMethod).toBeNull();
const updatedIdentity = await testServer.inject({
method: "PATCH",
url: `/api/v1/identities/${newIdentity.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
name: "updated-mac-1",
role: OrgMembershipRole.Member
}
});
expect(updatedIdentity.statusCode).toBe(200);
expect(updatedIdentity.json().identity.name).toBe("updated-mac-1");
await deleteIdentity(newIdentity.id);
});
test("Delete Identity", async () => {
const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
const deletedIdentity = await deleteIdentity(newIdentity.id);
expect(deletedIdentity.name).toBe("mac1");
});
});

3
backend/e2e-test/routes/v1/login.spec.ts

@ -1,6 +1,7 @@
import { seedData1 } from "@app/db/seed-data";
import jsrp from "jsrp";
import { seedData1 } from "@app/db/seed-data";
describe("Login V1 Router", async () => {
// eslint-disable-next-line
const client = new jsrp.client();

113
backend/e2e-test/routes/v1/project-env.spec.ts

@ -1,6 +1,40 @@
import { seedData1 } from "@app/db/seed-data";
import { DEFAULT_PROJECT_ENVS } from "@app/db/seeds/3-project";
const createProjectEnvironment = async (name: string, slug: string) => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/workspace/${seedData1.project.id}/environments`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
name,
slug
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("environment");
return payload.environment;
};
const deleteProjectEnvironment = async (envId: string) => {
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/workspace/${seedData1.project.id}/environments/${envId}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("environment");
return payload.environment;
};
describe("Project Environment Router", async () => {
test("Get default environments", async () => {
const res = await testServer.inject({
@ -31,24 +65,10 @@ describe("Project Environment Router", async () => {
expect(payload.workspace.environments.length).toBe(3);
});
const mockProjectEnv = { name: "temp", slug: "temp", id: "" }; // id will be filled in create op
const mockProjectEnv = { name: "temp", slug: "temp" }; // id will be filled in create op
test("Create environment", async () => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/workspace/${seedData1.project.id}/environments`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
name: mockProjectEnv.name,
slug: mockProjectEnv.slug
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("environment");
expect(payload.environment).toEqual(
const newEnvironment = await createProjectEnvironment(mockProjectEnv.name, mockProjectEnv.slug);
expect(newEnvironment).toEqual(
expect.objectContaining({
id: expect.any(String),
name: mockProjectEnv.name,
@ -59,14 +79,15 @@ describe("Project Environment Router", async () => {
updatedAt: expect.any(String)
})
);
mockProjectEnv.id = payload.environment.id;
await deleteProjectEnvironment(newEnvironment.id);
});
test("Update environment", async () => {
const newEnvironment = await createProjectEnvironment(mockProjectEnv.name, mockProjectEnv.slug);
const updatedName = { name: "temp#2", slug: "temp2" };
const res = await testServer.inject({
method: "PATCH",
url: `/api/v1/workspace/${seedData1.project.id}/environments/${mockProjectEnv.id}`,
url: `/api/v1/workspace/${seedData1.project.id}/environments/${newEnvironment.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
@ -82,7 +103,7 @@ describe("Project Environment Router", async () => {
expect(payload).toHaveProperty("environment");
expect(payload.environment).toEqual(
expect.objectContaining({
id: expect.any(String),
id: newEnvironment.id,
name: updatedName.name,
slug: updatedName.slug,
projectId: seedData1.project.id,
@ -91,61 +112,21 @@ describe("Project Environment Router", async () => {
updatedAt: expect.any(String)
})
);
mockProjectEnv.name = updatedName.name;
mockProjectEnv.slug = updatedName.slug;
await deleteProjectEnvironment(newEnvironment.id);
});
test("Delete environment", async () => {
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/workspace/${seedData1.project.id}/environments/${mockProjectEnv.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("environment");
expect(payload.environment).toEqual(
const newEnvironment = await createProjectEnvironment(mockProjectEnv.name, mockProjectEnv.slug);
const deletedProjectEnvironment = await deleteProjectEnvironment(newEnvironment.id);
expect(deletedProjectEnvironment).toEqual(
expect.objectContaining({
id: expect.any(String),
id: deletedProjectEnvironment.id,
name: mockProjectEnv.name,
slug: mockProjectEnv.slug,
position: 1,
position: 4,
createdAt: expect.any(String),
updatedAt: expect.any(String)
})
);
});
// after all these opreations the list of environment should be still same
test("Default list of environment", async () => {
const res = await testServer.inject({
method: "GET",
url: `/api/v1/workspace/${seedData1.project.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("workspace");
// check for default environments
expect(payload).toEqual({
workspace: expect.objectContaining({
name: seedData1.project.name,
id: seedData1.project.id,
slug: seedData1.project.slug,
environments: expect.arrayContaining([
expect.objectContaining(DEFAULT_PROJECT_ENVS[0]),
expect.objectContaining(DEFAULT_PROJECT_ENVS[1]),
expect.objectContaining(DEFAULT_PROJECT_ENVS[2])
])
})
});
// ensure only two default environments exist
expect(payload.workspace.environments.length).toBe(3);
});
});

100
backend/e2e-test/routes/v1/secret-folder.spec.ts

@ -1,5 +1,40 @@
import { seedData1 } from "@app/db/seed-data";
const createFolder = async (dto: { path: string; name: string }) => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/folders`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
name: dto.name,
path: dto.path
}
});
expect(res.statusCode).toBe(200);
return res.json().folder;
};
const deleteFolder = async (dto: { path: string; id: string }) => {
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/folders/${dto.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: dto.path
}
});
expect(res.statusCode).toBe(200);
return res.json().folder;
};
describe("Secret Folder Router", async () => {
test.each([
{ name: "folder1", path: "/" }, // one in root
@ -7,30 +42,15 @@ describe("Secret Folder Router", async () => {
{ name: "folder2", path: "/" },
{ name: "folder1", path: "/level1/level2" } // this should not create folder return same thing
])("Create folder $name in $path", async ({ name, path }) => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/folders`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
name,
path
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("folder");
const createdFolder = await createFolder({ path, name });
// check for default environments
expect(payload).toEqual({
folder: expect.objectContaining({
expect(createdFolder).toEqual(
expect.objectContaining({
name,
id: expect.any(String)
})
});
);
await deleteFolder({ path, id: createdFolder.id });
});
test.each([
@ -43,6 +63,8 @@ describe("Secret Folder Router", async () => {
},
{ path: "/level1/level2", expected: { folders: [{ name: "folder1" }], length: 1 } }
])("Get folders $path", async ({ path, expected }) => {
const newFolders = await Promise.all(expected.folders.map(({ name }) => createFolder({ name, path })));
const res = await testServer.inject({
method: "GET",
url: `/api/v1/folders`,
@ -59,36 +81,22 @@ describe("Secret Folder Router", async () => {
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("folders");
expect(payload.folders.length).toBe(expected.length);
expect(payload).toEqual({ folders: expected.folders.map((el) => expect.objectContaining(el)) });
});
let toBeDeleteFolderId = "";
test("Update a deep folder", async () => {
const res = await testServer.inject({
method: "PATCH",
url: `/api/v1/folders/folder1`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
name: "folder-updated",
path: "/level1/level2"
}
expect(payload.folders.length >= expected.folders.length).toBeTruthy();
expect(payload).toEqual({
folders: expect.arrayContaining(expected.folders.map((el) => expect.objectContaining(el)))
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("folder");
expect(payload.folder).toEqual(
await Promise.all(newFolders.map(({ id }) => deleteFolder({ path, id })));
});
test("Update a deep folder", async () => {
const newFolder = await createFolder({ name: "folder-updated", path: "/level1/level2" });
expect(newFolder).toEqual(
expect.objectContaining({
id: expect.any(String),
name: "folder-updated"
})
);
toBeDeleteFolderId = payload.folder.id;
const resUpdatedFolders = await testServer.inject({
method: "GET",
@ -106,14 +114,16 @@ describe("Secret Folder Router", async () => {
expect(resUpdatedFolders.statusCode).toBe(200);
const updatedFolderList = JSON.parse(resUpdatedFolders.payload);
expect(updatedFolderList).toHaveProperty("folders");
expect(updatedFolderList.folders.length).toEqual(1);
expect(updatedFolderList.folders[0].name).toEqual("folder-updated");
await deleteFolder({ path: "/level1/level2", id: newFolder.id });
});
test("Delete a deep folder", async () => {
const newFolder = await createFolder({ name: "folder-updated", path: "/level1/level2" });
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/folders/${toBeDeleteFolderId}`,
url: `/api/v1/folders/${newFolder.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},

121
backend/e2e-test/routes/v1/secret-import.spec.ts

@ -1,32 +1,57 @@
import { seedData1 } from "@app/db/seed-data";
describe("Secret Folder Router", async () => {
const createSecretImport = async (importPath: string, importEnv: string) => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/secret-imports`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: "/",
import: {
environment: importEnv,
path: importPath
}
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("secretImport");
return payload.secretImport;
};
const deleteSecretImport = async (id: string) => {
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/secret-imports/${id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: "/"
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("secretImport");
return payload.secretImport;
};
describe("Secret Import Router", async () => {
test.each([
{ importEnv: "dev", importPath: "/" }, // one in root
{ importEnv: "staging", importPath: "/" } // then create a deep one creating intermediate ones
])("Create secret import $importEnv with path $importPath", async ({ importPath, importEnv }) => {
const res = await testServer.inject({
method: "POST",
url: `/api/v1/secret-imports`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: "/",
import: {
environment: importEnv,
path: importPath
}
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("secretImport");
// check for default environments
expect(payload.secretImport).toEqual(
const payload = await createSecretImport(importPath, importEnv);
expect(payload).toEqual(
expect.objectContaining({
id: expect.any(String),
importPath: expect.any(String),
@ -37,10 +62,12 @@ describe("Secret Folder Router", async () => {
})
})
);
await deleteSecretImport(payload.id);
});
let testSecretImportId = "";
test("Get secret imports", async () => {
const createdImport1 = await createSecretImport("/", "dev");
const createdImport2 = await createSecretImport("/", "staging");
const res = await testServer.inject({
method: "GET",
url: `/api/v1/secret-imports`,
@ -58,7 +85,6 @@ describe("Secret Folder Router", async () => {
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("secretImports");
expect(payload.secretImports.length).toBe(2);
testSecretImportId = payload.secretImports[0].id;
expect(payload.secretImports).toEqual(
expect.arrayContaining([
expect.objectContaining({
@ -72,12 +98,20 @@ describe("Secret Folder Router", async () => {
})
])
);
await deleteSecretImport(createdImport1.id);
await deleteSecretImport(createdImport2.id);
});
test("Update secret import position", async () => {
const res = await testServer.inject({
const devImportDetails = { path: "/", envSlug: "dev" };
const stagingImportDetails = { path: "/", envSlug: "staging" };
const createdImport1 = await createSecretImport(devImportDetails.path, devImportDetails.envSlug);
const createdImport2 = await createSecretImport(stagingImportDetails.path, stagingImportDetails.envSlug);
const updateImportRes = await testServer.inject({
method: "PATCH",
url: `/api/v1/secret-imports/${testSecretImportId}`,
url: `/api/v1/secret-imports/${createdImport1.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
@ -91,8 +125,8 @@ describe("Secret Folder Router", async () => {
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(updateImportRes.statusCode).toBe(200);
const payload = JSON.parse(updateImportRes.payload);
expect(payload).toHaveProperty("secretImport");
// check for default environments
expect(payload.secretImport).toEqual(
@ -102,7 +136,7 @@ describe("Secret Folder Router", async () => {
position: 2,
importEnv: expect.objectContaining({
name: expect.any(String),
slug: expect.any(String),
slug: expect.stringMatching(devImportDetails.envSlug),
id: expect.any(String)
})
})
@ -124,28 +158,19 @@ describe("Secret Folder Router", async () => {
expect(secretImportsListRes.statusCode).toBe(200);
const secretImportList = JSON.parse(secretImportsListRes.payload);
expect(secretImportList).toHaveProperty("secretImports");
expect(secretImportList.secretImports[1].id).toEqual(testSecretImportId);
expect(secretImportList.secretImports[1].id).toEqual(createdImport1.id);
expect(secretImportList.secretImports[0].id).toEqual(createdImport2.id);
await deleteSecretImport(createdImport1.id);
await deleteSecretImport(createdImport2.id);
});
test("Delete secret import position", async () => {
const res = await testServer.inject({
method: "DELETE",
url: `/api/v1/secret-imports/${testSecretImportId}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: "/"
}
});
expect(res.statusCode).toBe(200);
const payload = JSON.parse(res.payload);
expect(payload).toHaveProperty("secretImport");
const createdImport1 = await createSecretImport("/", "dev");
const createdImport2 = await createSecretImport("/", "staging");
const deletedImport = await deleteSecretImport(createdImport1.id);
// check for default environments
expect(payload.secretImport).toEqual(
expect(deletedImport).toEqual(
expect.objectContaining({
id: expect.any(String),
importPath: expect.any(String),
@ -175,5 +200,7 @@ describe("Secret Folder Router", async () => {
expect(secretImportList).toHaveProperty("secretImports");
expect(secretImportList.secretImports.length).toEqual(1);
expect(secretImportList.secretImports[0].position).toEqual(1);
await deleteSecretImport(createdImport2.id);
});
});

