revert schema name

Merge pull request #1810 from Infisical/check-saml-email-verification
Update isEmailVerified field upon invite signups
2025-07-22 13:29:55 +00:00 · 2024-05-09 13:42:23 -04:00 · 2024-05-09 13:03:52 -04:00 · 2024-05-09 09:51:53 -07:00 · 2024-05-09 21:56:48 +05:30 · 2024-05-09 12:17:14 -04:00
16 changed files with 89 additions and 36 deletions
--- a/.github/workflows/build-staging-and-deploy-aws.yml
+++ b/.github/workflows/build-staging-and-deploy-aws.yml
@ -74,21 +74,21 @@ jobs:
        uses: pr-mpt/actions-commit-hash@v2
      - name: Download task definition
        run: |
-          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
      - name: Render Amazon ECS task definition
        id: render-web-container
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
-          container-name: infisical-prod-platform
+          container-name: infisical-core-platform
          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
          environment-variables: "LOG_LEVEL=info"
      - name: Deploy to Amazon ECS service
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
          wait-for-service-stability: true

  production-postgres-deployment:
@ -135,6 +135,6 @@ jobs:
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-prod-platform
-          cluster: infisical-prod-platform
+          service: infisical-core-platform
+          cluster: infisical-core-platform
          wait-for-service-stability: true
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@ -49,7 +49,7 @@
        "libsodium-wrappers": "^0.7.13",
        "lodash.isequal": "^4.5.0",
        "ms": "^2.1.3",
-        "mysql2": "^3.9.4",
+        "mysql2": "^3.9.7",
        "nanoid": "^5.0.4",
        "nodemailer": "^6.9.9",
        "ora": "^7.0.1",
@ -10102,9 +10102,9 @@
      }
    },
    "node_modules/mysql2": {
-      "version": "3.9.4",
-      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.4.tgz",
-      "integrity": "sha512-OEESQuwxMza803knC1YSt7NMuc1BrK9j7gZhCSs2WAyxr1vfiI7QLaLOKTh5c9SWGz98qVyQUbK8/WckevNQhg==",
+      "version": "3.9.7",
+      "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-3.9.7.tgz",
+      "integrity": "sha512-KnJT8vYRcNAZv73uf9zpXqNbvBG7DJrs+1nACsjZP1HMJ1TgXEy8wnNilXAn/5i57JizXKtrUtwDB7HxT9DDpw==",
      "dependencies": {
        "denque": "^2.1.0",
        "generate-function": "^2.3.1",
--- a/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
+++ b/backend/src/db/migrations/20240405000045_org-memberships-unique-constraint.ts
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -288,7 +288,8 @@ export const RAW_SECRETS = {
    recursive:
      "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
    workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
+    workspaceSlug:
+      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
    environment: "The slug of the environment to list secrets from.",
    secretPath: "The secret path to list secrets from.",
    includeImports: "Weather to include imported secrets or not."
@ -307,6 +308,7 @@ export const RAW_SECRETS = {
  GET: {
    secretName: "The name of the secret to get.",
    workspaceId: "The ID of the project to get the secret from.",
+    workspaceSlug: "The slug of the project to get the secret from.",
    environment: "The slug of the environment to get the secret from.",
    secretPath: "The path of the secret to get.",
    version: "The version of the secret to get.",
@ -625,7 +627,8 @@ export const INTEGRATION = {
      shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
      secretGCPLabel: "The label for GCP secrets.",
      secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS."
+      kmsKeyId: "The ID of the encryption key from AWS KMS.",
+      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
    }
  },
  UPDATE: {
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -66,7 +66,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
              )
              .optional()
              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
+            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
          })
          .default({})
      }),
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -293,6 +293,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      }),
      querystring: z.object({
        workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
+        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
        environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@ -311,6 +312,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
+      const { workspaceSlug } = req.query;
      let { secretPath, environment, workspaceId } = req.query;
      if (req.auth.actor === ActorType.SERVICE) {
        const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@ -322,7 +324,9 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        }
      }

-      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
+      if (!environment) throw new BadRequestError({ message: "Missing environment" });
+      if (!workspaceId && !workspaceSlug)
+        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });

      const secret = await server.services.secret.getSecretByNameRaw({
        actorId: req.permission.id,
@ -331,6 +335,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actorOrgId: req.permission.orgId,
        environment,
        projectId: workspaceId,
+        projectSlug: workspaceSlug,
        path: secretPath,
        secretName: req.params.secretName,
        type: req.query.type,
@ -339,7 +344,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
      });

      await server.services.auditLog.createAuditLog({
-        projectId: req.query.workspaceId,
+        projectId: secret.workspace,
        ...req.auditLogInfo,
        event: {
          type: EventType.GET_SECRET,
@ -358,7 +363,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        distinctId: getTelemetryDistinctId(req),
        properties: {
          numberOfSecrets: 1,
-          workspaceId,
+          workspaceId: secret.workspace,
          environment,
          secretPath: req.query.secretPath,
          channel: getUserAgentType(req.headers["user-agent"]),
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
  const login = async (clientId: string, clientSecret: string, ip: string) => {
    const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError();
+    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });

