Tag based filtering for secret endpoint

backend/src/lib/api-docs/constants.ts

@@ -596,7 +596,8 @@ export const RAW_SECRETS = {
       "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
-    includeImports: "Weather to include imported secrets or not."
+    includeImports: "Weather to include imported secrets or not.",
+    tagSlugs: "The comma seperated tag slugs to filter secrets"
   },
   CREATE: {
     secretName: "The name of the secret to create.",

backend/src/server/routes/v3/secret-router.ts

@@ -180,7 +180,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .enum(["true", "false"])
           .default("false")
           .transform((value) => value === "true")
-          .describe(RAW_SECRETS.LIST.includeImports)
+          .describe(RAW_SECRETS.LIST.includeImports),
+        tagSlugs: z
+          .string()
+          .describe(RAW_SECRETS.LIST.tagSlugs)
+          .optional()
+          // split by comma and trim the strings
+          .transform((el) => (el ? el.split(",").map((i) => i.trim()) : []))
       }),
       response: {
         200: z.object({
@@ -251,7 +257,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         projectId: workspaceId,
         path: secretPath,
         includeImports: req.query.include_imports,
-        recursive: req.query.recursive
+        recursive: req.query.recursive,
+        tagSlugs: req.query.tagSlugs
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -429,6 +429,7 @@ export const secretV2BridgeServiceFactory = ({
     actorAuthMethod,
     includeImports,
     recursive,
+    tagSlugs = [],
     expandSecretReferences: shouldExpandSecretReferences
   }: TGetSecretsDTO) => {
     const { permission } = await permissionService.getProjectPermission(
@@ -496,6 +497,9 @@ export const secretV2BridgeServiceFactory = ({
           : ""
       })
     );
+    const filteredSecrets = tagSlugs.length
+      ? decryptedSecrets.filter((secret) => Boolean(secret.tags?.find((el) => tagSlugs.includes(el.slug))))
+      : decryptedSecrets;
     const expandSecretReferences = expandSecretReferencesFactory({
       projectId,
       folderDAL,
@@ -504,7 +508,7 @@ export const secretV2BridgeServiceFactory = ({
     });
 
     if (shouldExpandSecretReferences) {
-      const secretsGroupByPath = groupBy(decryptedSecrets, (i) => i.secretPath);
+      const secretsGroupByPath = groupBy(filteredSecrets, (i) => i.secretPath);
       for (const secretPathKey in secretsGroupByPath) {
         if (Object.hasOwn(secretsGroupByPath, secretPathKey)) {
           const secretsGroupByKey = secretsGroupByPath[secretPathKey].reduce(
@@ -530,7 +534,7 @@ export const secretV2BridgeServiceFactory = ({
 
     if (!includeImports) {
       return {
-        secrets: decryptedSecrets
+        secrets: filteredSecrets
       };
     }
 
@@ -558,7 +562,7 @@ export const secretV2BridgeServiceFactory = ({
     });
 
     return {
-      secrets: decryptedSecrets,
+      secrets: filteredSecrets,
       imports: importedSecrets
     };
   };

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -20,6 +20,7 @@ export type TGetSecretsDTO = {
   environment: string;
   includeImports?: boolean;
   recursive?: boolean;
+  tagSlugs?: string[];
 } & TProjectPermission;
 
 export type TGetASecretDTO = {

backend/src/services/secret/secret-service.ts

@@ -964,7 +964,8 @@ export const secretServiceFactory = ({
     environment,
     includeImports,
     expandSecretReferences,
-    recursive
+    recursive,
+    tagSlugs = []
   }: TGetSecretsRawDTO) => {
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
@@ -978,7 +979,8 @@ export const secretServiceFactory = ({
         path,
         recursive,
         actorAuthMethod,
-        includeImports
+        includeImports,
+        tagSlugs
       });
       return { secrets, imports };
     }
@@ -998,6 +1000,9 @@ export const secretServiceFactory = ({
     });
 
     const decryptedSecrets = secrets.map((el) => decryptSecretRaw(el, botKey));
+    const filteredSecrets = tagSlugs.length
+      ? decryptedSecrets.filter((secret) => Boolean(secret.tags?.find((el) => tagSlugs.includes(el.slug))))
+      : decryptedSecrets;
     const processedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => {
       const decryptedImportSecrets = importedSecrets.map((sec) =>
         decryptSecretRaw(
@@ -1106,14 +1111,14 @@ export const secretServiceFactory = ({
       };
 
       // expand secrets
-      await batchSecretsExpand(decryptedSecrets);
+      await batchSecretsExpand(filteredSecrets);
 