579
backend/e2e-test/routes/v2/service-token.spec.ts Normal file

@ -0,0 +1,579 @@
import crypto from "node:crypto";
import { SecretType, TSecrets } from "@app/db/schemas";
import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
import { decryptAsymmetric, decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
const createServiceToken = async (
scopes: { environment: string; secretPath: string }[],
permissions: ("read" | "write")[]
) => {
const projectKeyRes = await testServer.inject({
method: "GET",
url: `/api/v2/workspace/${seedData1.project.id}/encrypted-key`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
const projectKeyEnc = JSON.parse(projectKeyRes.payload);
const userInfoRes = await testServer.inject({
method: "GET",
url: "/api/v2/users/me",
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
const { user: userInfo } = JSON.parse(userInfoRes.payload);
const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
const projectKey = decryptAsymmetric({
ciphertext: projectKeyEnc.encryptedKey,
nonce: projectKeyEnc.nonce,
publicKey: projectKeyEnc.sender.publicKey,
privateKey
});
const randomBytes = crypto.randomBytes(16).toString("hex");
const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8(projectKey, randomBytes);
const serviceTokenRes = await testServer.inject({
method: "POST",
url: "/api/v2/service-token",
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
name: "test-token",
workspaceId: seedData1.project.id,
scopes,
encryptedKey: ciphertext,
iv,
tag,
permissions,
expiresIn: null
}
});
expect(serviceTokenRes.statusCode).toBe(200);
const serviceTokenInfo = serviceTokenRes.json();
expect(serviceTokenInfo).toHaveProperty("serviceToken");
expect(serviceTokenInfo).toHaveProperty("serviceTokenData");
return `${serviceTokenInfo.serviceToken}.${randomBytes}`;
};
const deleteServiceToken = async () => {
const serviceTokenListRes = await testServer.inject({
method: "GET",
url: `/api/v1/workspace/${seedData1.project.id}/service-token-data`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(serviceTokenListRes.statusCode).toBe(200);
const serviceTokens = JSON.parse(serviceTokenListRes.payload).serviceTokenData as { name: string; id: string }[];
expect(serviceTokens.length).toBeGreaterThan(0);
const serviceTokenInfo = serviceTokens.find(({ name }) => name === "test-token");
expect(serviceTokenInfo).toBeDefined();
const deleteTokenRes = await testServer.inject({
method: "DELETE",
url: `/api/v2/service-token/${serviceTokenInfo?.id}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
}
});
expect(deleteTokenRes.statusCode).toBe(200);
};
const createSecret = async (dto: {
projectKey: string;
path: string;
key: string;
value: string;
comment: string;
type?: SecretType;
token: string;
}) => {
const createSecretReqBody = {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
type: dto.type || SecretType.Shared,
secretPath: dto.path,
...encryptSecret(dto.projectKey, dto.key, dto.value, dto.comment)
};
const createSecRes = await testServer.inject({
method: "POST",
url: `/api/v3/secrets/${dto.key}`,
headers: {
authorization: `Bearer ${dto.token}`
},
body: createSecretReqBody
});
expect(createSecRes.statusCode).toBe(200);
const createdSecretPayload = JSON.parse(createSecRes.payload);
expect(createdSecretPayload).toHaveProperty("secret");
return createdSecretPayload.secret;
};
const deleteSecret = async (dto: { path: string; key: string; token: string }) => {
const deleteSecRes = await testServer.inject({
method: "DELETE",
url: `/api/v3/secrets/${dto.key}`,
headers: {
authorization: `Bearer ${dto.token}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: dto.path
}
});
expect(deleteSecRes.statusCode).toBe(200);
const updatedSecretPayload = JSON.parse(deleteSecRes.payload);
expect(updatedSecretPayload).toHaveProperty("secret");
return updatedSecretPayload.secret;
};
describe("Service token secret ops", async () => {
let serviceToken = "";
let projectKey = "";
let folderId = "";
beforeAll(async () => {
serviceToken = await createServiceToken(
[{ secretPath: "/**", environment: seedData1.environment.slug }],
["read", "write"]
);
// this is ensure cli service token decryptiong working fine
const serviceTokenInfoRes = await testServer.inject({
method: "GET",
url: "/api/v2/service-token",
headers: {
authorization: `Bearer ${serviceToken}`
}
});
expect(serviceTokenInfoRes.statusCode).toBe(200);
const serviceTokenInfo = serviceTokenInfoRes.json();
const serviceTokenParts = serviceToken.split(".");
projectKey = decryptSymmetric128BitHexKeyUTF8({
key: serviceTokenParts[3],
tag: serviceTokenInfo.tag,
ciphertext: serviceTokenInfo.encryptedKey,
iv: serviceTokenInfo.iv
});
// create a deep folder
const folderCreate = await testServer.inject({
method: "POST",
url: `/api/v1/folders`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
name: "folder",
path: "/nested1/nested2"
}
});
expect(folderCreate.statusCode).toBe(200);
folderId = folderCreate.json().folder.id;
});
afterAll(async () => {
await deleteServiceToken();
// create a deep folder
const deleteFolder = await testServer.inject({
method: "DELETE",
url: `/api/v1/folders/${folderId}`,
headers: {
authorization: `Bearer ${jwtAuthToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
path: "/nested1/nested2"
}
});
expect(deleteFolder.statusCode).toBe(200);
});
const testSecrets = [
{
path: "/",
secret: {
key: "ST-SEC",
value: "something-secret",
comment: "some comment"
}
},
{
path: "/nested1/nested2/folder",
secret: {
key: "NESTED-ST-SEC",
value: "something-secret",
comment: "some comment"
}
}
];
const getSecrets = async (environment: string, secretPath = "/") => {
const res = await testServer.inject({
method: "GET",
url: `/api/v3/secrets`,
headers: {
authorization: `Bearer ${serviceToken}`
},
query: {
secretPath,
environment,
workspaceId: seedData1.project.id
}
});
const secrets: TSecrets[] = JSON.parse(res.payload).secrets || [];
return secrets.map((el) => ({ ...decryptSecret(projectKey, el), type: el.type }));
};
test.each(testSecrets)("Create secret in path $path", async ({ secret, path }) => {
const createdSecret = await createSecret({ projectKey, path, ...secret, token: serviceToken });
const decryptedSecret = decryptSecret(projectKey, createdSecret);
expect(decryptedSecret.key).toEqual(secret.key);
expect(decryptedSecret.value).toEqual(secret.value);
expect(decryptedSecret.comment).toEqual(secret.comment);
expect(decryptedSecret.version).toEqual(1);
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.arrayContaining([
expect.objectContaining({
key: secret.key,
value: secret.value,
type: SecretType.Shared
})
])
);
await deleteSecret({ path, key: secret.key, token: serviceToken });
});
test.each(testSecrets)("Get secret by name in path $path", async ({ secret, path }) => {
await createSecret({ projectKey, path, ...secret, token: serviceToken });
const getSecByNameRes = await testServer.inject({
method: "GET",
url: `/api/v3/secrets/${secret.key}`,
headers: {
authorization: `Bearer ${serviceToken}`
},
query: {
secretPath: path,
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug
}
});
expect(getSecByNameRes.statusCode).toBe(200);
const getSecretByNamePayload = JSON.parse(getSecByNameRes.payload);
expect(getSecretByNamePayload).toHaveProperty("secret");
const decryptedSecret = decryptSecret(projectKey, getSecretByNamePayload.secret);
expect(decryptedSecret.key).toEqual(secret.key);
expect(decryptedSecret.value).toEqual(secret.value);
expect(decryptedSecret.comment).toEqual(secret.comment);
await deleteSecret({ path, key: secret.key, token: serviceToken });
});
test.each(testSecrets)("Update secret in path $path", async ({ path, secret }) => {
await createSecret({ projectKey, path, ...secret, token: serviceToken });
const updateSecretReqBody = {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
type: SecretType.Shared,
secretPath: path,
...encryptSecret(projectKey, secret.key, "new-value", secret.comment)
};
const updateSecRes = await testServer.inject({
method: "PATCH",
url: `/api/v3/secrets/${secret.key}`,
headers: {
authorization: `Bearer ${serviceToken}`
},
body: updateSecretReqBody
});
expect(updateSecRes.statusCode).toBe(200);
const updatedSecretPayload = JSON.parse(updateSecRes.payload);
expect(updatedSecretPayload).toHaveProperty("secret");
const decryptedSecret = decryptSecret(projectKey, updatedSecretPayload.secret);
expect(decryptedSecret.key).toEqual(secret.key);
expect(decryptedSecret.value).toEqual("new-value");
expect(decryptedSecret.comment).toEqual(secret.comment);
// list secret should have updated value
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.arrayContaining([
expect.objectContaining({
key: secret.key,
value: "new-value",
type: SecretType.Shared
})
])
);
await deleteSecret({ path, key: secret.key, token: serviceToken });
});
test.each(testSecrets)("Delete secret in path $path", async ({ secret, path }) => {
await createSecret({ projectKey, path, ...secret, token: serviceToken });
const deletedSecret = await deleteSecret({ path, key: secret.key, token: serviceToken });
const decryptedSecret = decryptSecret(projectKey, deletedSecret);
expect(decryptedSecret.key).toEqual(secret.key);
// shared secret deletion should delete personal ones also
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.not.arrayContaining([
expect.objectContaining({
key: secret.key,
type: SecretType.Shared
})
])
);
});
test.each(testSecrets)("Bulk create secrets in path $path", async ({ secret, path }) => {
const createSharedSecRes = await testServer.inject({
method: "POST",
url: `/api/v3/secrets/batch`,
headers: {
authorization: `Bearer ${serviceToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: path,
secrets: Array.from(Array(5)).map((_e, i) => ({
secretName: `BULK-${secret.key}-${i + 1}`,
...encryptSecret(projectKey, `BULK-${secret.key}-${i + 1}`, secret.value, secret.comment)
}))
}
});
expect(createSharedSecRes.statusCode).toBe(200);
const createSharedSecPayload = JSON.parse(createSharedSecRes.payload);
expect(createSharedSecPayload).toHaveProperty("secrets");
// bulk ones should exist
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.arrayContaining(
Array.from(Array(5)).map((_e, i) =>
expect.objectContaining({
key: `BULK-${secret.key}-${i + 1}`,
type: SecretType.Shared
})
)
)
);
await Promise.all(
Array.from(Array(5)).map((_e, i) =>
deleteSecret({ path, token: serviceToken, key: `BULK-${secret.key}-${i + 1}` })
)
);
});
test.each(testSecrets)("Bulk create fail on existing secret in path $path", async ({ secret, path }) => {
await createSecret({ projectKey, ...secret, key: `BULK-${secret.key}-1`, path, token: serviceToken });
const createSharedSecRes = await testServer.inject({
method: "POST",
url: `/api/v3/secrets/batch`,
headers: {
authorization: `Bearer ${serviceToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: path,
secrets: Array.from(Array(5)).map((_e, i) => ({
secretName: `BULK-${secret.key}-${i + 1}`,
...encryptSecret(projectKey, `BULK-${secret.key}-${i + 1}`, secret.value, secret.comment)
}))
}
});
expect(createSharedSecRes.statusCode).toBe(400);
await deleteSecret({ path, key: `BULK-${secret.key}-1`, token: serviceToken });
});
test.each(testSecrets)("Bulk update secrets in path $path", async ({ secret, path }) => {
await Promise.all(
Array.from(Array(5)).map((_e, i) =>
createSecret({ projectKey, token: serviceToken, ...secret, key: `BULK-${secret.key}-${i + 1}`, path })
)
);
const updateSharedSecRes = await testServer.inject({
method: "PATCH",
url: `/api/v3/secrets/batch`,
headers: {
authorization: `Bearer ${serviceToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: path,
secrets: Array.from(Array(5)).map((_e, i) => ({
secretName: `BULK-${secret.key}-${i + 1}`,
...encryptSecret(projectKey, `BULK-${secret.key}-${i + 1}`, "update-value", secret.comment)
}))
}
});
expect(updateSharedSecRes.statusCode).toBe(200);
const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
expect(updateSharedSecPayload).toHaveProperty("secrets");
// bulk ones should exist
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.arrayContaining(
Array.from(Array(5)).map((_e, i) =>
expect.objectContaining({
key: `BULK-${secret.key}-${i + 1}`,
value: "update-value",
type: SecretType.Shared
})
)
)
);
await Promise.all(
Array.from(Array(5)).map((_e, i) =>
deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}`, token: serviceToken })
)
);
});
test.each(testSecrets)("Bulk delete secrets in path $path", async ({ secret, path }) => {
await Promise.all(
Array.from(Array(5)).map((_e, i) =>
createSecret({ projectKey, token: serviceToken, ...secret, key: `BULK-${secret.key}-${i + 1}`, path })
)
);
const deletedSharedSecRes = await testServer.inject({
method: "DELETE",
url: `/api/v3/secrets/batch`,
headers: {
authorization: `Bearer ${serviceToken}`
},
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: path,
secrets: Array.from(Array(5)).map((_e, i) => ({
secretName: `BULK-${secret.key}-${i + 1}`
}))
}
});
expect(deletedSharedSecRes.statusCode).toBe(200);
const deletedSecretPayload = JSON.parse(deletedSharedSecRes.payload);
expect(deletedSecretPayload).toHaveProperty("secrets");
// bulk ones should exist
const secrets = await getSecrets(seedData1.environment.slug, path);
expect(secrets).toEqual(
expect.not.arrayContaining(
Array.from(Array(5)).map((_e, i) =>
expect.objectContaining({
key: `BULK-${secret.value}-${i + 1}`,
type: SecretType.Shared
})
)
)
);
});
});
describe("Service token fail cases", async () => {
test("Unauthorized secret path access", async () => {
const serviceToken = await createServiceToken(
[{ secretPath: "/", environment: seedData1.environment.slug }],
["read", "write"]
);
const fetchSecrets = await testServer.inject({
method: "GET",
url: "/api/v3/secrets",
query: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: "/nested/deep"
},
headers: {
authorization: `Bearer ${serviceToken}`
}
});
expect(fetchSecrets.statusCode).toBe(401);
expect(fetchSecrets.json().error).toBe("PermissionDenied");
await deleteServiceToken();
});
test("Unauthorized secret environment access", async () => {
const serviceToken = await createServiceToken(
[{ secretPath: "/", environment: seedData1.environment.slug }],
["read", "write"]
);
const fetchSecrets = await testServer.inject({
method: "GET",
url: "/api/v3/secrets",
query: {
workspaceId: seedData1.project.id,
environment: "prod",
secretPath: "/"
},
headers: {
authorization: `Bearer ${serviceToken}`
}
});
expect(fetchSecrets.statusCode).toBe(401);
expect(fetchSecrets.json().error).toBe("PermissionDenied");
await deleteServiceToken();
});
test("Unauthorized write operation", async () => {
const serviceToken = await createServiceToken(
[{ secretPath: "/", environment: seedData1.environment.slug }],
["read"]
);
const writeSecrets = await testServer.inject({
method: "POST",
url: `/api/v3/secrets/NEW`,
body: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
type: SecretType.Shared,
secretPath: "/",
// doesn't matter project key because this will fail before that due to read only access
...encryptSecret(crypto.randomBytes(16).toString("hex"), "NEW", "value", "")
},
headers: {
authorization: `Bearer ${serviceToken}`
}
});
expect(writeSecrets.statusCode).toBe(401);
expect(writeSecrets.json().error).toBe("PermissionDenied");
// but read access should still work fine
const fetchSecrets = await testServer.inject({
method: "GET",
url: "/api/v3/secrets",
query: {
workspaceId: seedData1.project.id,
environment: seedData1.environment.slug,
secretPath: "/"
},
headers: {
authorization: `Bearer ${serviceToken}`
}
});
expect(fetchSecrets.statusCode).toBe(200);
await deleteServiceToken();
});
});

1008
backend/e2e-test/routes/v3/secrets.spec.ts

File diff suppressed because it is too large Load Diff

29
backend/e2e-test/vitest-environment-knex.ts

@ -1,26 +1,30 @@
// import { main } from "@app/server/app";
import { initEnvConfig } from "@app/lib/config/env";
// eslint-disable-next-line
import "ts-node/register";
import dotenv from "dotenv";
import jwt from "jsonwebtoken";
import knex from "knex";
import path from "path";
import { mockSmtpServer } from "./mocks/smtp";
import { initLogger } from "@app/lib/logger";
import jwt from "jsonwebtoken";
import "ts-node/register";
import { main } from "@app/server/app";
import { mockQueue } from "./mocks/queue";
import { AuthTokenType } from "@app/services/auth/auth-type";
import { seedData1 } from "@app/db/seed-data";
import { initEnvConfig } from "@app/lib/config/env";
import { initLogger } from "@app/lib/logger";
import { main } from "@app/server/app";
import { AuthTokenType } from "@app/services/auth/auth-type";
dotenv.config({ path: path.join(__dirname, "../.env.test") });
import { mockQueue } from "./mocks/queue";
import { mockSmtpServer } from "./mocks/smtp";
dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
export default {
name: "knex-env",
transformMode: "ssr",
async setup() {
const logger = await initLogger();
const cfg = initEnvConfig(logger);
const db = knex({
client: "pg",
connection: process.env.DB_CONNECTION_URI,
connection: cfg.DB_CONNECTION_URI,
migrations: {
directory: path.join(__dirname, "../src/db/migrations"),
extension: "ts",
@ -37,8 +41,6 @@ export default {
await db.seed.run();
const smtp = mockSmtpServer();
const queue = mockQueue();
const logger = await initLogger();
const cfg = initEnvConfig(logger);
const server = await main({ db, smtp, logger, queue });
// @ts-expect-error type
globalThis.testServer = server;
@ -54,6 +56,7 @@ export default {
{ expiresIn: cfg.JWT_AUTH_LIFETIME }
);
} catch (error) {
console.log("[TEST] Error setting up environment", error);
await db.destroy();
throw error;
}

2290
backend/package-lock.json generated

File diff suppressed because it is too large Load Diff

35
backend/package.json

@ -24,8 +24,8 @@
"migration:latest": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
"migration:rollback": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
"seed:new": "tsx ./scripts/create-seed-file.ts",
"seed:run": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
"db:reset": "npm run migration:rollback -- --all && npm run migration:latest && npm run seed:run"
"seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
"db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
},
"keywords": [],
"author": "",
@ -67,21 +67,21 @@
"tsx": "^4.4.0",
"typescript": "^5.3.2",
"vite-tsconfig-paths": "^4.2.2",
"vitest": "^1.0.4"
"vitest": "^1.2.2"
},
"dependencies": {
"@aws-sdk/client-secrets-manager": "^3.485.0",
"@aws-sdk/client-secrets-manager": "^3.504.0",
"@casl/ability": "^6.5.0",
"@fastify/cookie": "^9.2.0",
"@fastify/cors": "^8.4.1",
"@fastify/cors": "^8.5.0",
"@fastify/etag": "^5.1.0",
"@fastify/formbody": "^7.4.0",
"@fastify/helmet": "^11.1.1",
"@fastify/passport": "^2.4.0",
"@fastify/rate-limit": "^9.0.0",
"@fastify/session": "^10.7.0",
"@fastify/swagger": "^8.12.0",
"@fastify/swagger-ui": "^1.10.1",
"@fastify/swagger": "^8.14.0",
"@fastify/swagger-ui": "^2.1.0",
"@node-saml/passport-saml": "^4.0.4",
"@octokit/rest": "^20.0.2",
"@octokit/webhooks-types": "^7.3.1",
@ -90,13 +90,13 @@
"@ucast/mongo2js": "^1.3.4",
"ajv": "^8.12.0",
"argon2": "^0.31.2",
"aws-sdk": "^2.1532.0",
"axios": "^1.6.2",
"aws-sdk": "^2.1549.0",
"axios": "^1.6.7",
"axios-retry": "^4.0.0",
"bcrypt": "^5.1.1",
"bullmq": "^5.1.1",
"dotenv": "^16.3.1",
"fastify": "^4.24.3",
"bullmq": "^5.1.6",
"dotenv": "^16.4.1",
"fastify": "^4.26.0",
"fastify-plugin": "^4.5.1",
"handlebars": "^4.7.8",
"ioredis": "^5.3.2",
@ -106,10 +106,11 @@
"knex": "^3.0.1",
"libsodium-wrappers": "^0.7.13",
"lodash.isequal": "^4.5.0",
"mysql2": "^3.6.5",
"mysql2": "^3.9.1",
"nanoid": "^5.0.4",
"node-cache": "^5.1.2",
"nodemailer": "^6.9.7",
"nodemailer": "^6.9.9",
"ora": "^7.0.1",
"passport-github": "^1.1.0",
"passport-gitlab2": "^5.0.0",
"passport-google-oauth20": "^2.0.0",
@ -117,12 +118,12 @@
"picomatch": "^3.0.1",
"pino": "^8.16.2",
"posthog-node": "^3.6.0",
"probot": "^12.3.3",
"probot": "^13.0.0",
"smee-client": "^2.0.0",
"tweetnacl": "^1.0.3",
"tweetnacl-util": "^0.15.1",
"uuid": "^9.0.1",
"zod": "^3.22.4",
"zod-to-json-schema": "^3.22.0"
"zod-to-json-schema": "^3.22.4"
}
}
}

9
backend/scripts/create-seed-file.ts

@ -7,11 +7,10 @@ import promptSync from "prompt-sync";
const prompt = promptSync({ sigint: true });
const migrationName = prompt("Enter name for seedfile: ");
const fileCounter = readdirSync(path.join(__dirname, "../src/db/seed")).length || 1;
const fileCounter = readdirSync(path.join(__dirname, "../src/db/seeds")).length || 1;
execSync(
`npx knex seed:make --knexfile ${path.join(
__dirname,
"../src/db/knexfile.ts"
)} -x ts ${fileCounter}-${migrationName}`,
`npx knex seed:make --knexfile ${path.join(__dirname, "../src/db/knexfile.ts")} -x ts ${
fileCounter + 1
}-${migrationName}`,
{ stdio: "inherit" }
);

