Tuan Dang
7 months ago
commit
5fb406884d
@ -1,37 +1,44 @@
|
||||
---
|
||||
title: "Secret Rotation Overview"
|
||||
description: "Keep your credentials safe by rotation"
|
||||
---
|
||||
# Secret Rotation Overview
|
||||
|
||||
Secret rotation is the process of periodically changing the values of secrets. This is done to reduce the risk of secrets being compromised and used to gain unauthorized access to systems or data.
|
||||
## Introduction
|
||||
|
||||
Rotated secrets can be
|
||||
1. API key for an external service
|
||||
2. Database credentials
|
||||
Secret rotation is a process that involves updating secret credentials periodically to minimize the risk of their compromise.
|
||||
Rotating secrets helps prevent unauthorized access to systems and sensitive data by ensuring that old credentials are replaced with new ones regularly.
|
||||
|
||||
## How does the rotation happen?
|
||||
Rotated secrets may include, but are not limited to:
|
||||
|
||||
There are four phases in secret rotation and its triggered periodically in an internval.
|
||||
1. API keys for external services
|
||||
2. Database credentials for various platforms
|
||||
|
||||
1. Creation
|
||||
## Rotation Process
|
||||
|
||||
System will create secret by calling an external service like an API call, or randomly generate a value.
|
||||
Now there exist three valid secrets.
|
||||
The practice of rotating secrets is a systematic and interval-based operation, carried out in four fundamental phases.
|
||||
|
||||
2. Test
|
||||
### 1. Creation
|
||||
|
||||
Test the new secret key by some check to ensure its working one. Thus only two will be considered active and the other is considered inactive.
|
||||
The system initiates the rotation process by either making an API call to an external service or generating a new secret value internally.
|
||||
Upon successful creation, the system will temporarily have three versions of the secret:
|
||||
|
||||
3. Deletion
|
||||
- **Current active secret**: The one currently in use.
|
||||
- **Future active secret (pending)**: The newly created secret, awaiting validation.
|
||||
- **Previous active secret**: The old secret, soon to be retired.
|
||||
|
||||
System will remove the inactive secret and now there exist two valid secrets
|
||||
### 2. Testing
|
||||
|
||||
4. Finish
|
||||
The newly generated secret is subjected to a verification process to ensure its validity and functionality.
|
||||
This involves conducting checks or tests that simulate actual operations the secret would perform.
|
||||
Only the current active and the future active (pending) secrets are considered operational at this stage, while the previous active secret remains in standby mode.
|
||||
|
||||
System will switch the secret value from the rotated ones and trigger side effects like webhooks and events.
|
||||
### 3. Deletion
|
||||
|
||||
Post-verification, the system deactivates and deletes the previous active secret, leaving only the current and future active (pending) secrets in the system.
|
||||
|
||||
### 4. Activation
|
||||
|
||||
Finally, the system promotes the future active (pending) secret to be the new current active secret. It then triggers necessary side effects, such as invoking webhooks and generating events, to notify other services of the change.