    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });

@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
    const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
      bcrypt.compareSync(clientSecret, clientSecretHash)
    );
-    if (!validClientSecretInfo) throw new UnauthorizedError();
+    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });

    const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
    if (Number(clientSecretTTL) > 0) {
--- a/backend/src/services/integration-auth/integration-sync-secret.ts
+++ b/backend/src/services/integration-auth/integration-sync-secret.ts
@ -517,20 +517,22 @@ const syncSecretsAWSParameterStore = async ({
    })
  );

-  // Identify secrets to delete
-  await Promise.all(
-    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
-      if (!(key in secrets)) {
-        // case:
-        // -> delete secret
-        await ssm
-          .deleteParameter({
-            Name: awsParameterStoreSecretsObj[key].Name as string
-          })
-          .promise();
-      }
-    })
-  );
+  if (!metadata.shouldDisableDelete) {
+    // Identify secrets to delete
+    await Promise.all(
+      Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
+        if (!(key in secrets)) {
+          // case:
+          // -> delete secret
+          await ssm
+            .deleteParameter({
+              Name: awsParameterStoreSecretsObj[key].Name as string
+            })
+            .promise();
+        }
+      })
+    );
+  }
 };

 /**
--- a/backend/src/services/integration/integration-types.ts
+++ b/backend/src/services/integration/integration-types.ts
@ -27,6 +27,7 @@ export type TCreateIntegrationDTO = {
      value: string;
    }[];
    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
  };
 } & Omit<TProjectPermission, "projectId">;

--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@ -546,6 +546,10 @@ export const orgServiceFactory = ({
      code
    });

+    await userDAL.updateById(user.id, {
+      isEmailVerified: true
+    });
+
    if (user.isAccepted) {
      // this means user has already completed signup process
      // isAccepted is set true when keys are exchanged
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@ -972,7 +972,8 @@ export const secretServiceFactory = ({
    path,
    actor,
    environment,
-    projectId,
+    projectId: workspaceId,
+    projectSlug,
    actorId,
    actorOrgId,
    actorAuthMethod,
@ -980,6 +981,8 @@ export const secretServiceFactory = ({
    includeImports,
    version
  }: TGetASecretRawDTO) => {
+    const projectId = workspaceId || (await projectDAL.findProjectBySlug(projectSlug as string, actorOrgId)).id;
+
    const botKey = await projectBotService.getBotKey(projectId);
    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });

--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@ -152,7 +152,9 @@ export type TGetASecretRawDTO = {
  type: "shared" | "personal";
  includeImports?: boolean;
  version?: number;
-} & TProjectPermission;
+  projectSlug?: string;
+  projectId?: string;
+} & Omit<TProjectPermission, "projectId">;

 export type TCreateSecretRawDTO = TProjectPermission & {
  secretPath: string;
--- a/docs/documentation/platform/identities/universal-auth.mdx
+++ b/docs/documentation/platform/identities/universal-auth.mdx
@ -5,6 +5,25 @@ description: "Learn how to authenticate to Infisical from any platform or enviro

 **Universal Auth** is a platform-agnostic authentication method that can be configured for a [machine identity](/documentation/platform/identities/machine-identities) suitable to authenticate from any platform/environment.

+## Diagram
+
+The following sequence digram illustrates the Universal Auth workflow for authenticating clients with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client as Client
+  participant Infis as Infisical
+
+  Note over Client,Infis: Step 1: Login Operation
+  Client->>Infis: Send Client ID and Client Secret
+
+  Note over Infis: Step 2: Client ID and Client Secret validation
+  Infis->>Client: Return short-lived access token
+
+  Note over Client,Infis: Step 3: Access Infisical API with Token
+  Client->>Infis: Make authenticated requests using the short-lived access token
+```
+
 ## Concept

 In this method, Infisical authenticates an identity by verifying the credentials issued for it at the `/api/v1/auth/universal-auth/login` endpoint. If successful,
@ -12,7 +31,7 @@ then Infisical returns a short-lived access token that can be used to make authe

 In Universal Auth, an identity is given a **Client ID** and one or more **Client Secret(s)**. Together, a **Client ID** and **Client Secret** can be exchanged for a short-lived access token to authenticate with the Infisical API.