35
backend/scripts/generate-schema-types.ts

@ -3,13 +3,9 @@ import dotenv from "dotenv";
import path from "path";
import knex from "knex";
import { writeFileSync } from "fs";
import promptSync from "prompt-sync";
const prompt = promptSync({ sigint: true });
dotenv.config({
path: path.join(__dirname, "../.env"),
debug: true
path: path.join(__dirname, "../../.env.migration")
});
const db = knex({
@ -94,17 +90,7 @@ const main = async () => {
.orderBy("table_name")
).filter((el) => !el.tableName.includes("_migrations"));
console.log("Select a table to generate schema");
console.table(tables);
console.log("all: all tables");
const selectedTables = prompt("Type table numbers comma seperated: ");
const tableNumbers =
selectedTables !== "all" ? selectedTables.split(",").map((el) => Number(el)) : [];
for (let i = 0; i < tables.length; i += 1) {
// skip if not desired table
if (selectedTables !== "all" && !tableNumbers.includes(i)) continue;
const { tableName } = tables[i];
const columns = await db(tableName).columnInfo();
const columnNames = Object.keys(columns);
@ -124,16 +110,16 @@ const main = async () => {
if (colInfo.nullable) {
ztype = ztype.concat(".nullable().optional()");
}
schema = schema.concat(`${!schema ? "\n" : ""} ${columnName}: ${ztype},\n`);
schema = schema.concat(
`${!schema ? "\n" : ""} ${columnName}: ${ztype}${colNum === columnNames.length - 1 ? "" : ","}\n`
);
}
const dashcase = tableName.split("_").join("-");
const pascalCase = tableName
.split("_")
.reduce(
(prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`,
""
);
.reduce((prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`, "");
writeFileSync(
path.join(__dirname, "../src/db/schemas", `${dashcase}.ts`),
`// Code generated by automation script, DO NOT EDIT.
@ -152,15 +138,6 @@ export type T${pascalCase}Insert = Omit<T${pascalCase}, TImmutableDBKeys>;
export type T${pascalCase}Update = Partial<Omit<T${pascalCase}, TImmutableDBKeys>>;
`
);
// const file = readFileSync(path.join(__dirname, "../src/db/schemas/index.ts"), "utf8");
// if (!file.includes(`export * from "./${dashcase};"`)) {
// appendFileSync(
// path.join(__dirname, "../src/db/schemas/index.ts"),
// `\nexport * from "./${dashcase}";`,
// "utf8"
// );
// }
}
process.exit(0);

2
backend/src/@types/fastify.d.ts vendored

@ -6,6 +6,7 @@ import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
@ -105,6 +106,7 @@ declare module "fastify" {
secretRotation: TSecretRotationServiceFactory;
snapshot: TSecretSnapshotServiceFactory;
saml: TSamlConfigServiceFactory;
scim: TScimServiceFactory;
auditLog: TAuditLogServiceFactory;
secretScanning: TSecretScanningServiceFactory;
license: TLicenseServiceFactory;

4
backend/src/@types/knex.d.ts vendored

@ -83,6 +83,9 @@ import {
TSamlConfigs,
TSamlConfigsInsert,
TSamlConfigsUpdate,
TScimTokens,
TScimTokensInsert,
TScimTokensUpdate,
TSecretApprovalPolicies,
TSecretApprovalPoliciesApprovers,
TSecretApprovalPoliciesApproversInsert,
@ -262,6 +265,7 @@ declare module "knex/types/tables" {
TIdentityProjectMembershipsInsert,
TIdentityProjectMembershipsUpdate
>;
[TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
[TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
TSecretApprovalPolicies,
TSecretApprovalPoliciesInsert,

8
backend/src/db/knexfile.ts

@ -5,9 +5,13 @@ import dotenv from "dotenv";
import type { Knex } from "knex";
import path from "path";
// Update with your config settings.
// Update with your config settings. .
dotenv.config({
path: path.join(__dirname, "../../.env"),
path: path.join(__dirname, "../../../.env.migration"),
debug: true
});
dotenv.config({
path: path.join(__dirname, "../../../.env"),
debug: true
});
export default {

31
backend/src/db/migrations/20240208234120_scim-token.ts Normal file

@ -0,0 +1,31 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
export async function up(knex: Knex): Promise<void> {
if (!(await knex.schema.hasTable(TableName.ScimToken))) {
await knex.schema.createTable(TableName.ScimToken, (t) => {
t.string("id", 36).primary().defaultTo(knex.fn.uuid());
t.bigInteger("ttlDays").defaultTo(365).notNullable();
t.string("description").notNullable();
t.uuid("orgId").notNullable();
t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
t.timestamps(true, true, true);
});
}
await knex.schema.alterTable(TableName.Organization, (t) => {
t.boolean("scimEnabled").defaultTo(false);
});
await createOnUpdateTrigger(knex, TableName.ScimToken);
}
export async function down(knex: Knex): Promise<void> {
await knex.schema.dropTableIfExists(TableName.ScimToken);
await dropOnUpdateTrigger(knex, TableName.ScimToken);
await knex.schema.alterTable(TableName.Organization, (t) => {
t.dropColumn("scimEnabled");
});
}

39
backend/src/db/migrations/20240216154123_ghost_users.ts Normal file

@ -0,0 +1,39 @@
import { Knex } from "knex";
import { ProjectVersion, TableName } from "../schemas";
export async function up(knex: Knex): Promise<void> {
const hasGhostUserColumn = await knex.schema.hasColumn(TableName.Users, "isGhost");
const hasProjectVersionColumn = await knex.schema.hasColumn(TableName.Project, "version");
if (!hasGhostUserColumn) {
await knex.schema.alterTable(TableName.Users, (t) => {
t.boolean("isGhost").defaultTo(false).notNullable();
});
}
if (!hasProjectVersionColumn) {
await knex.schema.alterTable(TableName.Project, (t) => {
t.integer("version").defaultTo(ProjectVersion.V1).notNullable();
t.string("upgradeStatus").nullable();
});
}
}
export async function down(knex: Knex): Promise<void> {
const hasGhostUserColumn = await knex.schema.hasColumn(TableName.Users, "isGhost");
const hasProjectVersionColumn = await knex.schema.hasColumn(TableName.Project, "version");
if (hasGhostUserColumn) {
await knex.schema.alterTable(TableName.Users, (t) => {
t.dropColumn("isGhost");
});
}
if (hasProjectVersionColumn) {
await knex.schema.alterTable(TableName.Project, (t) => {
t.dropColumn("version");
t.dropColumn("upgradeStatus");
});
}
}

20
backend/src/db/migrations/20240222201806_admin-signup-control.ts Normal file

@ -0,0 +1,20 @@
import { Knex } from "knex";
import { TableName } from "../schemas";
export async function up(knex: Knex): Promise<void> {
const isTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
if (isTablePresent) {
await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
t.string("allowedSignUpDomain");
});
}
}
export async function down(knex: Knex): Promise<void> {
if (await knex.schema.hasColumn(TableName.SuperAdmin, "allowedSignUpDomain")) {
await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
t.dropColumn("allowedSignUpDomain");
});
}
}

1
backend/src/db/schemas/index.ts

@ -26,6 +26,7 @@ export * from "./project-memberships";
export * from "./project-roles";
export * from "./projects";
export * from "./saml-configs";
export * from "./scim-tokens";
export * from "./secret-approval-policies";
export * from "./secret-approval-policies-approvers";
export * from "./secret-approval-request-secret-tags";

12
backend/src/db/schemas/models.ts

@ -40,6 +40,7 @@ export enum TableName {
IdentityUaClientSecret = "identity_ua_client_secrets",
IdentityOrgMembership = "identity_org_memberships",
IdentityProjectMembership = "identity_project_memberships",
ScimToken = "scim_tokens",
SecretApprovalPolicy = "secret_approval_policies",
SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
SecretApprovalRequest = "secret_approval_requests",
@ -111,6 +112,17 @@ export enum SecretType {
Personal = "personal"
}
export enum ProjectVersion {
V1 = 1,
V2 = 2
}
export enum ProjectUpgradeStatus {
InProgress = "IN_PROGRESS",
// Completed -> Will be null if completed. So a completed status is not needed
Failed = "FAILED"
}
export enum IdentityAuthMethod {
Univeral = "universal-auth"
}

3
backend/src/db/schemas/organizations.ts

@ -14,7 +14,8 @@ export const OrganizationsSchema = z.object({
slug: z.string(),
createdAt: z.date(),
updatedAt: z.date(),
authEnforced: z.boolean().default(false).nullable().optional()
authEnforced: z.boolean().default(false).nullable().optional(),
scimEnabled: z.boolean().default(false).nullable().optional()
});
export type TOrganizations = z.infer<typeof OrganizationsSchema>;

4
backend/src/db/schemas/projects.ts

@ -14,7 +14,9 @@ export const ProjectsSchema = z.object({
autoCapitalization: z.boolean().default(true).nullable().optional(),
orgId: z.string().uuid(),
createdAt: z.date(),
updatedAt: z.date()
updatedAt: z.date(),
version: z.number().default(1),
upgradeStatus: z.string().nullable().optional()
});
export type TProjects = z.infer<typeof ProjectsSchema>;

21
backend/src/db/schemas/scim-tokens.ts Normal file

@ -0,0 +1,21 @@
// Code generated by automation script, DO NOT EDIT.
// Automated by pulling database and generating zod schema
// To update. Just run npm run generate:schema
// Written by akhilmhdh.
import { z } from "zod";
import { TImmutableDBKeys } from "./models";
export const ScimTokensSchema = z.object({
id: z.string(),
ttlDays: z.coerce.number().default(365),
description: z.string(),
orgId: z.string().uuid(),
createdAt: z.date(),
updatedAt: z.date()
});
export type TScimTokens = z.infer<typeof ScimTokensSchema>;
export type TScimTokensInsert = Omit<TScimTokens, TImmutableDBKeys>;
export type TScimTokensUpdate = Partial<Omit<TScimTokens, TImmutableDBKeys>>;

3
backend/src/db/schemas/super-admin.ts

@ -12,7 +12,8 @@ export const SuperAdminSchema = z.object({
initialized: z.boolean().default(false).nullable().optional(),
allowSignUp: z.boolean().default(true).nullable().optional(),
createdAt: z.date(),
updatedAt: z.date()
updatedAt: z.date(),
allowedSignUpDomain: z.string().nullable().optional()
});
export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

3
backend/src/db/schemas/users.ts

@ -19,7 +19,8 @@ export const UsersSchema = z.object({
mfaMethods: z.string().array().nullable().optional(),
devices: z.unknown().nullable().optional(),
createdAt: z.date(),
updatedAt: z.date()
updatedAt: z.date(),
isGhost: z.boolean().default(false)
});
export type TUsers = z.infer<typeof UsersSchema>;

127
backend/src/db/seed-data.ts

@ -1,3 +1,4 @@
/* eslint-disable import/no-mutable-exports */
import crypto from "node:crypto";
import argon2, { argon2id } from "argon2";
@ -6,17 +7,21 @@ import nacl from "tweetnacl";
import { encodeBase64 } from "tweetnacl-util";
import {
decryptAsymmetric,
// decryptAsymmetric,
decryptSymmetric,
decryptSymmetric128BitHexKeyUTF8,
encryptAsymmetric,
encryptSymmetric
encryptSymmetric128BitHexKeyUTF8
} from "@app/lib/crypto";
import { TUserEncryptionKeys } from "./schemas";
import { TSecrets, TUserEncryptionKeys } from "./schemas";
export let userPrivateKey: string | undefined;
export let userPublicKey: string | undefined;
export const seedData1 = {
id: "3dafd81d-4388-432b-a4c5-f735616868c1",
email: "test@localhost.local",
email: process.env.TEST_USER_EMAIL || "test@localhost.local",
password: process.env.TEST_USER_PASSWORD || "testInfisical@1",
organization: {
id: "180870b7-f464-4740-8ffe-9d11c9245ea7",
@ -31,8 +36,22 @@ export const seedData1 = {
name: "Development",
slug: "dev"
},
machineIdentity: {
id: "88fa7aed-9288-401e-a4c9-fa9430be62a0",
name: "mac1",
clientCredentials: {
id: "3f6135db-f237-421d-af66-a8f4e80d443b",
secret: "da35a5a5a7b57f977a9a73394506e878a7175d06606df43dc93e1472b10cf339"
}
},
token: {
id: "a9dfafba-a3b7-42e3-8618-91abb702fd36"
},
// We set these values during user creation, and later re-use them during project seeding.
encryptionKeys: {
publicKey: "",
privateKey: ""
}
};
@ -73,7 +92,7 @@ export const generateUserSrpKeys = async (password: string) => {
ciphertext: encryptedPrivateKey,
iv: encryptedPrivateKeyIV,
tag: encryptedPrivateKeyTag
} = encryptSymmetric(privateKey, key.toString("base64"));
} = encryptSymmetric128BitHexKeyUTF8(privateKey, key);
// create the protected key by encrypting the symmetric key
// [key] with the derived key
@ -81,7 +100,7 @@ export const generateUserSrpKeys = async (password: string) => {
ciphertext: protectedKey,
iv: protectedKeyIV,
tag: protectedKeyTag
} = encryptSymmetric(key.toString("hex"), derivedKey.toString("base64"));
} = encryptSymmetric128BitHexKeyUTF8(key.toString("hex"), derivedKey);
return {
protectedKey,
@ -107,32 +126,102 @@ export const getUserPrivateKey = async (password: string, user: TUserEncryptionK
raw: true
});
if (!derivedKey) throw new Error("Failed to derive key from password");
const key = decryptSymmetric({
const key = decryptSymmetric128BitHexKeyUTF8({
ciphertext: user.protectedKey as string,
iv: user.protectedKeyIV as string,
tag: user.protectedKeyTag as string,
key: derivedKey.toString("base64")
key: derivedKey
});
const privateKey = decryptSymmetric({
const privateKey = decryptSymmetric128BitHexKeyUTF8({
ciphertext: user.encryptedPrivateKey,
iv: user.iv,
tag: user.tag,
key
key: Buffer.from(key, "hex")
});
return privateKey;
};
export const buildUserProjectKey = async (privateKey: string, publickey: string) => {
export const buildUserProjectKey = (privateKey: string, publickey: string) => {
const randomBytes = crypto.randomBytes(16).toString("hex");
const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
return { nonce, ciphertext };
};
// export const getUserProjectKey = async (privateKey: string) => {
// const key = decryptAsymmetric({
// ciphertext: decryptFileKey.encryptedKey,
// nonce: decryptFileKey.nonce,
// publicKey: decryptFileKey.sender.publicKey,
// privateKey: PRIVATE_KEY
// });
// };
export const getUserProjectKey = async (privateKey: string, ciphertext: string, nonce: string, publicKey: string) => {
return decryptAsymmetric({
ciphertext,
nonce,
publicKey,
privateKey
});
};
export const encryptSecret = (encKey: string, key: string, value?: string, comment?: string) => {
// encrypt key
const {
ciphertext: secretKeyCiphertext,
iv: secretKeyIV,
tag: secretKeyTag
} = encryptSymmetric128BitHexKeyUTF8(key, encKey);
// encrypt value
const {
ciphertext: secretValueCiphertext,
iv: secretValueIV,
tag: secretValueTag
} = encryptSymmetric128BitHexKeyUTF8(value ?? "", encKey);
// encrypt comment
const {
ciphertext: secretCommentCiphertext,
iv: secretCommentIV,
tag: secretCommentTag
} = encryptSymmetric128BitHexKeyUTF8(comment ?? "", encKey);
return {
secretKeyCiphertext,
secretKeyIV,
secretKeyTag,
secretValueCiphertext,
secretValueIV,
secretValueTag,
secretCommentCiphertext,
secretCommentIV,
secretCommentTag
};
};
export const decryptSecret = (decryptKey: string, encSecret: TSecrets) => {
const secretKey = decryptSymmetric128BitHexKeyUTF8({
key: decryptKey,
ciphertext: encSecret.secretKeyCiphertext,
tag: encSecret.secretKeyTag,
iv: encSecret.secretKeyIV
});
const secretValue = decryptSymmetric128BitHexKeyUTF8({
key: decryptKey,
ciphertext: encSecret.secretValueCiphertext,
tag: encSecret.secretValueTag,
iv: encSecret.secretValueIV
});
const secretComment =
encSecret.secretCommentIV && encSecret.secretCommentTag && encSecret.secretCommentCiphertext
? decryptSymmetric128BitHexKeyUTF8({
key: decryptKey,
ciphertext: encSecret.secretCommentCiphertext,
tag: encSecret.secretCommentTag,
iv: encSecret.secretCommentIV
})
: "";
return {
key: secretKey,
value: secretValue,
comment: secretComment,
version: encSecret.version
};
};

6
backend/src/db/seeds/1-user.ts

@ -14,7 +14,8 @@ export async function seed(knex: Knex): Promise<void> {
const [user] = await knex(TableName.Users)
.insert([
{
// @ts-expect-error exluded type id needs to be inserted here to keep it testable
// eslint-disable-next-line
// @ts-ignore
id: seedData1.id,
email: seedData1.email,
superAdmin: true,
@ -48,7 +49,8 @@ export async function seed(knex: Knex): Promise<void> {
]);
await knex(TableName.AuthTokenSession).insert({
// @ts-expect-error exluded type id needs to be inserted here to keep it testable
// eslint-disable-next-line
// @ts-ignore
id: seedData1.token.id,
userId: seedData1.id,
ip: "151.196.220.213",