|
||||
|
||||
## Infisical Secret Rotation Strategies
|
||||
|
||||
1. [SendGrid](./sendgrid)
|
||||
2. [PostgreSQL/CockroachDB](./postgres)
|
||||
3. [MySQL/MariaDB](./mysql)
|
||||
1. [SendGrid Integration](./sendgrid)
|
||||
2. [PostgreSQL/CockroachDB Implementation](./postgres)
|
||||
3. [MySQL/MariaDB Configuration](./mysql)
|
||||
|
||||
@ -0,0 +1,98 @@
|
||||
import { ProjectPermissionCan } from "@app/components/permissions";
|
||||
import {
|
||||
decryptAssymmetric,
|
||||
decryptSymmetric
|
||||
} from "@app/components/utilities/cryptography/crypto";
|
||||
import { Button, Spinner } from "@app/components/v2";
|
||||
import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
|
||||
import { useToggle } from "@app/hooks";
|
||||
import { useGetWorkspaceIndexStatus, useNameWorkspaceSecrets } from "@app/hooks/api";
|
||||
import { UserWsKeyPair } from "@app/hooks/api/types";
|
||||
import { fetchWorkspaceSecrets } from "@app/hooks/api/workspace/queries";
|
||||
|
||||
// TODO: add check so that this only shows up if user is
|
||||
// an admin in the workspace
|
||||
type Props = {
|
||||
decryptFileKey: UserWsKeyPair;
|
||||
};
|
||||
|
||||
export const ProjectIndexSecretsSection = ({ decryptFileKey }: Props) => {
|
||||
const { currentWorkspace } = useWorkspace();
|
||||
const { data: isBlindIndexed, isLoading: isBlindIndexedLoading } = useGetWorkspaceIndexStatus(
|
||||
currentWorkspace?._id ?? ""
|
||||
);
|
||||
const [isIndexing, setIsIndexing] = useToggle();
|
||||
const nameWorkspaceSecrets = useNameWorkspaceSecrets();
|
||||
|
||||
const onEnableBlindIndices = async () => {
|
||||
if (!currentWorkspace?._id) return;
|
||||
setIsIndexing.on();
|
||||
try {
|
||||
const encryptedSecrets = await fetchWorkspaceSecrets(currentWorkspace._id);
|
||||
|
||||
const key = decryptAssymmetric({
|
||||
ciphertext: decryptFileKey.encryptedKey,
|
||||
nonce: decryptFileKey.nonce,
|
||||
publicKey: decryptFileKey.sender.publicKey,
|
||||
privateKey: localStorage.getItem("PRIVATE_KEY") as string
|
||||
});
|
||||
|
||||
const secretsToUpdate = encryptedSecrets.map((encryptedSecret) => {
|
||||
const secretName = decryptSymmetric({
|
||||
ciphertext: encryptedSecret.secretKeyCiphertext,
|
||||
iv: encryptedSecret.secretKeyIV,
|
||||
tag: encryptedSecret.secretKeyTag,
|
||||
key
|
||||
});
|
||||
|
||||
return {
|
||||
secretName,
|
||||
_id: encryptedSecret._id
|
||||
};
|
||||
});
|
||||
await nameWorkspaceSecrets.mutateAsync({
|
||||
workspaceId: currentWorkspace._id,
|
||||
secretsToUpdate
|
||||
});
|
||||
} catch (err) {
|
||||
console.log(err);
|
||||
} finally {
|
||||
setIsIndexing.off();
|
||||
}
|
||||
};
|
||||
|
||||
return !isBlindIndexedLoading && !isBlindIndexed ? (
|
||||
<div className="p-4 mt-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600">
|
||||
{isIndexing && (
|
||||
<div className="w-screen absolute top-0 left-0 h-screen z-50 bg-bunker-500 bg-opacity-80 flex items-center justify-center">
|
||||
<Spinner size="lg" className="text-primary" />
|
||||
<div className="flex flex-col space-y-1 ml-4">
|
||||
<div className="text-3xl font-medium">Please wait</div>
|
||||
<span className="inline-block">Re-indexing your secrets...</span>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
<p className="mb-2 text-lg font-semibold">Enable Blind Indices</p>
|
||||
<p className="text-gray-400 mb-4 leading-7">
|
||||
Your project was created before the introduction of blind indexing.