-## Workflow
+## Guide

 In the following steps, we explore how to create and use identities for your workloads and applications to access the Infisical API
 using the Universal Auth authentication method.
--- a/frontend/src/hooks/api/integrations/queries.tsx
+++ b/frontend/src/hooks/api/integrations/queries.tsx
@ -68,6 +68,7 @@ export const useCreateIntegration = () => {
          value: string;
        }[];
        kmsKeyId?: string;
+        shouldDisableDelete?: boolean;
      };
    }) => {
      const {
--- a/frontend/src/pages/integrations/aws-parameter-store/create.tsx
+++ b/frontend/src/pages/integrations/aws-parameter-store/create.tsx
@ -89,6 +89,7 @@ export default function AWSParameterStoreCreateIntegrationPage() {

  const [isLoading, setIsLoading] = useState(false);
  const [shouldTag, setShouldTag] = useState(false);
+  const [shouldDisableDelete, setShouldDisableDelete] = useState(false);
  const [tagKey, setTagKey] = useState("");
  const [tagValue, setTagValue] = useState("");
  const [kmsKeyId, setKmsKeyId] = useState("");
@ -144,7 +145,8 @@ export default function AWSParameterStoreCreateIntegrationPage() {
                ]
              }
            : {}),
-          ...(kmsKeyId && { kmsKeyId })
+          ...(kmsKeyId && { kmsKeyId }),
+          ...(shouldDisableDelete && { shouldDisableDelete })
        }
      });

@ -273,6 +275,15 @@ export default function AWSParameterStoreCreateIntegrationPage() {
              exit={{ opacity: 0, translateX: 30 }}
            >
              <div className="mt-2 ml-1">
+                <Switch
+                  id="delete-aws"
+                  onCheckedChange={() => setShouldDisableDelete(!shouldDisableDelete)}
+                  isChecked={shouldDisableDelete}
+                >
+                  Disable deleting secrets in AWS Parameter Store
+                </Switch>
+              </div>
+              <div className="mt-4 ml-1">
                <Switch
                  id="tag-aws"
                  onCheckedChange={() => setShouldTag(!shouldTag)}
--- a/pg-migrator/src/models/integration/types.ts
+++ b/pg-migrator/src/models/integration/types.ts
@ -10,4 +10,5 @@ export type Metadata = {
        value: string;
    }[]
    kmsKeyId?: string;
+    shouldDisableDelete?: boolean;
 }
Author	SHA1	Message	Date
Maidul Islam	7c77a4f049	revert schema name	2024-05-09 13:42:23 -04:00
Maidul Islam	9dfb587032	Merge pull request #1810 from Infisical/check-saml-email-verification Update isEmailVerified field upon invite signups	2024-05-09 13:03:52 -04:00
Tuan Dang	3952ad9a2e	Update isEmailVerified field upon invite signups	2024-05-09 09:51:53 -07:00
Akhil Mohan	9c15cb407d	Merge pull request #1806 from Infisical/aws-non-delete Add option to not delete secrets in parameter store	2024-05-09 21:56:48 +05:30
Maidul Islam	cb17efa10b	Merge pull request #1809 from akhilmhdh/fix/patches-v2 Workspace slug support in secret v3 Get Key	2024-05-09 12:17:14 -04:00
Maidul Islam	4adc2c4927	update api descriptions	2024-05-09 12:11:46 -04:00
Maidul Islam	1a26b34ad8	Merge pull request #1805 from Infisical/revise-aws-auth Reframe AWS IAM auth to AWS Auth with IAM type	2024-05-09 12:06:31 -04:00
=	21c339d27a	fix: better error message on ua based login error	2024-05-09 21:32:09 +05:30
=	20f29c752d	fix: added workspaceSlug support get secret by key	2024-05-09 21:23:57 +05:30
BlackMagiq	29ea12f8b1	Merge pull request #1807 from Infisical/mermaid-universal-auth Add mermaid diagram for Universal Auth	2024-05-08 22:05:12 -07:00
Tuan Dang	b4f1cce587	Add mermaid diagram for universal auth	2024-05-08 22:03:57 -07:00
Maidul Islam	5a92520ca3	Update build-staging-and-deploy-aws.yml	2024-05-09 00:53:42 -04:00
Vladyslav Matsiiako	79704e9c98	add option to not delete secrets in parameter store	2024-05-08 21:49:09 -07:00
Maidul Islam	1165d11816	Update build-staging-and-deploy-aws.yml	2024-05-09 00:27:21 -04:00
Maidul Islam	86d4d88b58	package json lock	2024-05-09 00:19:44 -04:00
Maidul Islam	a12ad91e59	Update build-staging-and-deploy-aws.yml	2024-05-09 00:15:42 -04:00