3
backend/src/db/seeds/2-org.ts

@ -14,7 +14,8 @@ export async function seed(knex: Knex): Promise<void> {
const [org] = await knex(TableName.Organization)
.insert([
{
// @ts-expect-error exluded type id needs to be inserted here to keep it testable
// eslint-disable-next-line
// @ts-ignore
id: seedData1.organization.id,
name: "infisical",
slug: "infisical",

46
backend/src/db/seeds/3-project.ts

@ -1,7 +1,11 @@
import crypto from "node:crypto";
import { Knex } from "knex";
import { OrgMembershipRole, TableName } from "../schemas";
import { seedData1 } from "../seed-data";
import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
import { OrgMembershipRole, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
export const DEFAULT_PROJECT_ENVS = [
{ name: "Development", slug: "dev" },
@ -20,21 +24,32 @@ export async function seed(knex: Knex): Promise<void> {
name: seedData1.project.name,
orgId: seedData1.organization.id,
slug: "first-project",
// @ts-expect-error exluded type id needs to be inserted here to keep it testable
// eslint-disable-next-line
// @ts-ignore
id: seedData1.project.id
})
.returning("*");
// await knex(TableName.ProjectKeys).insert({
// projectId: project.id,
// senderId: seedData1.id
// });
await knex(TableName.ProjectMembership).insert({
projectId: project.id,
role: OrgMembershipRole.Admin,
userId: seedData1.id
});
const user = await knex(TableName.UserEncryptionKey).where({ userId: seedData1.id }).first();
if (!user) throw new Error("User not found");
const userPrivateKey = await getUserPrivateKey(seedData1.password, user);
const projectKey = buildUserProjectKey(userPrivateKey, user.publicKey);
await knex(TableName.ProjectKeys).insert({
projectId: project.id,
nonce: projectKey.nonce,
encryptedKey: projectKey.ciphertext,
receiverId: seedData1.id,
senderId: seedData1.id
});
// create default environments and default folders
const envs = await knex(TableName.Environment)
.insert(
DEFAULT_PROJECT_ENVS.map(({ name, slug }, index) => ({
@ -46,4 +61,19 @@ export async function seed(knex: Knex): Promise<void> {
)
.returning("*");
await knex(TableName.SecretFolder).insert(envs.map(({ id }) => ({ name: "root", envId: id, parentId: null })));
// save secret secret blind index
const encKey = process.env.ENCRYPTION_KEY;
if (!encKey) throw new Error("Missing ENCRYPTION_KEY");
const salt = crypto.randomBytes(16).toString("base64");
const secretBlindIndex = encryptSymmetric128BitHexKeyUTF8(salt, encKey);
// insert secret blind index for project
await knex(TableName.SecretBlindIndex).insert({
projectId: project.id,
encryptedSaltCipherText: secretBlindIndex.ciphertext,
saltIV: secretBlindIndex.iv,
saltTag: secretBlindIndex.tag,
algorithm: SecretEncryptionAlgo.AES_256_GCM,
keyEncoding: SecretKeyEncoding.UTF8
});
}

83
backend/src/db/seeds/4-machine-identity.ts Normal file

@ -0,0 +1,83 @@
import bcrypt from "bcrypt";
import { Knex } from "knex";
import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
import { seedData1 } from "../seed-data";
export async function seed(knex: Knex): Promise<void> {
// Deletes ALL existing entries
await knex(TableName.Identity).del();
await knex(TableName.IdentityOrgMembership).del();
// Inserts seed entries
await knex(TableName.Identity).insert([
{
// eslint-disable-next-line
// @ts-ignore
id: seedData1.machineIdentity.id,
name: seedData1.machineIdentity.name,
authMethod: IdentityAuthMethod.Univeral
}
]);
const identityUa = await knex(TableName.IdentityUniversalAuth)
.insert([
{
identityId: seedData1.machineIdentity.id,
clientId: seedData1.machineIdentity.clientCredentials.id,
clientSecretTrustedIps: JSON.stringify([
{
type: "ipv4",
prefix: 0,
ipAddress: "0.0.0.0"
},
{
type: "ipv6",
prefix: 0,
ipAddress: "::"
}
]),
accessTokenTrustedIps: JSON.stringify([
{
type: "ipv4",
prefix: 0,
ipAddress: "0.0.0.0"
},
{
type: "ipv6",
prefix: 0,
ipAddress: "::"
}
]),
accessTokenTTL: 2592000,
accessTokenMaxTTL: 2592000,
accessTokenNumUsesLimit: 0
}
])
.returning("*");
const clientSecretHash = await bcrypt.hash(seedData1.machineIdentity.clientCredentials.secret, 10);
await knex(TableName.IdentityUaClientSecret).insert([
{
identityUAId: identityUa[0].id,
description: "",
clientSecretTTL: 0,
clientSecretNumUses: 0,
clientSecretNumUsesLimit: 0,
clientSecretPrefix: seedData1.machineIdentity.clientCredentials.secret.slice(0, 4),
clientSecretHash,
isClientSecretRevoked: false
}
]);
await knex(TableName.IdentityOrgMembership).insert([
{
identityId: seedData1.machineIdentity.id,
orgId: seedData1.organization.id,
role: OrgMembershipRole.Admin
}
]);
await knex(TableName.IdentityProjectMembership).insert({
identityId: seedData1.machineIdentity.id,
role: ProjectMembershipRole.Admin,
projectId: seedData1.project.id
});
}

2
backend/src/ee/routes/v1/index.ts

@ -3,6 +3,7 @@ import { registerOrgRoleRouter } from "./org-role-router";
import { registerProjectRoleRouter } from "./project-role-router";
import { registerProjectRouter } from "./project-router";
import { registerSamlRouter } from "./saml-router";
import { registerScimRouter } from "./scim-router";
import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-router";
import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
@ -33,6 +34,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
prefix: "/secret-rotation-providers"
});
await server.register(registerSamlRouter, { prefix: "/sso" });
await server.register(registerScimRouter, { prefix: "/scim" });
await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
await server.register(registerSecretVersionRouter, { prefix: "/secret" });

14
backend/src/ee/routes/v1/project-router.ts

@ -11,6 +11,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/:workspaceId/secret-snapshots",
schema: {
description: "Return project secret snapshots ids",
security: [
{
apiKeyAuth: [],
bearerAuth: []
}
],
params: z.object({
workspaceId: z.string().trim()
}),
@ -74,6 +81,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/:workspaceId/audit-logs",
schema: {
description: "Return audit logs",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim()
}),

5
backend/src/ee/routes/v1/saml-router.ts

@ -19,7 +19,6 @@ import { BadRequestError } from "@app/lib/errors";
import { logger } from "@app/lib/logger";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import { getServerCfg } from "@app/services/super-admin/super-admin-service";
type TSAMLConfig = {
callbackUrl: string;
@ -28,6 +27,7 @@ type TSAMLConfig = {
cert: string;
audience: string;
wantAuthnResponseSigned?: boolean;
disableRequestedAuthnContext?: boolean;
};
export const registerSamlRouter = async (server: FastifyZodProvider) => {
@ -77,6 +77,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
samlConfig.wantAuthnResponseSigned = false;
}
if (ssoConfig.authProvider === SamlProviders.AZURE_SAML) {
samlConfig.disableRequestedAuthnContext = true;
if (req.body?.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
samlConfig.audience = `spn:${ssoConfig.issuer}`;
}
@ -92,7 +93,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
// eslint-disable-next-line
async (req, profile, cb) => {
try {
const serverCfg = await getServerCfg();
if (!profile) throw new BadRequestError({ message: "Missing profile" });
const { firstName } = profile;
const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved
@ -105,7 +105,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
email,
firstName: profile.firstName as string,
lastName: profile.lastName as string,
isSignupAllowed: Boolean(serverCfg.allowSignUp),
relayState: (req.body as { RelayState?: string }).RelayState,
authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string

331
backend/src/ee/routes/v1/scim-router.ts Normal file

@ -0,0 +1,331 @@
import { z } from "zod";
import { ScimTokensSchema } from "@app/db/schemas";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
export const registerScimRouter = async (server: FastifyZodProvider) => {
server.addContentTypeParser("application/scim+json", { parseAs: "string" }, (_, body, done) => {
try {
const strBody = body instanceof Buffer ? body.toString() : body;
const json: unknown = JSON.parse(strBody);
done(null, json);
} catch (err) {
const error = err as Error;
done(error, undefined);
}
});
server.route({
url: "/scim-tokens",
method: "POST",
onRequest: verifyAuth([AuthMode.JWT]),
schema: {
body: z.object({
organizationId: z.string().trim(),
description: z.string().trim().default(""),
ttlDays: z.number().min(0).default(0)
}),
response: {
200: z.object({
scimToken: z.string().trim()
})
}
},
handler: async (req) => {
const { scimToken } = await server.services.scim.createScimToken({
actor: req.permission.type,
actorId: req.permission.id,
actorOrgId: req.permission.orgId,
orgId: req.body.organizationId,
description: req.body.description,
ttlDays: req.body.ttlDays
});
return { scimToken };
}
});
server.route({
url: "/scim-tokens",
method: "GET",
onRequest: verifyAuth([AuthMode.JWT]),
schema: {
querystring: z.object({
organizationId: z.string().trim()
}),
response: {
200: z.object({
scimTokens: z.array(ScimTokensSchema)
})
}
},
handler: async (req) => {
const scimTokens = await server.services.scim.listScimTokens({
actor: req.permission.type,
actorId: req.permission.id,
actorOrgId: req.permission.orgId,
orgId: req.query.organizationId
});
return { scimTokens };
}
});
server.route({
url: "/scim-tokens/:scimTokenId",
method: "DELETE",
onRequest: verifyAuth([AuthMode.JWT]),
schema: {
params: z.object({
scimTokenId: z.string().trim()
}),
response: {
200: z.object({
scimToken: ScimTokensSchema
})
}
},
handler: async (req) => {
const scimToken = await server.services.scim.deleteScimToken({
scimTokenId: req.params.scimTokenId,
actor: req.permission.type,
actorId: req.permission.id,
actorOrgId: req.permission.orgId
});
return { scimToken };
}
});
// SCIM server endpoints
server.route({
url: "/Users",
method: "GET",
schema: {
querystring: z.object({
startIndex: z.coerce.number().default(1),
count: z.coerce.number().default(20),
filter: z.string().trim().optional()
}),
response: {
200: z.object({
Resources: z.array(
z.object({
id: z.string().trim(),
userName: z.string().trim(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
emails: z.array(
z.object({
primary: z.boolean(),
value: z.string().email(),
type: z.string().trim()
})
),
displayName: z.string().trim(),
active: z.boolean()
})
),
itemsPerPage: z.number(),
schemas: z.array(z.string()),
startIndex: z.number(),
totalResults: z.number()
})
}
},
onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
handler: async (req) => {
const users = await req.server.services.scim.listScimUsers({
offset: req.query.startIndex,
limit: req.query.count,
filter: req.query.filter,
orgId: req.permission.orgId as string
});
return users;
}
});
server.route({
url: "/Users/:userId",
method: "GET",
schema: {
params: z.object({
userId: z.string().trim()
}),
response: {
201: z.object({
schemas: z.array(z.string()),
id: z.string().trim(),
userName: z.string().trim(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
emails: z.array(
z.object({
primary: z.boolean(),
value: z.string().email(),
type: z.string().trim()
})
),
displayName: z.string().trim(),
active: z.boolean()
})
}
},
onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
handler: async (req) => {
const user = await req.server.services.scim.getScimUser({
userId: req.params.userId,
orgId: req.permission.orgId as string
});
return user;
}
});
server.route({
url: "/Users",
method: "POST",
schema: {
body: z.object({
schemas: z.array(z.string()),
userName: z.string().trim().email(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
// emails: z.array( // optional?
// z.object({
// primary: z.boolean(),
// value: z.string().email(),
// type: z.string().trim()
// })
// ),
// displayName: z.string().trim(),
active: z.boolean()
}),
response: {
200: z.object({
schemas: z.array(z.string()),
id: z.string().trim(),
userName: z.string().trim().email(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
emails: z.array(
z.object({
primary: z.boolean(),
value: z.string().email(),
type: z.string().trim()
})
),
displayName: z.string().trim(),
active: z.boolean()
})
}
},
onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
handler: async (req) => {
const user = await req.server.services.scim.createScimUser({
email: req.body.userName,
firstName: req.body.name.givenName,
lastName: req.body.name.familyName,
orgId: req.permission.orgId as string
});
return user;
}
});
server.route({
url: "/Users/:userId",
method: "PATCH",
schema: {
params: z.object({
userId: z.string().trim()
}),
body: z.object({
schemas: z.array(z.string()),
Operations: z.array(
z.object({
op: z.string().trim(),
path: z.string().trim().optional(),
value: z.union([
z.object({
active: z.boolean()
}),
z.string().trim()
])
})
)
}),
response: {
200: z.object({})
}
},
onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
handler: async (req) => {
const user = await req.server.services.scim.updateScimUser({
userId: req.params.userId,
orgId: req.permission.orgId as string,
operations: req.body.Operations
});
return user;
}
});
server.route({
url: "/Users/:userId",
method: "PUT",
schema: {
params: z.object({
userId: z.string().trim()
}),
body: z.object({
schemas: z.array(z.string()),
id: z.string().trim(),
userName: z.string().trim(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
displayName: z.string().trim(),
active: z.boolean()
}),
response: {
200: z.object({
schemas: z.array(z.string()),
id: z.string().trim(),
userName: z.string().trim(),
name: z.object({
familyName: z.string().trim(),
givenName: z.string().trim()
}),
emails: z.array(
z.object({
primary: z.boolean(),
value: z.string().email(),
type: z.string().trim()
})
),
displayName: z.string().trim(),
active: z.boolean()
})
}
},
onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
handler: async (req) => {
const user = await req.server.services.scim.replaceScimUser({
userId: req.params.userId,
orgId: req.permission.orgId as string,
active: req.body.active
});
return user;
}
});
};

7
backend/src/ee/routes/v1/snapshot-router.ts

@ -57,6 +57,13 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
method: "POST",
url: "/:secretSnapshotId/rollback",
schema: {
description: "Roll back project secrets to those captured in a secret snapshot version.",
security: [
{
apiKeyAuth: [],
bearerAuth: []
}
],
params: z.object({
secretSnapshotId: z.string().trim()
}),

1
backend/src/ee/services/audit-log/audit-log-service.ts

@ -58,6 +58,7 @@ export const auditLogServiceFactory = ({
if (data.event.type !== EventType.LOGIN_IDENTITY_UNIVERSAL_AUTH) {
if (!data.projectId && !data.orgId) throw new BadRequestError({ message: "Must either project id or org id" });
}
return auditLogQueue.pushToLog(data);
};

11
backend/src/ee/services/audit-log/audit-log-types.ts

@ -15,7 +15,7 @@ export type TListProjectAuditLogDTO = {
export type TCreateAuditLogDTO = {
event: Event;
actor: UserActor | IdentityActor | ServiceActor;
actor: UserActor | IdentityActor | ServiceActor | ScimClientActor;
orgId?: string;
projectId?: string;
} & BaseAuthData;
@ -105,6 +105,8 @@ interface IdentityActorMetadata {
name: string;
}
interface ScimClientActorMetadata {}
export interface UserActor {
type: ActorType.USER;
metadata: UserActorMetadata;
@ -120,7 +122,12 @@ export interface IdentityActor {
metadata: IdentityActorMetadata;
}
export type Actor = UserActor | ServiceActor | IdentityActor;
export interface ScimClientActor {
type: ActorType.SCIM_CLIENT;
metadata: ScimClientActorMetadata;
}
export type Actor = UserActor | ServiceActor | IdentityActor | ScimClientActor;
interface GetSecretsEvent {
type: EventType.GET_SECRETS;

27
backend/src/ee/services/license/__mocks__/licence-fns.ts Normal file

@ -0,0 +1,27 @@
export const getDefaultOnPremFeatures = () => {
return {
_id: null,
slug: null,
tier: -1,
workspaceLimit: null,
workspacesUsed: 0,
memberLimit: null,
membersUsed: 0,
environmentLimit: null,
environmentsUsed: 0,
secretVersioning: true,
pitRecovery: false,
ipAllowlisting: true,
rbac: false,
customRateLimits: false,
customAlerts: false,
auditLogs: false,
auditLogsRetentionDays: 0,
samlSSO: false,
status: null,
trial_end: null,
has_used_trial: true,
secretApproval: false,
secretRotation: true
};
};

1
backend/src/ee/services/license/licence-fns.ts

@ -24,6 +24,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
auditLogs: false,
auditLogsRetentionDays: 0,
samlSSO: false,
scim: false,
status: null,
trial_end: null,
has_used_trial: true,

1
backend/src/ee/services/license/license-types.ts

@ -25,6 +25,7 @@ export type TFeatureSet = {
auditLogs: false;
auditLogsRetentionDays: 0;
samlSSO: false;
scim: false;
status: null;
trial_end: null;
has_used_trial: true;

7
backend/src/ee/services/permission/org-permission.ts

@ -16,6 +16,7 @@ export enum OrgPermissionSubjects {
Settings = "settings",
IncidentAccount = "incident-contact",
Sso = "sso",
Scim = "scim",
Billing = "billing",
SecretScanning = "secret-scanning",
Identity = "identity"
@ -29,6 +30,7 @@ export type OrgPermissionSet =
| [OrgPermissionActions, OrgPermissionSubjects.Settings]
| [OrgPermissionActions, OrgPermissionSubjects.IncidentAccount]
| [OrgPermissionActions, OrgPermissionSubjects.Sso]
| [OrgPermissionActions, OrgPermissionSubjects.Scim]
| [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
| [OrgPermissionActions, OrgPermissionSubjects.Billing]
| [OrgPermissionActions, OrgPermissionSubjects.Identity];
@ -69,6 +71,11 @@ const buildAdminPermission = () => {
can(OrgPermissionActions.Edit, OrgPermissionSubjects.Sso);
can(OrgPermissionActions.Delete, OrgPermissionSubjects.Sso);
can(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);
can(OrgPermissionActions.Create, OrgPermissionSubjects.Scim);
can(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
can(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);
can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);

