Skip to content

Commit

Permalink
Merge pull request #1970 from akhilmhdh/feat/ui-permission-check-broken
Browse files Browse the repository at this point in the history 
Allow secret tag api for machine identity and raw secret endpoint tag support
  • Loading branch information
@akhilmhdh
akhilmhdh committed Jun 14, 2024
2 parents 44928a2 + 2780414 commit 5d45237
Show file tree
Hide file tree
Showing 11 changed files with 112 additions and 18 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check-api-for-breaking-changes.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
env:
REDIS_URL: redis://172.17.0.1:6379
DB_CONNECTION_URI: postgres://infisical:[email protected]:5432/infisical?sslmode=disable
Expand Down
25 changes: 25 additions & 0 deletions backend/src/db/migrations/20240614115952_tag-machine-identity.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
import { Knex } from "knex";

import { ActorType } from "@app/services/auth/auth-type";

import { TableName } from "../schemas";

export async function up(knex: Knex): Promise<void> {
const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
await knex.schema.alterTable(TableName.SecretTag, (tb) => {
if (!hasCreatedByActorType) {
tb.string("createdByActorType").notNullable().defaultTo(ActorType.USER);
tb.dropForeign("createdBy");
}
});
}

export async function down(knex: Knex): Promise<void> {
const hasCreatedByActorType = await knex.schema.hasColumn(TableName.SecretTag, "createdByActorType");
await knex.schema.alterTable(TableName.SecretTag, (tb) => {
if (hasCreatedByActorType) {
tb.dropColumn("createdByActorType");
tb.foreign("createdBy").references("id").inTable(TableName.Users).onDelete("SET NULL");
}
});
}
3 changes: 2 additions & 1 deletion backend/src/db/schemas/secret-tags.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,8 @@ export const SecretTagsSchema = z.object({
createdAt: z.date(),
updatedAt: z.date(),
createdBy: z.string().uuid().nullable().optional(),
projectId: z.string()
projectId: z.string(),
createdByActorType: z.string().default("user")
});

export type TSecretTags = z.infer<typeof SecretTagsSchema>;
Expand Down
6 changes: 4 additions & 2 deletions backend/src/lib/api-docs/constants.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -343,7 +343,8 @@ export const RAW_SECRETS = {
secretValue: "The value of the secret to create.",
skipMultilineEncoding: "Skip multiline encoding for the secret value.",
type: "The type of the secret to create.",
workspaceId: "The ID of the project to create the secret in."
workspaceId: "The ID of the project to create the secret in.",
tagIds: "The ID of the tags to be attached to the created secret."
},
GET: {
secretName: "The name of the secret to get.",
Expand All @@ -364,7 +365,8 @@ export const RAW_SECRETS = {
skipMultilineEncoding: "Skip multiline encoding for the secret value.",
type: "The type of the secret to update.",
projectSlug: "The slug of the project to update the secret in.",
workspaceId: "The ID of the project to update the secret in."
workspaceId: "The ID of the project to update the secret in.",
tagIds: "The ID of the tags to be attached to the updated secret."
},
DELETE: {
secretName: "The name of the secret to delete.",
Expand Down
6 changes: 3 additions & 3 deletions backend/src/server/routes/v1/secret-tag-router.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const workspaceTags = await server.services.secretTag.getProjectTags({
actor: req.permission.type,
Expand Down Expand Up @@ -57,7 +57,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const workspaceTag = await server.services.secretTag.createTag({
actor: req.permission.type,
Expand Down Expand Up @@ -88,7 +88,7 @@ export const registerSecretTagRouter = async (server: FastifyZodProvider) => {
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const workspaceTag = await server.services.secretTag.deleteTag({
actor: req.permission.type,
Expand Down
21 changes: 17 additions & 4 deletions backend/src/server/routes/v3/secret-router.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -306,7 +306,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
}),
response: {
200: z.object({
secret: secretRawSchema
secret: secretRawSchema.extend({
tags: SecretTagsSchema.pick({
id: true,
slug: true,
name: true,
color: true
})
.array()
.optional()
})
})
}
},
Expand Down Expand Up @@ -404,6 +413,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
.transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
.describe(RAW_SECRETS.CREATE.secretValue),
secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds),
skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type)
}),
Expand All @@ -427,7 +437,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
type: req.body.type,
secretValue: req.body.secretValue,
skipMultilineEncoding: req.body.skipMultilineEncoding,
secretComment: req.body.secretComment
secretComment: req.body.secretComment,
tagIds: req.body.tagIds
});

await server.services.auditLog.createAuditLog({
Expand Down Expand Up @@ -492,7 +503,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
.transform(removeTrailingSlash)
.describe(RAW_SECRETS.UPDATE.secretPath),
skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type)
type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type),
tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds)
}),
response: {
200: z.object({
Expand All @@ -513,7 +525,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
secretName: req.params.secretName,
type: req.body.type,
secretValue: req.body.secretValue,
skipMultilineEncoding: req.body.skipMultilineEncoding
skipMultilineEncoding: req.body.skipMultilineEncoding,
tagIds: req.body.tagIds
});