       // expand imports by batch
       await Promise.all(processedImports.map((processedImport) => batchSecretsExpand(processedImport.secrets)));
     }
 
     return {
-      secrets: decryptedSecrets,
+      secrets: filteredSecrets,
       imports: processedImports
     };
   };

backend/src/services/secret/secret-types.ts

@@ -149,6 +149,7 @@ export type TGetSecretsRawDTO = {
   environment: string;
   includeImports?: boolean;
   recursive?: boolean;
+  tagSlugs?: string[];
 } & TProjectPermission;
 
 export type TGetASecretRawDTO = {

cli/packages/api/api.go

@@ -404,6 +404,10 @@ func CallGetRawSecretsV3(httpClient *resty.Client, request GetRawSecretsV3Reques
 		SetQueryParam("environment", request.Environment).
 		SetQueryParam("secretPath", request.SecretPath)
 
+	if request.TagSlugs != "" {
+		req.SetQueryParam("tagSlugs", request.TagSlugs)
+	}
+
 	if request.IncludeImport {
 		req.SetQueryParam("include_imports", "true")
 	}

cli/packages/api/model.go

@@ -574,6 +574,7 @@ type GetRawSecretsV3Request struct {
 	SecretPath    string `json:"secretPath"`
 	IncludeImport bool   `json:"include_imports"`
 	Recursive     bool   `json:"recursive"`
+	TagSlugs      string `json:"tagSlugs,omitempty"`
 }
 
 type GetRawSecretsV3Response struct {

cli/packages/cmd/agent.go

@@ -312,7 +312,7 @@ func ParseAgentConfig(configFile []byte) (*Config, error) {
 
 func secretTemplateFunction(accessToken string, existingEtag string, currentEtag *string) func(string, string, string) ([]models.SingleEnvironmentVariable, error) {
 	return func(projectID, envSlug, secretPath string) ([]models.SingleEnvironmentVariable, error) {
-		res, err := util.GetPlainTextSecretsV3(accessToken, projectID, envSlug, secretPath, false, false)
+		res, err := util.GetPlainTextSecretsV3(accessToken, projectID, envSlug, secretPath, false, false, "")
 		if err != nil {
 			return nil, err
 		}

cli/packages/util/secrets.go

@@ -20,7 +20,7 @@ import (
 	"github.com/zalando/go-keyring"
 )
 
-func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment string, secretPath string, includeImports bool, recursive bool) ([]models.SingleEnvironmentVariable, error) {
+func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment string, secretPath string, includeImports bool, recursive bool, tagSlugs string) ([]models.SingleEnvironmentVariable, error) {
 	serviceTokenParts := strings.SplitN(fullServiceToken, ".", 4)
 	if len(serviceTokenParts) < 4 {
 		return nil, fmt.Errorf("invalid service token entered. Please double check your service token and try again")
@@ -53,6 +53,7 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 		SecretPath:    secretPath,
 		IncludeImport: includeImports,
 		Recursive:     recursive,
+		TagSlugs:      tagSlugs,
 	})
 
 	if err != nil {
@@ -76,7 +77,7 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 
 }
 
-func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool) (models.PlaintextSecretResult, error) {
+func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool, tagSlugs string) (models.PlaintextSecretResult, error) {
 	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
@@ -86,7 +87,7 @@ func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentNa
 		Environment:   environmentName,
 		IncludeImport: includeImports,
 		Recursive:     recursive,
-		// TagSlugs:    tagSlugs,
+		TagSlugs:      tagSlugs,
 	}
 
 	if secretsPath != "" {
@@ -281,7 +282,7 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 		}
 
 		res, err := GetPlainTextSecretsV3(loggedInUserDetails.UserCredentials.JTWToken, infisicalDotJson.WorkspaceId,
-			params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive)
+			params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
 		log.Debug().Msgf("GetAllEnvironmentVariables: Trying to fetch secrets JTW token [err=%s]", err)
 
 		if err == nil {
@@ -303,15 +304,15 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 	} else {
 		if params.InfisicalToken != "" {
 			log.Debug().Msg("Trying to fetch secrets using service token")
-			secretsToReturn, errorToReturn = GetPlainTextSecretsViaServiceToken(params.InfisicalToken, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive)
+			secretsToReturn, errorToReturn = GetPlainTextSecretsViaServiceToken(params.InfisicalToken, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
 		} else if params.UniversalAuthAccessToken != "" {
 
 			if params.WorkspaceId == "" {
 				PrintErrorMessageAndExit("Project ID is required when using machine identity")
 			}
 
 			log.Debug().Msg("Trying to fetch secrets using universal auth")
-			res, err := GetPlainTextSecretsV3(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive)
+			res, err := GetPlainTextSecretsV3(params.UniversalAuthAccessToken, params.WorkspaceId, params.Environment, params.SecretsPath, params.IncludeImport, params.Recursive, params.TagSlugs)
 
 			errorToReturn = err
 			secretsToReturn = res.Secrets