2
backend/src/ee/services/permission/permission-service.ts

@ -177,6 +177,8 @@ export const permissionServiceFactory = ({
const getServiceTokenProjectPermission = async (serviceTokenId: string, projectId: string) => {
const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
if (!serviceToken) throw new BadRequestError({ message: "Service token not found" });
if (serviceToken.projectId !== projectId)
throw new UnauthorizedError({
message: "Failed to find service authorization for given project"

17
backend/src/ee/services/saml-config/saml-config-service.ts

@ -195,7 +195,7 @@ export const samlConfigServiceFactory = ({
updateQuery.certTag = certTag;
}
const [ssoConfig] = await samlConfigDAL.update({ orgId }, updateQuery);
await orgDAL.updateById(orgId, { authEnforced: false });
await orgDAL.updateById(orgId, { authEnforced: false, scimEnabled: false });
return ssoConfig;
};
@ -300,19 +300,9 @@ export const samlConfigServiceFactory = ({
};
};
const samlLogin = async ({
firstName,
email,
lastName,
authProvider,
orgId,
relayState,
isSignupAllowed
}: TSamlLoginDTO) => {
const samlLogin = async ({ firstName, email, lastName, authProvider, orgId, relayState }: TSamlLoginDTO) => {
const appCfg = getConfig();
let user = await userDAL.findUserByEmail(email);
const isSamlSignUpDisabled = !isSignupAllowed && !user;
if (isSamlSignUpDisabled) throw new BadRequestError({ message: "User signup disabled", name: "Saml SSO login" });
const organization = await orgDAL.findOrgById(orgId);
if (!organization) throw new BadRequestError({ message: "Org not found" });
@ -348,7 +338,8 @@ export const samlConfigServiceFactory = ({
email,
firstName,
lastName,
authMethods: [AuthMethod.EMAIL]
authMethods: [AuthMethod.EMAIL],
isGhost: false
},
tx
);

1
backend/src/ee/services/saml-config/saml-config-types.ts

@ -41,7 +41,6 @@ export type TSamlLoginDTO = {
lastName?: string;
authProvider: string;
orgId: string;
isSignupAllowed: boolean;
// saml thingy
relayState?: string;
};

10
backend/src/ee/services/scim/scim-dal.ts Normal file

@ -0,0 +1,10 @@
import { TDbClient } from "@app/db";
import { TableName } from "@app/db/schemas";
import { ormify } from "@app/lib/knex";
export type TScimDALFactory = ReturnType<typeof scimDALFactory>;
export const scimDALFactory = (db: TDbClient) => {
const scimTokenOrm = ormify(db, TableName.ScimToken);
return scimTokenOrm;
};

58
backend/src/ee/services/scim/scim-fns.ts Normal file

@ -0,0 +1,58 @@
import { TListScimUsers, TScimUser } from "./scim-types";
export const buildScimUserList = ({
scimUsers,
offset,
limit
}: {
scimUsers: TScimUser[];
offset: number;
limit: number;
}): TListScimUsers => {
return {
Resources: scimUsers,
itemsPerPage: limit,
schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
startIndex: offset,
totalResults: scimUsers.length
};
};
export const buildScimUser = ({
userId,
firstName,
lastName,
email,
active
}: {
userId: string;
firstName: string;
lastName: string;
email: string;
active: boolean;
}): TScimUser => {
return {
schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
id: userId,
userName: email,
displayName: `${firstName} ${lastName}`,
name: {
givenName: firstName,
middleName: null,
familyName: lastName
},
emails: [
{
primary: true,
value: email,
type: "work"
}
],
active,
groups: [],
meta: {
resourceType: "User",
location: null
}
};
};

431
backend/src/ee/services/scim/scim-service.ts Normal file

@ -0,0 +1,431 @@
import { ForbiddenError } from "@casl/ability";
import jwt from "jsonwebtoken";
import { OrgMembershipRole, OrgMembershipStatus } from "@app/db/schemas";
import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
import { getConfig } from "@app/lib/config/env";
import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
import { TOrgPermission } from "@app/lib/types";
import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
import { TOrgDALFactory } from "@app/services/org/org-dal";
import { deleteOrgMembership } from "@app/services/org/org-fns";
import { TProjectDALFactory } from "@app/services/project/project-dal";
import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
import { TUserDALFactory } from "@app/services/user/user-dal";
import { TLicenseServiceFactory } from "../license/license-service";
import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
import { TPermissionServiceFactory } from "../permission/permission-service";
import { buildScimUser, buildScimUserList } from "./scim-fns";
import {
TCreateScimTokenDTO,
TCreateScimUserDTO,
TDeleteScimTokenDTO,
TGetScimUserDTO,
TListScimUsers,
TListScimUsersDTO,
TReplaceScimUserDTO,
TScimTokenJwtPayload,
TUpdateScimUserDTO
} from "./scim-types";
type TScimServiceFactoryDep = {
scimDAL: Pick<TScimDALFactory, "create" | "find" | "findById" | "deleteById">;
userDAL: Pick<TUserDALFactory, "findOne" | "create" | "transaction">;
orgDAL: Pick<
TOrgDALFactory,
"createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction"
>;
projectDAL: Pick<TProjectDALFactory, "find">;
projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
licenseService: Pick<TLicenseServiceFactory, "getPlan">;
permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
smtpService: TSmtpService;
};
export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
export const scimServiceFactory = ({
licenseService,
scimDAL,
userDAL,
orgDAL,
projectDAL,
projectMembershipDAL,
permissionService,
smtpService
}: TScimServiceFactoryDep) => {
const createScimToken = async ({ actor, actorId, actorOrgId, orgId, description, ttlDays }: TCreateScimTokenDTO) => {
const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Scim);
const plan = await licenseService.getPlan(orgId);
if (!plan.scim)
throw new BadRequestError({
message: "Failed to create a SCIM token due to plan restriction. Upgrade plan to create a SCIM token."
});
const appCfg = getConfig();
const scimTokenData = await scimDAL.create({
orgId,
description,
ttlDays
});
const scimToken = jwt.sign(
{
scimTokenId: scimTokenData.id,
authTokenType: AuthTokenType.SCIM_TOKEN
},
appCfg.AUTH_SECRET
);
return { scimToken };
};
const listScimTokens = async ({ actor, actorId, actorOrgId, orgId }: TOrgPermission) => {
const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorOrgId);
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Scim);
const plan = await licenseService.getPlan(orgId);
if (!plan.scim)
throw new BadRequestError({
message: "Failed to get SCIM tokens due to plan restriction. Upgrade plan to get SCIM tokens."
});
const scimTokens = await scimDAL.find({ orgId });
return scimTokens;
};
const deleteScimToken = async ({ scimTokenId, actor, actorId, actorOrgId }: TDeleteScimTokenDTO) => {
let scimToken = await scimDAL.findById(scimTokenId);
if (!scimToken) throw new BadRequestError({ message: "Failed to find SCIM token to delete" });
const { permission } = await permissionService.getOrgPermission(actor, actorId, scimToken.orgId, actorOrgId);
ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Scim);
const plan = await licenseService.getPlan(scimToken.orgId);
if (!plan.scim)
throw new BadRequestError({
message: "Failed to delete the SCIM token due to plan restriction. Upgrade plan to delete the SCIM token."
});
scimToken = await scimDAL.deleteById(scimTokenId);
return scimToken;
};
// SCIM server endpoints
const listScimUsers = async ({ offset, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
const org = await orgDAL.findById(orgId);
if (!org.scimEnabled)
throw new ScimRequestError({
detail: "SCIM is disabled for the organization",
status: 403
});
const parseFilter = (filterToParse: string | undefined) => {
if (!filterToParse) return {};
const [parsedName, parsedValue] = filterToParse.split("eq").map((s) => s.trim());
let attributeName = parsedName;
if (parsedName === "userName") {
attributeName = "email";
}
return { [attributeName]: parsedValue };
};
const findOpts = {
...(offset && { offset }),
...(limit && { limit })
};
const users = await orgDAL.findMembership(
{
orgId,
...parseFilter(filter)
},
findOpts
);
const scimUsers = users.map(({ userId, firstName, lastName, email }) =>
buildScimUser({
userId: userId ?? "",
firstName: firstName ?? "",
lastName: lastName ?? "",
email,
active: true
})
);
return buildScimUserList({
scimUsers,
offset,
limit
});
};
const getScimUser = async ({ userId, orgId }: TGetScimUserDTO) => {
const [membership] = await orgDAL
.findMembership({
userId,
orgId
})
.catch(() => {
throw new ScimRequestError({
detail: "User not found",
status: 404
});
});
if (!membership)
throw new ScimRequestError({
detail: "User not found",
status: 404
});
if (!membership.scimEnabled)
throw new ScimRequestError({
detail: "SCIM is disabled for the organization",
status: 403
});
return buildScimUser({
userId: membership.userId as string,
firstName: membership.firstName as string,
lastName: membership.lastName as string,
email: membership.email,
active: true
});
};
const createScimUser = async ({ firstName, lastName, email, orgId }: TCreateScimUserDTO) => {
const org = await orgDAL.findById(orgId);
if (!org)
throw new ScimRequestError({
detail: "Organization not found",
status: 404
});
if (!org.scimEnabled)
throw new ScimRequestError({
detail: "SCIM is disabled for the organization",
status: 403
});
let user = await userDAL.findOne({
email
});
if (user) {
await userDAL.transaction(async (tx) => {
const [orgMembership] = await orgDAL.findMembership({ userId: user.id, orgId }, { tx });
if (orgMembership)
throw new ScimRequestError({
detail: "User already exists in the database",
status: 409
});
if (!orgMembership) {
await orgDAL.createMembership(
{
userId: user.id,
orgId,
inviteEmail: email,
role: OrgMembershipRole.Member,
status: OrgMembershipStatus.Invited
},
tx
);
}
});
} else {
user = await userDAL.transaction(async (tx) => {
const newUser = await userDAL.create(
{
email,
firstName,
lastName,
authMethods: [AuthMethod.EMAIL],
isGhost: false
},
tx
);
await orgDAL.createMembership(
{
inviteEmail: email,
orgId,
userId: newUser.id,
role: OrgMembershipRole.Member,
status: OrgMembershipStatus.Invited
},
tx
);
return newUser;
});
}
const appCfg = getConfig();
await smtpService.sendMail({
template: SmtpTemplates.ScimUserProvisioned,
subjectLine: "Infisical organization invitation",
recipients: [email],
substitutions: {
organizationName: org.name,
callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
}
});
return buildScimUser({
userId: user.id,
firstName: user.firstName as string,
lastName: user.lastName as string,
email: user.email,
active: true
});
};
const updateScimUser = async ({ userId, orgId, operations }: TUpdateScimUserDTO) => {
const [membership] = await orgDAL
.findMembership({
userId,
orgId
})
.catch(() => {
throw new ScimRequestError({
detail: "User not found",
status: 404
});
});
if (!membership)
throw new ScimRequestError({
detail: "User not found",
status: 404
});
if (!membership.scimEnabled)
throw new ScimRequestError({
detail: "SCIM is disabled for the organization",
status: 403
});
let active = true;
operations.forEach((operation) => {
if (operation.op.toLowerCase() === "replace") {
if (operation.path === "active" && operation.value === "False") {
// azure scim op format
active = false;
} else if (typeof operation.value === "object" && operation.value.active === false) {
// okta scim op format
active = false;
}
}
});
if (!active) {
await deleteOrgMembership({
orgMembershipId: membership.id,
orgId: membership.orgId,
orgDAL,
projectDAL,
projectMembershipDAL
});
}
return buildScimUser({
userId: membership.userId as string,
firstName: membership.firstName as string,
lastName: membership.lastName as string,
email: membership.email,
active
});
};
const replaceScimUser = async ({ userId, active, orgId }: TReplaceScimUserDTO) => {
const [membership] = await orgDAL
.findMembership({
userId,
orgId
})
.catch(() => {
throw new ScimRequestError({
detail: "User not found",
status: 404
});
});
if (!membership)
throw new ScimRequestError({
detail: "User not found",
status: 404
});
if (!membership.scimEnabled)
throw new ScimRequestError({
detail: "SCIM is disabled for the organization",
status: 403
});
if (!active) {
// tx
await deleteOrgMembership({
orgMembershipId: membership.id,
orgId: membership.orgId,
orgDAL,
projectDAL,
projectMembershipDAL
});
}
return buildScimUser({
userId: membership.userId as string,
firstName: membership.firstName as string,
lastName: membership.lastName as string,
email: membership.email,
active
});
};
const fnValidateScimToken = async (token: TScimTokenJwtPayload) => {
const scimToken = await scimDAL.findById(token.scimTokenId);
if (!scimToken) throw new UnauthorizedError();
const { ttlDays, createdAt } = scimToken;
// ttl check
if (Number(ttlDays) > 0) {
const currentDate = new Date();
const scimTokenCreatedAt = new Date(createdAt);
const ttlInMilliseconds = Number(scimToken.ttlDays) * 86400 * 1000;
const expirationDate = new Date(scimTokenCreatedAt.getTime() + ttlInMilliseconds);
if (currentDate > expirationDate)
throw new ScimRequestError({
detail: "The access token expired",
status: 401
});
}
return { scimTokenId: scimToken.id, orgId: scimToken.orgId };
};
return {
createScimToken,
listScimTokens,
deleteScimToken,
listScimUsers,
getScimUser,
createScimUser,
updateScimUser,
replaceScimUser,
fnValidateScimToken
};
};

87
backend/src/ee/services/scim/scim-types.ts Normal file

@ -0,0 +1,87 @@
import { TOrgPermission } from "@app/lib/types";
export type TCreateScimTokenDTO = {
description: string;
ttlDays: number;
} & TOrgPermission;
export type TDeleteScimTokenDTO = {
scimTokenId: string;
} & Omit<TOrgPermission, "orgId">;
// SCIM server endpoint types
export type TListScimUsersDTO = {
offset: number;
limit: number;
filter?: string;
orgId: string;
};
export type TListScimUsers = {
schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"];
totalResults: number;
Resources: TScimUser[];
itemsPerPage: number;
startIndex: number;
};
export type TGetScimUserDTO = {
userId: string;
orgId: string;
};
export type TCreateScimUserDTO = {
email: string;
firstName: string;
lastName: string;
orgId: string;
};
export type TUpdateScimUserDTO = {
userId: string;
orgId: string;
operations: {
op: string;
path?: string;
value?:
| string
| {
active: boolean;
};
}[];
};
export type TReplaceScimUserDTO = {
userId: string;
active: boolean;
orgId: string;
};
export type TScimTokenJwtPayload = {
scimTokenId: string;
authTokenType: string;
};
export type TScimUser = {
schemas: string[];
id: string;
userName: string;
displayName: string;
name: {
givenName: string;
middleName: null;
familyName: string;
};
emails: {
primary: boolean;
value: string;
type: string;
}[];
active: boolean;
groups: string[];
meta: {
resourceType: string;
location: null;
};
};

39
backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@ -1,8 +1,13 @@
import { Knex } from "knex";
import { TDbClient } from "@app/db";
import { SecretApprovalRequestsSecretsSchema, TableName, TSecretTags } from "@app/db/schemas";
import { DatabaseError } from "@app/lib/errors";
import {
SecretApprovalRequestsSecretsSchema,
TableName,
TSecretApprovalRequestsSecrets,
TSecretTags
} from "@app/db/schemas";
import { BadRequestError, DatabaseError } from "@app/lib/errors";
import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
export type TSecretApprovalRequestSecretDALFactory = ReturnType<typeof secretApprovalRequestSecretDALFactory>;
@ -11,6 +16,35 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
const secretApprovalRequestSecretOrm = ormify(db, TableName.SecretApprovalRequestSecret);
const secretApprovalRequestSecretTagOrm = ormify(db, TableName.SecretApprovalRequestSecretTag);
const bulkUpdateNoVersionIncrement = async (data: TSecretApprovalRequestsSecrets[], tx?: Knex) => {
try {
const existingApprovalSecrets = await secretApprovalRequestSecretOrm.find(
{
$in: {
id: data.map((el) => el.id)
}
},
{ tx }
);
if (existingApprovalSecrets.length !== data.length) {
throw new BadRequestError({ message: "Some of the secret approvals do not exist" });
}
if (data.length === 0) return [];
const updatedApprovalSecrets = await (tx || db)(TableName.SecretApprovalRequestSecret)
.insert(data)
.onConflict("id") // this will cause a conflict then merge the data
.merge() // Merge the data with the existing data
.returning("*");
return updatedApprovalSecrets;
} catch (error) {
throw new DatabaseError({ error, name: "bulk update secret" });
}
};
const findByRequestId = async (requestId: string, tx?: Knex) => {
try {
const doc = await (tx || db)({
@ -190,6 +224,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
return {
...secretApprovalRequestSecretOrm,
findByRequestId,
bulkUpdateNoVersionIncrement,
insertApprovalSecretTags: secretApprovalRequestSecretTagOrm.insertMany
};
};