await server.services.auditLog.createAuditLog({
Expand Down
3 changes: 2 additions & 1 deletion backend/src/services/secret-tag/secret-tag-service.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,8 @@ export const secretTagServiceFactory = ({ secretTagDAL, permissionService }: TSe
name,
slug,
color,
createdBy: actorId
createdBy: actorId,
createdByActorType: actor
});
return newTag;
};
Expand Down
35 changes: 35 additions & 0 deletions backend/src/services/secret/secret-dal.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -311,13 +311,48 @@ export const secretDALFactory = (db: TDbClient) => {
}
};

const findOneWithTags = async (filter: Partial<TSecrets>, tx?: Knex) => {
try {
const rawDocs = await (tx || db)(TableName.Secret)
.where(filter)
.leftJoin(TableName.JnSecretTag, `${TableName.Secret}.id`, `${TableName.JnSecretTag}.${TableName.Secret}Id`)
.leftJoin(TableName.SecretTag, `${TableName.JnSecretTag}.${TableName.SecretTag}Id`, `${TableName.SecretTag}.id`)
.select(selectAllTableCols(TableName.Secret))
.select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
.select(db.ref("color").withSchema(TableName.SecretTag).as("tagColor"))
.select(db.ref("slug").withSchema(TableName.SecretTag).as("tagSlug"))
.select(db.ref("name").withSchema(TableName.SecretTag).as("tagName"));
const docs = sqlNestRelationships({
data: rawDocs,
key: "id",
parentMapper: (el) => ({ _id: el.id, ...SecretsSchema.parse(el) }),
childrenMapper: [
{
key: "tagId",
label: "tags" as const,
mapper: ({ tagId: id, tagColor: color, tagSlug: slug, tagName: name }) => ({
id,
color,
slug,
name
})
}
]
});
return docs?.[0];
} catch (error) {
throw new DatabaseError({ error, name: "FindOneWIthTags" });
}
};

return {
...secretOrm,
update,
bulkUpdate,
deleteMany,
bulkUpdateNoVersionIncrement,
getSecretTags,
findOneWithTags,
findByFolderId,
findByFolderIds,
findByBlindIndexes,
Expand Down
13 changes: 12 additions & 1 deletion backend/src/services/secret/secret-fns.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -356,7 +356,17 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
};

export const decryptSecretRaw = (
secret: TSecrets & { workspace: string; environment: string; secretPath: string },
secret: TSecrets & {
workspace: string;
environment: string;
secretPath: string;
tags?: {
id: string;
slug: string;
color?: string | null;
name: string;
}[];
},
key: string
) => {
const secretKey = decryptSymmetric128BitHexKeyUTF8({
Expand Down Expand Up @@ -396,6 +406,7 @@ export const decryptSecretRaw = (
_id: secret.id,
id: secret.id,
user: secret.userId,
tags: secret.tags,
skipMultilineEncoding: secret.skipMultilineEncoding
};
};
Expand Down
14 changes: 9 additions & 5 deletions backend/src/services/secret/secret-service.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -608,7 +608,7 @@ export const secretServiceFactory = ({
}

const secret = await (version === undefined
? secretDAL.findOne({
? secretDAL.findOneWithTags({
folderId,
type: secretType,
userId: secretType === SecretType.Personal ? actorId : null,
Expand Down Expand Up @@ -1120,7 +1120,8 @@ export const secretServiceFactory = ({
secretPath,
secretValue,
secretComment,
skipMultilineEncoding
skipMultilineEncoding,
tagIds
}: TCreateSecretRawDTO) => {
const botKey = await projectBotService.getBotKey(projectId);
if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
Expand Down Expand Up @@ -1148,7 +1149,8 @@ export const secretServiceFactory = ({
secretCommentCiphertext: secretCommentEncrypted.ciphertext,
secretCommentIV: secretCommentEncrypted.iv,
secretCommentTag: secretCommentEncrypted.tag,
skipMultilineEncoding
skipMultilineEncoding,
tags: tagIds
});

return decryptSecretRaw(secret, botKey);
Expand All @@ -1165,7 +1167,8 @@ export const secretServiceFactory = ({
type,
secretPath,
secretValue,
skipMultilineEncoding
skipMultilineEncoding,
tagIds
}: TUpdateSecretRawDTO) => {
const botKey = await projectBotService.getBotKey(projectId);
if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
Expand All @@ -1185,7 +1188,8 @@ export const secretServiceFactory = ({
secretValueCiphertext: secretValueEncrypted.ciphertext,
secretValueIV: secretValueEncrypted.iv,
secretValueTag: secretValueEncrypted.tag,
skipMultilineEncoding
skipMultilineEncoding,
tags: tagIds
});

await snapshotService.performSnapshot(secret.folderId);
Expand Down
2 changes: 2 additions & 0 deletions backend/src/services/secret/secret-types.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,7 @@ export type TCreateSecretRawDTO = TProjectPermission & {
secretName: string;
secretValue: string;
type: SecretType;
tagIds?: string[];
secretComment?: string;
skipMultilineEncoding?: boolean;
};
Expand All @@ -174,6 +175,7 @@ export type TUpdateSecretRawDTO = TProjectPermission & {
secretName: string;
secretValue?: string;
type: SecretType;
tagIds?: string[];
skipMultilineEncoding?: boolean;
secretReminderRepeatDays?: number | null;
secretReminderNote?: string | null;
Expand Down

0 comments on commit 5d45237

Please sign in to comment.