5
backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@ -11,6 +11,7 @@ import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
import { groupBy, pick, unique } from "@app/lib/fn";
import { alphaNumericNanoId } from "@app/lib/nanoid";
import { ActorType } from "@app/services/auth/auth-type";
import { TProjectDALFactory } from "@app/services/project/project-dal";
import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
import { TSecretServiceFactory } from "@app/services/secret/secret-service";
import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@ -47,6 +48,7 @@ type TSecretApprovalRequestServiceFactoryDep = {
secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany">;
projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
secretService: Pick<
TSecretServiceFactory,
| "fnSecretBulkInsert"
@ -67,6 +69,7 @@ export const secretApprovalRequestServiceFactory = ({
secretApprovalRequestReviewerDAL,
secretApprovalRequestSecretDAL,
secretBlindIndexDAL,
projectDAL,
permissionService,
snapshotService,
secretService,
@ -434,6 +437,8 @@ export const secretApprovalRequestServiceFactory = ({
subject(ProjectPermissionSub.Secrets, { environment, secretPath })
);
await projectDAL.checkProjectUpgradeStatus(projectId);
const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
if (!folder) throw new BadRequestError({ message: "Folder not found", name: "GenSecretApproval" });
const folderId = folder.id;

12
backend/src/lib/crypto/encryption.ts

@ -8,6 +8,9 @@ import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
import { getConfig } from "../config/env";
export const decodeBase64 = (s: string) => naclUtils.decodeBase64(s);
export const encodeBase64 = (u: Uint8Array) => naclUtils.encodeBase64(u);
export type TDecryptSymmetricInput = {
ciphertext: string;
iv: string;
@ -44,7 +47,7 @@ export const encryptSymmetric = (plaintext: string, key: string) => {
};
};
export const encryptSymmetric128BitHexKeyUTF8 = (plaintext: string, key: string) => {
export const encryptSymmetric128BitHexKeyUTF8 = (plaintext: string, key: string | Buffer) => {
const iv = crypto.randomBytes(BLOCK_SIZE_BYTES_16);
const cipher = crypto.createCipheriv(SecretEncryptionAlgo.AES_256_GCM, key, iv);
@ -58,7 +61,12 @@ export const encryptSymmetric128BitHexKeyUTF8 = (plaintext: string, key: string)
};
};
export const decryptSymmetric128BitHexKeyUTF8 = ({ ciphertext, iv, tag, key }: TDecryptSymmetricInput): string => {
export const decryptSymmetric128BitHexKeyUTF8 = ({
ciphertext,
iv,
tag,
key
}: Omit<TDecryptSymmetricInput, "key"> & { key: string | Buffer }): string => {
const decipher = crypto.createDecipheriv(SecretEncryptionAlgo.AES_256_GCM, key, Buffer.from(iv, "base64"));
decipher.setAuthTag(Buffer.from(tag, "base64"));

8
backend/src/lib/crypto/index.ts

@ -1,12 +1,20 @@
export {
buildSecretBlindIndexFromName,
createSecretBlindIndex,
decodeBase64,
decryptAsymmetric,
decryptSymmetric,
decryptSymmetric128BitHexKeyUTF8,
encodeBase64,
encryptAsymmetric,
encryptSymmetric,
encryptSymmetric128BitHexKeyUTF8,
generateAsymmetricKeyPair
} from "./encryption";
export {
decryptIntegrationAuths,
decryptSecretApprovals,
decryptSecrets,
decryptSecretVersions
} from "./secret-encryption";
export { generateSrpServerKey, srpCheckClientProof } from "./srp";

293
backend/src/lib/crypto/secret-encryption.ts Normal file

@ -0,0 +1,293 @@
import crypto from "crypto";
import { z } from "zod";
import {
IntegrationAuthsSchema,
SecretApprovalRequestsSecretsSchema,
SecretsSchema,
SecretVersionsSchema,
TIntegrationAuths,
TProjectKeys,
TSecretApprovalRequestsSecrets,
TSecrets,
TSecretVersions
} from "../../db/schemas";
import { decryptAsymmetric } from "./encryption";
const DecryptedValuesSchema = z.object({
id: z.string(),
secretKey: z.string(),
secretValue: z.string(),
secretComment: z.string().optional()
});
const DecryptedSecretSchema = z.object({
decrypted: DecryptedValuesSchema,
original: SecretsSchema
});
const DecryptedIntegrationAuthsSchema = z.object({
decrypted: z.object({
id: z.string(),
access: z.string(),
accessId: z.string(),
refresh: z.string()
}),
original: IntegrationAuthsSchema
});
const DecryptedSecretVersionsSchema = z.object({
decrypted: DecryptedValuesSchema,
original: SecretVersionsSchema
});
const DecryptedSecretApprovalsSchema = z.object({
decrypted: DecryptedValuesSchema,
original: SecretApprovalRequestsSecretsSchema
});
type DecryptedSecret = z.infer<typeof DecryptedSecretSchema>;
type DecryptedSecretVersions = z.infer<typeof DecryptedSecretVersionsSchema>;
type DecryptedSecretApprovals = z.infer<typeof DecryptedSecretApprovalsSchema>;
type DecryptedIntegrationAuths = z.infer<typeof DecryptedIntegrationAuthsSchema>;
type TLatestKey = TProjectKeys & {
sender: {
publicKey: string;
};
};
const decryptCipher = ({
ciphertext,
iv,
tag,
key
}: {
ciphertext: string;
iv: string;
tag: string;
key: string | Buffer;
}) => {
const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
decipher.setAuthTag(Buffer.from(tag, "base64"));
let cleartext = decipher.update(ciphertext, "base64", "utf8");
cleartext += decipher.final("utf8");
return cleartext;
};
const getDecryptedValues = (data: Array<{ ciphertext: string; iv: string; tag: string }>, key: string | Buffer) => {
const results: string[] = [];
for (const { ciphertext, iv, tag } of data) {
if (!ciphertext || !iv || !tag) {
results.push("");
} else {
results.push(decryptCipher({ ciphertext, iv, tag, key }));
}
}
return results;
};
export const decryptSecrets = (encryptedSecrets: TSecrets[], privateKey: string, latestKey: TLatestKey) => {
const key = decryptAsymmetric({
ciphertext: latestKey.encryptedKey,
nonce: latestKey.nonce,
publicKey: latestKey.sender.publicKey,
privateKey
});
const decryptedSecrets: DecryptedSecret[] = [];
encryptedSecrets.forEach((encSecret) => {
const [secretKey, secretValue, secretComment] = getDecryptedValues(
[
{
ciphertext: encSecret.secretKeyCiphertext,
iv: encSecret.secretKeyIV,
tag: encSecret.secretKeyTag
},
{
ciphertext: encSecret.secretValueCiphertext,
iv: encSecret.secretValueIV,
tag: encSecret.secretValueTag
},
{
ciphertext: encSecret.secretCommentCiphertext || "",
iv: encSecret.secretCommentIV || "",
tag: encSecret.secretCommentTag || ""
}
],
key
);
const decryptedSecret: DecryptedSecret = {
decrypted: {
secretKey,
secretValue,
secretComment,
id: encSecret.id
},
original: encSecret
};
decryptedSecrets.push(DecryptedSecretSchema.parse(decryptedSecret));
});
return decryptedSecrets;
};
export const decryptSecretVersions = (
encryptedSecretVersions: TSecretVersions[],
privateKey: string,
latestKey: TLatestKey
) => {
const key = decryptAsymmetric({
ciphertext: latestKey.encryptedKey,
nonce: latestKey.nonce,
publicKey: latestKey.sender.publicKey,
privateKey
});
const decryptedSecrets: DecryptedSecretVersions[] = [];
encryptedSecretVersions.forEach((encSecret) => {
const [secretKey, secretValue, secretComment] = getDecryptedValues(
[
{
ciphertext: encSecret.secretKeyCiphertext,
iv: encSecret.secretKeyIV,
tag: encSecret.secretKeyTag
},
{
ciphertext: encSecret.secretValueCiphertext,
iv: encSecret.secretValueIV,
tag: encSecret.secretValueTag
},
{
ciphertext: encSecret.secretCommentCiphertext || "",
iv: encSecret.secretCommentIV || "",
tag: encSecret.secretCommentTag || ""
}
],
key
);
const decryptedSecret: DecryptedSecretVersions = {
decrypted: {
secretKey,
secretValue,
secretComment,
id: encSecret.id
},
original: encSecret
};
decryptedSecrets.push(DecryptedSecretVersionsSchema.parse(decryptedSecret));
});
return decryptedSecrets;
};
export const decryptSecretApprovals = (
encryptedSecretApprovals: TSecretApprovalRequestsSecrets[],
privateKey: string,
latestKey: TLatestKey
) => {
const key = decryptAsymmetric({
ciphertext: latestKey.encryptedKey,
nonce: latestKey.nonce,
publicKey: latestKey.sender.publicKey,
privateKey
});
const decryptedSecrets: DecryptedSecretApprovals[] = [];
encryptedSecretApprovals.forEach((encApproval) => {
const [secretKey, secretValue, secretComment] = getDecryptedValues(
[
{
ciphertext: encApproval.secretKeyCiphertext,
iv: encApproval.secretKeyIV,
tag: encApproval.secretKeyTag
},
{
ciphertext: encApproval.secretValueCiphertext,
iv: encApproval.secretValueIV,
tag: encApproval.secretValueTag
},
{
ciphertext: encApproval.secretCommentCiphertext || "",
iv: encApproval.secretCommentIV || "",
tag: encApproval.secretCommentTag || ""
}
],
key
);
const decryptedSecret: DecryptedSecretApprovals = {
decrypted: {
secretKey,
secretValue,
secretComment,
id: encApproval.id
},
original: encApproval
};
decryptedSecrets.push(DecryptedSecretApprovalsSchema.parse(decryptedSecret));
});
return decryptedSecrets;
};
export const decryptIntegrationAuths = (
encryptedIntegrationAuths: TIntegrationAuths[],
privateKey: string,
latestKey: TLatestKey
) => {
const key = decryptAsymmetric({
ciphertext: latestKey.encryptedKey,
nonce: latestKey.nonce,
publicKey: latestKey.sender.publicKey,
privateKey
});
const decryptedIntegrationAuths: DecryptedIntegrationAuths[] = [];
encryptedIntegrationAuths.forEach((encAuth) => {
const [access, accessId, refresh] = getDecryptedValues(
[
{
ciphertext: encAuth.accessCiphertext || "",
iv: encAuth.accessIV || "",
tag: encAuth.accessTag || ""
},
{
ciphertext: encAuth.accessIdCiphertext || "",
iv: encAuth.accessIdIV || "",
tag: encAuth.accessIdTag || ""
},
{
ciphertext: encAuth.refreshCiphertext || "",
iv: encAuth.refreshIV || "",
tag: encAuth.refreshTag || ""
}
],
key
);
decryptedIntegrationAuths.push({
decrypted: {
id: encAuth.id,
access,
accessId,
refresh
},
original: encAuth
});
});
return decryptedIntegrationAuths;
};

104
backend/src/lib/crypto/srp.ts

@ -1,4 +1,12 @@
import argon2 from "argon2";
import crypto from "crypto";
import jsrp from "jsrp";
import nacl from "tweetnacl";
import tweetnacl from "tweetnacl-util";
import { TUserEncryptionKeys } from "@app/db/schemas";
import { decryptSymmetric, encryptAsymmetric, encryptSymmetric } from "./encryption";
export const generateSrpServerKey = async (salt: string, verifier: string) => {
// eslint-disable-next-line new-cap
@ -24,3 +32,99 @@ export const srpCheckClientProof = async (
server.setClientPublicKey(clientPublicKey);
return server.checkClientProof(clientProof);
};
// Ghost user related:
// This functionality is intended for ghost user logic. This happens on the frontend when a user is being created.
// We replicate the same functionality on the backend when creating a ghost user.
export const generateUserSrpKeys = async (email: string, password: string) => {
const pair = nacl.box.keyPair();
const secretKeyUint8Array = pair.secretKey;
const publicKeyUint8Array = pair.publicKey;
const privateKey = tweetnacl.encodeBase64(secretKeyUint8Array);
const publicKey = tweetnacl.encodeBase64(publicKeyUint8Array);
// eslint-disable-next-line
const client = new jsrp.client();
await new Promise((resolve) => {
client.init({ username: email, password }, () => resolve(null));
});
const { salt, verifier } = await new Promise<{ salt: string; verifier: string }>((resolve, reject) => {
client.createVerifier((err, res) => {
if (err) return reject(err);
return resolve(res);
});
});
const derivedKey = await argon2.hash(password, {
salt: Buffer.from(salt),
memoryCost: 65536,
timeCost: 3,
parallelism: 1,
hashLength: 32,
type: argon2.argon2id,
raw: true
});
if (!derivedKey) throw new Error("Failed to derive key from password");
const key = crypto.randomBytes(32);
// create encrypted private key by encrypting the private
// key with the symmetric key [key]
const {
ciphertext: encryptedPrivateKey,
iv: encryptedPrivateKeyIV,
tag: encryptedPrivateKeyTag
} = encryptSymmetric(privateKey, key.toString("base64"));
// create the protected key by encrypting the symmetric key
// [key] with the derived key
const {
ciphertext: protectedKey,
iv: protectedKeyIV,
tag: protectedKeyTag
} = encryptSymmetric(key.toString("hex"), derivedKey.toString("base64"));
return {
protectedKey,
plainPrivateKey: privateKey,
protectedKeyIV,
protectedKeyTag,
publicKey,
encryptedPrivateKey,
encryptedPrivateKeyIV,
encryptedPrivateKeyTag,
salt,
verifier
};
};
export const getUserPrivateKey = async (password: string, user: TUserEncryptionKeys) => {
const derivedKey = await argon2.hash(password, {
salt: Buffer.from(user.salt),
memoryCost: 65536,
timeCost: 3,
parallelism: 1,
hashLength: 32,
type: argon2.argon2id,
raw: true
});
if (!derivedKey) throw new Error("Failed to derive key from password");
const key = decryptSymmetric({
ciphertext: user.protectedKey!,
iv: user.protectedKeyIV!,
tag: user.protectedKeyTag!,
key: derivedKey.toString("base64")
});
const privateKey = decryptSymmetric({
ciphertext: user.encryptedPrivateKey,
iv: user.iv,
tag: user.tag,
key
});
return privateKey;
};
export const buildUserProjectKey = async (privateKey: string, publickey: string) => {
const randomBytes = crypto.randomBytes(16).toString("hex");
const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
return { nonce, ciphertext };
};

32
backend/src/lib/errors/index.ts

@ -58,3 +58,35 @@ export class BadRequestError extends Error {
this.error = error;
}
}
export class ScimRequestError extends Error {
name: string;
schemas: string[];
detail: string;
status: number;
error: unknown;
constructor({
name,
error,
detail,
status
}: {
message?: string;
name?: string;
error?: unknown;
detail: string;
status: number;
}) {
super(detail ?? "The request is invalid");
this.name = name || "ScimRequestError";
this.schemas = ["urn:ietf:params:scim:api:messages:2.0:Error"];
this.error = error;
this.detail = detail;
this.status = status;
}
}

21
backend/src/queue/queue-service.ts

@ -1,6 +1,7 @@
import { Job, JobsOptions, Queue, QueueOptions, RepeatOptions, Worker, WorkerListener } from "bullmq";
import Redis from "ioredis";
import { SecretKeyEncoding } from "@app/db/schemas";
import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
import {
TScanFullRepoEventPayload,
@ -15,7 +16,8 @@ export enum QueueName {
IntegrationSync = "sync-integrations",
SecretWebhook = "secret-webhook",
SecretFullRepoScan = "secret-full-repo-scan",
SecretPushEventScan = "secret-push-event-scan"
SecretPushEventScan = "secret-push-event-scan",
UpgradeProjectToGhost = "upgrade-project-to-ghost"
}
export enum QueueJobs {
@ -25,7 +27,8 @@ export enum QueueJobs {
AuditLogPrune = "audit-log-prune-job",
SecWebhook = "secret-webhook-trigger",
IntegrationSync = "secret-integration-pull",
SecretScan = "secret-scan"
SecretScan = "secret-scan",
UpgradeProjectToGhost = "upgrade-project-to-ghost-job"
}
export type TQueueJobTypes = {
@ -64,6 +67,20 @@ export type TQueueJobTypes = {
payload: TScanFullRepoEventPayload;
};
[QueueName.SecretPushEventScan]: { name: QueueJobs.SecretScan; payload: TScanPushEventPayload };
[QueueName.UpgradeProjectToGhost]: {
name: QueueJobs.UpgradeProjectToGhost;
payload: {
projectId: string;
startedByUserId: string;
encryptedPrivateKey: {
encryptedKey: string;
encryptedKeyIv: string;
encryptedKeyTag: string;
keyEncoding: SecretKeyEncoding;
};
};
};
};
export type TQueueServiceFactory = ReturnType<typeof queueServiceFactory>;

2
backend/src/server/app.ts

@ -37,7 +37,7 @@ type TMain = {
export const main = async ({ db, smtp, logger, queue }: TMain) => {
const appCfg = getConfig();
const server = fasitfy({
logger,
logger: appCfg.NODE_ENV === "test" ? false : logger,
trustProxy: true,
connectionTimeout: 30 * 1000,
ignoreTrailingSlash: true

17
backend/src/server/lib/telemetry.ts Normal file

@ -0,0 +1,17 @@
import { FastifyRequest } from "fastify";
import { ActorType } from "@app/services/auth/auth-type";
// this is a unique id for sending posthog event
export const getTelemetryDistinctId = (req: FastifyRequest) => {
if (req.auth.actor === ActorType.USER) {
return req.auth.user.email;
}
if (req.auth.actor === ActorType.IDENTITY) {
return `identity-${req.auth.identityId}`;
}
if (req.auth.actor === ActorType.SERVICE) {
return req.auth.serviceToken.createdByEmail || `service-token-null-creator-${req.auth.serviceTokenId}`; // when user gets removed from system
}
return "unknown-auth-data";
};

5
backend/src/server/plugins/audit-log.ts

@ -63,6 +63,11 @@ export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
identityId: req.auth.identityId
}
};
} else if (req.auth.actor === ActorType.SCIM_CLIENT) {
payload.actor = {
type: ActorType.SCIM_CLIENT,
metadata: {}
};
} else {
throw new BadRequestError({ message: "Missing logic for other actor" });
}

21
backend/src/server/plugins/auth/inject-identity.ts

@ -3,6 +3,7 @@ import fp from "fastify-plugin";
import jwt, { JwtPayload } from "jsonwebtoken";
import { TServiceTokens, TUsers } from "@app/db/schemas";
import { TScimTokenJwtPayload } from "@app/ee/services/scim/scim-types";
import { getConfig } from "@app/lib/config/env";
import { UnauthorizedError } from "@app/lib/errors";
import { ActorType, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
@ -26,7 +27,7 @@ export type TAuthMode =
}
| {
authMode: AuthMode.SERVICE_TOKEN;
serviceToken: TServiceTokens;
serviceToken: TServiceTokens & { createdByEmail: string };
actor: ActorType.SERVICE;
serviceTokenId: string;
}
@ -35,6 +36,12 @@ export type TAuthMode =
actor: ActorType.IDENTITY;
identityId: string;
identityName: string;
}
| {
authMode: AuthMode.SCIM_TOKEN;
actor: ActorType.SCIM_CLIENT;
scimTokenId: string;
orgId: string;
};
const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
@ -55,6 +62,7 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
}
const decodedToken = jwt.verify(authTokenValue, jwtSecret) as JwtPayload;
switch (decodedToken.authTokenType) {
case AuthTokenType.ACCESS_TOKEN:
return {
@ -70,6 +78,12 @@ const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
token: decodedToken as TIdentityAccessTokenJwtPayload,
actor: ActorType.IDENTITY
} as const;
case AuthTokenType.SCIM_TOKEN:
return {
authMode: AuthMode.SCIM_TOKEN,
token: decodedToken as TScimTokenJwtPayload,
actor: ActorType.SCIM_CLIENT
} as const;
default:
return { authMode: null, token: null } as const;
}
@ -113,6 +127,11 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
req.auth = { authMode: AuthMode.API_KEY as const, userId: user.id, actor, user };
break;
}
case AuthMode.SCIM_TOKEN: {
const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId };
break;
}
default:
throw new UnauthorizedError({ name: "Unknown token strategy" });
}

2
backend/src/server/plugins/auth/inject-permission.ts

@ -14,6 +14,8 @@ export const injectPermission = fp(async (server) => {
req.permission = { type: ActorType.IDENTITY, id: req.auth.identityId };
} else if (req.auth.actor === ActorType.SERVICE) {
req.permission = { type: ActorType.SERVICE, id: req.auth.serviceTokenId };
} else if (req.auth.actor === ActorType.SCIM_CLIENT) {
req.permission = { type: ActorType.SCIM_CLIENT, id: req.auth.scimTokenId, orgId: req.auth.orgId };
}
});
});

14
backend/src/server/plugins/error-handler.ts

@ -2,7 +2,13 @@ import { ForbiddenError } from "@casl/ability";
import fastifyPlugin from "fastify-plugin";
import { ZodError } from "zod";
import { BadRequestError, DatabaseError, InternalServerError, UnauthorizedError } from "@app/lib/errors";
import {
BadRequestError,
DatabaseError,
InternalServerError,
ScimRequestError,
UnauthorizedError
} from "@app/lib/errors";
export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
server.setErrorHandler((error, req, res) => {
@ -21,6 +27,12 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
error: "PermissionDenied",
message: `You are not allowed to ${error.action} on ${error.subjectType}`
});
} else if (error instanceof ScimRequestError) {
void res.status(error.status).send({
schemas: error.schemas,
status: error.status,
detail: error.detail
});
} else {
void res.send(error);
}

6
backend/src/server/plugins/swagger.ts

@ -25,13 +25,13 @@ export const fastifySwagger = fp(async (fastify) => {
],
components: {
securitySchemes: {
bearer: {
bearerAuth: {
type: "http",
scheme: "bearer",
bearerFormat: "JWT",
description: "A service token in Infisical"
description: "An access token in Infisical"
},
apiKey: {
apiKeyAuth: {
type: "apiKey",
in: "header",
name: "X-API-Key",

82
backend/src/server/routes/index.ts

@ -11,6 +11,8 @@ import { permissionDALFactory } from "@app/ee/services/permission/permission-dal
import { permissionServiceFactory } from "@app/ee/services/permission/permission-service";
import { samlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-dal";
import { samlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
import { scimDALFactory } from "@app/ee/services/scim/scim-dal";
import { scimServiceFactory } from "@app/ee/services/scim/scim-service";
import { secretApprovalPolicyApproverDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-approver-dal";
import { secretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
import { secretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@ -63,6 +65,7 @@ import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
import { orgServiceFactory } from "@app/services/org/org-service";
import { projectDALFactory } from "@app/services/project/project-dal";
import { projectQueueFactory } from "@app/services/project/project-queue";
import { projectServiceFactory } from "@app/services/project/project-service";
import { projectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
import { projectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@ -155,6 +158,7 @@ export const registerRoutes = async (
const auditLogDAL = auditLogDALFactory(db);
const trustedIpDAL = trustedIpDALFactory(db);
const scimDAL = scimDALFactory(db);
// ee db layer ops
const permissionDAL = permissionDALFactory(db);
@ -188,6 +192,7 @@ export const registerRoutes = async (
trustedIpDAL,
permissionService
});
const auditLogQueue = auditLogQueueServiceFactory({
auditLogDAL,
queueService,
@ -210,6 +215,16 @@ export const registerRoutes = async (
samlConfigDAL,
licenseService
});
const scimService = scimServiceFactory({
licenseService,
scimDAL,
userDAL,
orgDAL,
projectDAL,
projectMembershipDAL,
permissionService,
smtpService
});
const telemetryService = telemetryServiceFactory();
const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
@ -266,19 +281,13 @@ export const registerRoutes = async (
secretScanningDAL,
secretScanningQueue
});
const projectService = projectServiceFactory({
permissionService,
projectDAL,
secretBlindIndexDAL,
projectEnvDAL,
projectMembershipDAL,
folderDAL,
licenseService
});
const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
const projectMembershipService = projectMembershipServiceFactory({
projectMembershipDAL,
projectDAL,
permissionService,
projectBotDAL,
orgDAL,
userDAL,
smtpService,
@ -286,6 +295,46 @@ export const registerRoutes = async (
projectRoleDAL,
licenseService
});
const projectKeyService = projectKeyServiceFactory({
permissionService,
projectKeyDAL,
projectMembershipDAL
});
const projectQueueService = projectQueueFactory({
queueService,
secretDAL,
folderDAL,
projectDAL,
orgDAL,
integrationAuthDAL,
orgService,
projectEnvDAL,
userDAL,
secretVersionDAL,
projectKeyDAL,
projectBotDAL,
projectMembershipDAL,
secretApprovalRequestDAL,
secretApprovalSecretDAL: sarSecretDAL
});
const projectService = projectServiceFactory({
permissionService,
projectDAL,
projectQueue: projectQueueService,
secretBlindIndexDAL,
identityProjectDAL,
identityOrgMembershipDAL,
projectBotDAL,
projectKeyDAL,
userDAL,
projectEnvDAL,
orgService,
projectMembershipDAL,
folderDAL,
licenseService
});
const projectEnvService = projectEnvServiceFactory({
permissionService,
projectEnvDAL,
@ -293,11 +342,7 @@ export const registerRoutes = async (
projectDAL,
folderDAL
});
const projectKeyService = projectKeyServiceFactory({
permissionService,
projectKeyDAL,
projectMembershipDAL
});
const projectRoleService = projectRoleServiceFactory({ permissionService, projectRoleDAL });
const snapshotService = secretSnapshotServiceFactory({
@ -332,9 +377,9 @@ export const registerRoutes = async (
folderDAL,
permissionService,
secretImportDAL,
projectDAL,
secretDAL
});
const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL });
const integrationAuthService = integrationAuthServiceFactory({
integrationAuthDAL,
integrationDAL,
@ -368,6 +413,7 @@ export const registerRoutes = async (
secretVersionTagDAL,
secretBlindIndexDAL,
permissionService,
projectDAL,
secretDAL,
secretTagDAL,
snapshotService,
@ -381,6 +427,7 @@ export const registerRoutes = async (
secretTagDAL,
secretApprovalRequestSecretDAL: sarSecretDAL,
secretApprovalRequestReviewerDAL: sarReviewerDAL,
projectDAL,
secretVersionDAL,
secretBlindIndexDAL,
secretApprovalRequestDAL,
@ -486,6 +533,7 @@ export const registerRoutes = async (
secretScanning: secretScanningService,
license: licenseService,
trustedIp: trustedIpService,
scim: scimService,
secretBlindIndex: secretBlindIndexService,
telemetry: telemetryService
});
@ -537,4 +585,8 @@ export const registerRoutes = async (
);
await server.register(registerV2Routes, { prefix: "/api/v2" });
await server.register(registerV3Routes, { prefix: "/api/v3" });
server.addHook("onClose", async () => {
await telemetryService.flushAll();
});
};

15
backend/src/server/routes/v1/admin-router.ts

@ -1,6 +1,6 @@
import { z } from "zod";
import { SuperAdminSchema, UsersSchema } from "@app/db/schemas";
import { OrganizationsSchema, SuperAdminSchema, UsersSchema } from "@app/db/schemas";
import { getConfig } from "@app/lib/config/env";
import { UnauthorizedError } from "@app/lib/errors";
import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
@ -31,7 +31,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
method: "PATCH",
schema: {
body: z.object({
allowSignUp: z.boolean().optional()
allowSignUp: z.boolean().optional(),
allowedSignUpDomain: z.string().optional().nullable()
}),
response: {
200: z.object({
@ -72,7 +73,9 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
200: z.object({
message: z.string(),
user: UsersSchema,
token: z.string()
organization: OrganizationsSchema,
token: z.string(),
new: z.string()
})
}
},
@ -81,7 +84,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
const serverCfg = await getServerCfg();
if (serverCfg.initialized)
throw new UnauthorizedError({ name: "Admin sign up", message: "Admin has been created" });
const { user, token } = await server.services.superAdmin.adminSignUp({
const { user, token, organization } = await server.services.superAdmin.adminSignUp({
...req.body,
ip: req.realIp,
userAgent: req.headers["user-agent"] || ""
@ -107,7 +110,9 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
return {
message: "Successfully set up admin account",
user: user.user,
token: token.access
token: token.access,
organization,
new: "123"
};
}
});

1
backend/src/server/routes/v1/identity-access-token-router.ts

@ -5,6 +5,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
url: "/token/renew",
method: "POST",
schema: {
description: "Renew access token",
body: z.object({
accessToken: z.string().trim()
}),

37
backend/src/server/routes/v1/identity-router.ts

@ -2,15 +2,23 @@ import { z } from "zod";
import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
export const registerIdentityRouter = async (server: FastifyZodProvider) => {
server.route({
method: "POST",
url: "/",
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Create identity",
security: [
{
bearerAuth: []
}
],
body: z.object({
name: z.string().trim(),
organizationId: z.string().trim(),
@ -43,6 +51,17 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
}
});
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.MachineIdentityCreated,
distinctId: getTelemetryDistinctId(req),
properties: {
orgId: req.body.organizationId,
name: identity.name,
identityId: identity.id,
...req.auditLogInfo
}
});
return { identity };
}
});
@ -50,8 +69,14 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
server.route({
method: "PATCH",
url: "/:identityId",
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Update identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),
@ -93,8 +118,14 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
server.route({
method: "DELETE",
url: "/:identityId",
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Delete identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),

37
backend/src/server/routes/v1/identity-ua.ts

@ -24,6 +24,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
url: "/universal-auth/login",
method: "POST",
schema: {
description: "Login with Universal Auth",
body: z.object({
clientId: z.string().trim(),
clientSecret: z.string().trim()
@ -67,6 +68,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "POST",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Attach Universal Auth configuration onto identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string().trim()
}),
@ -141,6 +148,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "PATCH",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Update Universal Auth configuration on identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),
@ -209,6 +222,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "GET",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Retrieve Universal Auth configuration on identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),
@ -246,6 +265,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "POST",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Create Universal Auth Client Secret for identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),
@ -291,6 +316,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "GET",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "List Universal Auth Client Secrets for identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string()
}),
@ -327,6 +358,12 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
method: "POST",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Revoke Universal Auth Client Secrets for identity",
security: [
{
bearerAuth: []
}
],
params: z.object({
identityId: z.string(),
clientSecretId: z.string()

1
backend/src/server/routes/v1/index.ts

@ -48,6 +48,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
await projectRouter.register(registerProjectMembershipRouter);
await projectRouter.register(registerSecretTagRouter);
},
{ prefix: "/workspace" }
);

46
backend/src/server/routes/v1/integration-router.ts

@ -3,8 +3,10 @@ import { z } from "zod";
import { IntegrationsSchema } from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { removeTrailingSlash, shake } from "@app/lib/fn";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
server.route({
@ -53,28 +55,40 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
actorOrgId: req.permission.orgId,
...req.body
});
const createIntegrationEventProperty = shake({
integrationId: integration.id.toString(),
integration: integration.integration,
environment: req.body.sourceEnvironment,
secretPath: req.body.secretPath,
url: integration.url,
app: integration.app,
appId: integration.appId,
targetEnvironment: integration.targetEnvironment,
targetEnvironmentId: integration.targetEnvironmentId,
targetService: integration.targetService,
targetServiceId: integration.targetServiceId,
path: integration.path,
region: integration.region
}) as TIntegrationCreatedEvent["properties"];
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: integrationAuth.projectId,
event: {
type: EventType.CREATE_INTEGRATION,
// eslint-disable-next-line
metadata: shake({
integrationId: integration.id.toString(),
integration: integration.integration,
environment: req.body.sourceEnvironment,
secretPath: req.body.secretPath,
url: integration.url,
app: integration.app,
appId: integration.appId,
targetEnvironment: integration.targetEnvironment,
targetEnvironmentId: integration.targetEnvironmentId,
targetService: integration.targetService,
targetServiceId: integration.targetServiceId,
path: integration.path,
region: integration.region
// eslint-disable-next-line
}) as any
metadata: createIntegrationEventProperty
}
});
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.IntegrationCreated,
distinctId: getTelemetryDistinctId(req),
properties: {
...createIntegrationEventProperty,
projectId: integrationAuth.projectId,
...req.auditLogInfo
}
});
return { integration };

11
backend/src/server/routes/v1/invite-org-router.ts

@ -1,8 +1,10 @@
import { z } from "zod";
import { UsersSchema } from "@app/db/schemas";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { ActorType, AuthMode } from "@app/services/auth/auth-type";
import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
server.route({
@ -30,6 +32,15 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
actorOrgId: req.permission.orgId
});
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.UserOrgInvitation,
distinctId: getTelemetryDistinctId(req),
properties: {
inviteeEmail: req.body.inviteeEmail,
...req.auditLogInfo
}
});
return {
completeInviteLink,
message: `Send an invite link to ${req.body.inviteeEmail}`

3
backend/src/server/routes/v1/organization-router.ts

@ -93,7 +93,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
.trim()
.regex(/^[a-zA-Z0-9-]+$/, "Name must only contain alphanumeric characters or hyphens")
.optional(),
authEnforced: z.boolean().optional()
authEnforced: z.boolean().optional(),
scimEnabled: z.boolean().optional()
}),
response: {
200: z.object({

21
backend/src/server/routes/v1/project-env-router.ts

@ -10,6 +10,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
url: "/:workspaceId/environments",
method: "POST",
schema: {
description: "Create environment",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim()
}),
@ -58,6 +65,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
url: "/:workspaceId/environments/:id",
method: "PATCH",
schema: {
description: "Update environment",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim(),
id: z.string().trim()
@ -114,6 +128,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
url: "/:workspaceId/environments/:id",
method: "DELETE",
schema: {
description: "Delete environment",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim(),
id: z.string().trim()

34
backend/src/server/routes/v1/project-membership-router.ts

@ -1,6 +1,12 @@
import { z } from "zod";
import { OrgMembershipsSchema, ProjectMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
import {
OrgMembershipsSchema,
ProjectMembershipRole,
ProjectMembershipsSchema,
UserEncryptionKeysSchema,
UsersSchema
} from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
@ -10,6 +16,13 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
url: "/:workspaceId/memberships",
method: "GET",
schema: {
description: "Return project user memberships",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim()
}),
@ -73,7 +86,10 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
actor: req.permission.type,
actorOrgId: req.permission.orgId,
projectId: req.params.workspaceId,
members: req.body.members
members: req.body.members.map((member) => ({
...member,
projectRole: ProjectMembershipRole.Member
}))
});
await server.services.auditLog.createAuditLog({
@ -96,6 +112,13 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
url: "/:workspaceId/memberships/:membershipId",
method: "PATCH",
schema: {
description: "Update project user membership",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim(),
membershipId: z.string().trim()
@ -141,6 +164,13 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
url: "/:workspaceId/memberships/:membershipId",
method: "DELETE",
schema: {
description: "Delete project user membership",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim(),
membershipId: z.string().trim()

83
backend/src/server/routes/v1/project-router.ts

@ -2,13 +2,11 @@ import { z } from "zod";
import {
IntegrationsSchema,
ProjectKeysSchema,
ProjectMembershipsSchema,
ProjectsSchema,
UserEncryptionKeysSchema,
UsersSchema
} from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
@ -119,7 +117,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const workspace = await server.services.project.getAProject({
actorId: req.permission.id,
@ -171,7 +169,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const workspace = await server.services.project.deleteProject({
actorId: req.permission.id,
@ -216,6 +214,41 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
}
});
server.route({
url: "/:workspaceId",
method: "PATCH",
schema: {
params: z.object({
workspaceId: z.string().trim()
}),
body: z.object({
name: z.string().trim().optional(),
autoCapitalization: z.boolean().optional()
}),
response: {
200: z.object({
workspace: ProjectsSchema
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const workspace = await server.services.project.updateProject({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
projectId: req.params.workspaceId,
update: {
name: req.body.name,
autoCapitalization: req.body.autoCapitalization
}
});
return {
workspace
};
}
});
server.route({
url: "/:workspaceId/auto-capitalization",
method: "POST",
@ -249,48 +282,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
}
});
server.route({
url: "/:workspaceId/invite-signup",
method: "POST",
schema: {
params: z.object({
workspaceId: z.string().trim()
}),
body: z.object({
email: z.string().trim()
}),
response: {
200: z.object({
invitee: UsersSchema,
latestKey: ProjectKeysSchema.optional()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const { invitee, latestKey } = await server.services.projectMembership.inviteUserToProject({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
projectId: req.params.workspaceId,
email: req.body.email
});
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: req.params.workspaceId,
event: {
type: EventType.ADD_WORKSPACE_MEMBER,
metadata: {
userId: invitee.id,
email: invitee.email
}
}
});
return { invitee, latestKey };
}
});
server.route({
url: "/:workspaceId/integrations",
method: "GET",

28
backend/src/server/routes/v1/secret-folder-router.ts

@ -11,6 +11,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
url: "/",
method: "POST",
schema: {
description: "Create folders",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
body: z.object({
workspaceId: z.string().trim(),
environment: z.string().trim(),
@ -57,6 +64,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
url: "/:folderId",
method: "PATCH",
schema: {
description: "Update folder",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
// old way this was name
folderId: z.string()
@ -109,6 +123,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
url: "/:folderId",
method: "DELETE",
schema: {
description: "Delete a folder",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
folderId: z.string()
}),
@ -158,6 +179,13 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
url: "/",
method: "GET",
schema: {
description: "Get folders",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
querystring: z.object({
workspaceId: z.string().trim(),
environment: z.string().trim(),

28
backend/src/server/routes/v1/secret-import-router.ts

@ -11,6 +11,13 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
url: "/",
method: "POST",
schema: {
description: "Create secret imports",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
body: z.object({
workspaceId: z.string().trim(),
environment: z.string().trim(),
@ -65,6 +72,13 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
url: "/:secretImportId",
method: "PATCH",
schema: {
description: "Update secret imports",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretImportId: z.string().trim()
}),
@ -128,6 +142,13 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
url: "/:secretImportId",
method: "DELETE",
schema: {
description: "Delete secret imports",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretImportId: z.string().trim()
}),
@ -181,6 +202,13 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
url: "/",
method: "GET",
schema: {
description: "Get secret imports",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
querystring: z.object({
workspaceId: z.string().trim(),
environment: z.string().trim(),

13
backend/src/server/routes/v1/sso-router.ts

@ -18,7 +18,6 @@ import { BadRequestError } from "@app/lib/errors";
import { logger } from "@app/lib/logger";
import { fetchGithubEmails } from "@app/lib/requests/github";
import { AuthMethod } from "@app/services/auth/auth-type";
import { getServerCfg } from "@app/services/super-admin/super-admin-service";
export const registerSsoRouter = async (server: FastifyZodProvider) => {
const appCfg = getConfig();
@ -42,7 +41,6 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
async (req, _accessToken, _refreshToken, profile, cb) => {
try {
const email = profile?.emails?.[0]?.value;
const serverCfg = await getServerCfg();
if (!email)
throw new BadRequestError({
message: "Email not found",
@ -54,8 +52,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
firstName: profile?.name?.givenName || "",
lastName: profile?.name?.familyName || "",
authMethod: AuthMethod.GOOGLE,
callbackPort: req.query.state as string,
isSignupAllowed: Boolean(serverCfg.allowSignUp)
callbackPort: req.query.state as string
});
cb(null, { isUserCompleted, providerAuthToken });
} catch (error) {
@ -84,14 +81,12 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
try {
const ghEmails = await fetchGithubEmails(accessToken);
const { email } = ghEmails.filter((gitHubEmail) => gitHubEmail.primary)[0];
const serverCfg = await getServerCfg();
const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
email,
firstName: profile.displayName,
lastName: "",
authMethod: AuthMethod.GITHUB,
callbackPort: req.query.state as string,
isSignupAllowed: Boolean(serverCfg.allowSignUp)
callbackPort: req.query.state as string
});
return cb(null, { isUserCompleted, providerAuthToken });
} catch (error) {
@ -120,14 +115,12 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
async (req: any, _accessToken: string, _refreshToken: string, profile: any, cb: any) => {
try {
const email = profile.emails[0].value;
const serverCfg = await getServerCfg();
const { isUserCompleted, providerAuthToken } = await server.services.login.oauth2Login({
email,
firstName: profile.displayName,
lastName: "",
authMethod: AuthMethod.GITLAB,
callbackPort: req.query.state as string,
isSignupAllowed: Boolean(serverCfg.allowSignUp)
callbackPort: req.query.state as string
});
return cb(null, { isUserCompleted, providerAuthToken });

7
backend/src/server/routes/v2/identity-org-router.ts

@ -10,6 +10,13 @@ export const registerIdentityOrgRouter = async (server: FastifyZodProvider) => {
url: "/:orgId/identity-memberships",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Return organization identity memberships",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
orgId: z.string().trim()
}),

18
backend/src/server/routes/v2/identity-project-router.ts

@ -46,6 +46,12 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
url: "/:projectId/identity-memberships/:identityId",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Update project identity memberships",
security: [
{
bearerAuth: []
}
],
params: z.object({
projectId: z.string().trim(),
identityId: z.string().trim()
@ -77,6 +83,12 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
url: "/:projectId/identity-memberships/:identityId",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Delete project identity memberships",
security: [
{
bearerAuth: []
}
],
params: z.object({
projectId: z.string().trim(),
identityId: z.string().trim()
@ -104,6 +116,12 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
url: "/:projectId/identity-memberships",
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
schema: {
description: "Return project identity memberships",
security: [
{
bearerAuth: []
}
],
params: z.object({
projectId: z.string().trim()
}),

2
backend/src/server/routes/v2/index.ts

@ -2,6 +2,7 @@ import { registerIdentityOrgRouter } from "./identity-org-router";
import { registerIdentityProjectRouter } from "./identity-project-router";
import { registerMfaRouter } from "./mfa-router";
import { registerOrgRouter } from "./organization-router";
import { registerProjectMembershipRouter } from "./project-membership-router";
import { registerProjectRouter } from "./project-router";
import { registerServiceTokenRouter } from "./service-token-router";
import { registerUserRouter } from "./user-router";
@ -21,6 +22,7 @@ export const registerV2Routes = async (server: FastifyZodProvider) => {
async (projectServer) => {
await projectServer.register(registerProjectRouter);
await projectServer.register(registerIdentityProjectRouter);
await projectServer.register(registerProjectMembershipRouter);
},
{ prefix: "/workspace" }
);

28
backend/src/server/routes/v2/organization-router.ts

@ -9,6 +9,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/:organizationId/memberships",
schema: {
description: "Return organization user memberships",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
organizationId: z.string().trim()
}),
@ -46,6 +53,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/:organizationId/workspaces",
schema: {
description: "Return projects in organization that user is part of",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
organizationId: z.string().trim()
}),
@ -84,6 +98,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
method: "PATCH",
url: "/:organizationId/memberships/:membershipId",
schema: {
description: "Update organization user memberships",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
body: z.object({
role: z.string().trim()
@ -113,6 +134,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
method: "DELETE",
url: "/:organizationId/memberships/:membershipId",
schema: {
description: "Delete organization user memberships",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({ organizationId: z.string().trim(), membershipId: z.string().trim() }),
response: {
200: z.object({

95
backend/src/server/routes/v2/project-membership-router.ts Normal file

@ -0,0 +1,95 @@
import { z } from "zod";
import { ProjectMembershipsSchema } from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
export const registerProjectMembershipRouter = async (server: FastifyZodProvider) => {
server.route({
method: "POST",
url: "/:projectId/memberships",
schema: {
params: z.object({
projectId: z.string().describe("The ID of the project.")
}),
body: z.object({
emails: z.string().email().array().describe("Emails of the users to add to the project.")
}),
response: {
200: z.object({
memberships: ProjectMembershipsSchema.array()
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const memberships = await server.services.projectMembership.addUsersToProjectNonE2EE({
projectId: req.params.projectId,
actorId: req.permission.id,
actor: req.permission.type,
emails: req.body.emails
});
await server.services.auditLog.createAuditLog({
projectId: req.params.projectId,
...req.auditLogInfo,
event: {
type: EventType.ADD_BATCH_WORKSPACE_MEMBER,
metadata: memberships.map(({ userId, id }) => ({
userId: userId || "",
membershipId: id,
email: ""
}))
}
});
return { memberships };
}
});
server.route({
method: "DELETE",
url: "/:projectId/memberships",
schema: {
params: z.object({
projectId: z.string().describe("The ID of the project.")
}),
body: z.object({
emails: z.string().email().array().describe("Emails of the users to remove from the project.")
}),
response: {
200: z.object({
memberships: ProjectMembershipsSchema.array()
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const memberships = await server.services.projectMembership.deleteProjectMemberships({
actorId: req.permission.id,
actor: req.permission.type,
actorOrgId: req.permission.orgId,
projectId: req.params.projectId,
emails: req.body.emails
});
for (const membership of memberships) {
// eslint-disable-next-line no-await-in-loop
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: req.params.projectId,
event: {
type: EventType.REMOVE_WORKSPACE_MEMBER,
metadata: {
userId: membership.userId,
email: ""
}
}
});
}
return { memberships };
}
});
};

127
backend/src/server/routes/v2/project-router.ts

@ -1,15 +1,33 @@
import slugify from "@sindresorhus/slugify";
import { z } from "zod";
import { ProjectKeysSchema } from "@app/db/schemas";
import { ProjectKeysSchema, ProjectsSchema } from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { authRateLimit } from "@app/server/config/rateLimiter";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
const projectWithEnv = ProjectsSchema.merge(
z.object({
_id: z.string(),
environments: z.object({ name: z.string(), slug: z.string(), id: z.string() }).array()
})
);
export const registerProjectRouter = async (server: FastifyZodProvider) => {
/* Get project key */
server.route({
url: "/:workspaceId/encrypted-key",
method: "GET",
schema: {
description: "Return encrypted project key",
security: [
{
apiKeyAuth: []
}
],
params: z.object({
workspaceId: z.string().trim()
}),
@ -28,8 +46,8 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
const key = await server.services.projectKey.getLatestProjectKey({
actor: req.permission.type,
actorId: req.permission.id,
projectId: req.params.workspaceId,
actorOrgId: req.permission.orgId
actorOrgId: req.permission.orgId,
projectId: req.params.workspaceId
});
await server.services.auditLog.createAuditLog({
@ -46,4 +64,107 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
return key;
}
});
/* Start upgrade of a project */
server.route({
url: "/:projectId/upgrade",
method: "POST",
schema: {
params: z.object({
projectId: z.string().trim()
}),
body: z.object({
userPrivateKey: z.string().trim()
}),
response: {
200: z.void()
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
handler: async (req) => {
await server.services.project.upgradeProject({
actorId: req.permission.id,
actor: req.permission.type,
projectId: req.params.projectId,
userPrivateKey: req.body.userPrivateKey
});
}
});
/* Get upgrade status of project */
server.route({
url: "/:projectId/upgrade/status",
method: "GET",
schema: {
params: z.object({
projectId: z.string().trim()
}),
response: {
200: z.object({
status: z.string().nullable()
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
handler: async (req) => {
const status = await server.services.project.getProjectUpgradeStatus({
projectId: req.params.projectId,
actor: req.permission.type,
actorId: req.permission.id
});
return { status };
}
});
/* Create new project */
server.route({
method: "POST",
url: "/",
config: {
rateLimit: authRateLimit
},
schema: {
body: z.object({
projectName: z.string().trim(),
slug: z
.string()
.min(5)
.max(36)
.refine((v) => slugify(v) === v, {
message: "Slug must be a valid slug"
})
.optional(),
organizationId: z.string().trim()
}),
response: {
200: z.object({
project: projectWithEnv
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const project = await server.services.project.createProject({
actorId: req.permission.id,
actor: req.permission.type,
orgId: req.body.organizationId,
workspaceName: req.body.projectName,
slug: req.body.slug
});
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.ProjectCreated,
distinctId: getTelemetryDistinctId(req),
properties: {
orgId: req.body.organizationId,
name: project.name,
...req.auditLogInfo
}
});
return { project };
}
});
};

6
backend/src/server/routes/v2/service-token-router.ts

@ -21,6 +21,12 @@ export const registerServiceTokenRouter = async (server: FastifyZodProvider) =>
method: "GET",
onRequest: verifyAuth([AuthMode.SERVICE_TOKEN]),
schema: {
description: "Return Infisical Token data",
security: [
{
bearerAuth: []
}
],
response: {
200: ServiceTokensSchema.merge(
z.object({

14
backend/src/server/routes/v2/user-router.ts

@ -71,6 +71,12 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/me/organizations",
schema: {
description: "Return organizations that current user is part of",
security: [
{
apiKeyAuth: []
}
],
response: {
200: z.object({
organizations: OrganizationsSchema.array()
@ -179,13 +185,19 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
method: "GET",
url: "/me",
schema: {
description: "Retrieve the current user on the request",
security: [
{
apiKeyAuth: []
}
],
response: {
200: z.object({
user: UsersSchema.merge(UserEncryptionKeysSchema.omit({ verifier: true }))
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
handler: async (req) => {
const user = await server.services.user.getMe(req.permission.id);
return { user };

79
backend/src/server/routes/v3/secret-router.ts

@ -1,4 +1,3 @@
import { FastifyRequest } from "fastify";
import picomatch from "picomatch";
import { z } from "zod";
@ -13,6 +12,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { CommitType } from "@app/ee/services/secret-approval-request/secret-approval-request-types";
import { BadRequestError } from "@app/lib/errors";
import { removeTrailingSlash } from "@app/lib/fn";
import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
import { getUserAgentType } from "@app/server/plugins/audit-log";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@ -20,24 +20,18 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
import { secretRawSchema } from "../sanitizedSchemas";
const getDistinctId = (req: FastifyRequest) => {
if (req.auth.actor === ActorType.USER) {
return req.auth.user.email;
}
if (req.auth.actor === ActorType.IDENTITY) {
return `identity-${req.auth.identityId}`;
}
if (req.auth.actor === ActorType.SERVICE) {
return `service-token-${req.auth.serviceToken.id}`;
}
return "unknown-auth-data";
};
export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.route({
url: "/raw",
method: "GET",
schema: {
description: "List secrets",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
querystring: z.object({
workspaceId: z.string().trim().optional(),
environment: z.string().trim().optional(),
@ -103,7 +97,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId,
@ -121,6 +115,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
url: "/raw/:secretName",
method: "GET",
schema: {
description: "Get a secret by name",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretName: z.string().trim()
}),
@ -186,7 +187,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId,
@ -204,6 +205,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
url: "/raw/:secretName",
method: "POST",
schema: {
description: "Create secret",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretName: z.string().trim()
}),
@ -255,7 +263,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretCreated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -274,6 +282,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
url: "/raw/:secretName",
method: "PATCH",
schema: {
description: "Update secret",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretName: z.string().trim()
}),
@ -323,7 +338,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretUpdated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -341,6 +356,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
url: "/raw/:secretName",
method: "DELETE",
schema: {
description: "Delete secret",
security: [
{
bearerAuth: [],
apiKeyAuth: []
}
],
params: z.object({
secretName: z.string().trim()
}),
@ -386,7 +408,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretDeleted,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -492,7 +514,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
if (shouldCapture) {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: shouldRecordK8Event ? approximateNumberTotalSecrets : secrets.length,
workspaceId: req.query.workspaceId,
@ -569,7 +591,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretPulled,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.query.workspaceId,
@ -732,7 +754,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretCreated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -914,7 +936,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretUpdated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -1032,7 +1054,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretDeleted,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: 1,
workspaceId: req.body.workspaceId,
@ -1057,7 +1079,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
secrets: z
.object({
secretName: z.string().trim(),
type: z.nativeEnum(SecretType).default(SecretType.Shared),
secretKeyCiphertext: z.string().trim(),
secretKeyIV: z.string().trim(),
secretKeyTag: z.string().trim(),
@ -1104,7 +1125,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
projectId,
policy,
data: {
[CommitType.Create]: inputSecrets.filter(({ type }) => type === "shared")
[CommitType.Create]: inputSecrets
}
});
@ -1153,7 +1174,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretCreated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId: req.body.workspaceId,
@ -1273,7 +1294,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretUpdated,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId: req.body.workspaceId,
@ -1381,7 +1402,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
server.services.telemetry.sendPostHogEvents({
event: PostHogEventTypes.SecretDeleted,
distinctId: getDistinctId(req),
distinctId: getTelemetryDistinctId(req),
properties: {
numberOfSecrets: secrets.length,
workspaceId: req.body.workspaceId,

Some files were not shown because too many files have changed in this diff Show More