|
||||
To continue accessing secrets by name through the SDK, public API and web dashboard, please enable blind
|
||||
indexing. <b>This is a one time process.</b>
|
||||
</p>
|
||||
<ProjectPermissionCan I={ProjectPermissionActions.Edit} a={ProjectPermissionSub.Settings}>
|
||||
{(isAllowed) => (
|
||||
<Button
|
||||
onClick={onEnableBlindIndices}
|
||||
isDisabled={!isAllowed}
|
||||
color="mineshaft"
|
||||
type="submit"
|
||||
isLoading={isIndexing}
|
||||
>
|
||||
Enable Blind Indexing
|
||||
</Button>
|
||||
)}
|
||||
</ProjectPermissionCan>
|
||||
</div>
|
||||
) : (
|
||||
<div />
|
||||
);
|
||||
};
|
||||
@ -1,81 +1,70 @@
|
||||
import { useRouter } from "next/router";
|
||||
|
||||
import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
|
||||
import {
|
||||
Button,
|
||||
DeleteActionModal
|
||||
} from "@app/components/v2";
|
||||
import { useOrganization, useUser } from "@app/context";
|
||||
import {
|
||||
useDeleteOrgById,
|
||||
useGetOrgUsers
|
||||
} from "@app/hooks/api";
|
||||
import { Button, DeleteActionModal } from "@app/components/v2";
|
||||
import { useOrganization, useOrgPermission } from "@app/context";
|
||||
import { useDeleteOrgById } from "@app/hooks/api";
|
||||
import { usePopUp } from "@app/hooks/usePopUp";
|
||||
import { navigateUserToOrg } from "@app/views/Login/Login.utils";
|
||||
|
||||
export const OrgDeleteSection = () => {
|
||||
const router = useRouter();
|
||||
const { currentOrg } = useOrganization();
|
||||
const { user } = useUser();
|
||||
const { createNotification } = useNotificationContext();
|
||||
const { data: members } = useGetOrgUsers(currentOrg?._id ?? "");
|
||||
|
||||
const membershipOrg = members?.find((member) => member.user._id === user._id);
|
||||
const router = useRouter();
|
||||
const { currentOrg } = useOrganization();
|
||||
const { createNotification } = useNotificationContext();
|
||||
const { membership } = useOrgPermission();
|
||||
|
||||
const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
|
||||
"deleteOrg"
|
||||
] as const);
|
||||
const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
|
||||
"deleteOrg"
|
||||
] as const);
|
||||
|
||||
const { mutateAsync, isLoading } = useDeleteOrgById();
|
||||
|
||||
const handleDeleteOrgSubmit = async () => {
|
||||
try {
|
||||
if (!currentOrg?._id) return;
|
||||
|
||||
await mutateAsync({
|
||||
organizationId: currentOrg?._id
|
||||
});
|
||||
|
||||
createNotification({
|
||||
text: "Successfully deleted organization",
|
||||
type: "success"
|
||||
});
|
||||
const { mutateAsync, isLoading } = useDeleteOrgById();
|
||||
|
||||
await navigateUserToOrg(router);
|
||||
|
||||
handlePopUpClose("deleteOrg");
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
createNotification({
|
||||
text: "Failed to delete organization",
|
||||
type: "error"
|
||||
});
|
||||
}
|
||||
const handleDeleteOrgSubmit = async () => {
|
||||
try {
|
||||
if (!currentOrg?._id) return;
|
||||
|
||||
await mutateAsync({
|
||||
organizationId: currentOrg?._id
|
||||
});
|
||||
|
||||
createNotification({
|
||||
text: "Successfully deleted organization",
|
||||
type: "success"
|
||||
});
|
||||
|
||||
await navigateUserToOrg(router);
|
||||
|
||||
handlePopUpClose("deleteOrg");
|
||||
} catch (err) {
|
||||
console.error(err);
|
||||
createNotification({
|
||||
text: "Failed to delete organization",
|
||||
type: "error"
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
return (
|
||||
<div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600 mb-6">
|
||||
<p className="text-xl font-semibold text-mineshaft-100 mb-4">
|
||||
Danger Zone
|
||||
</p>
|
||||
<Button
|
||||
isLoading={isLoading}
|
||||
colorSchema="danger"
|
||||
variant="outline_bg"
|
||||
type="submit"
|
||||
onClick={() => handlePopUpOpen("deleteOrg")}
|
||||
isDisabled={(membershipOrg && membershipOrg.role !== "admin")}
|
||||
>
|
||||
{`Delete ${currentOrg?.name}`}
|
||||
</Button>
|
||||
<DeleteActionModal
|
||||
isOpen={popUp.deleteOrg.isOpen}
|
||||
title="Are you sure want to delete this organization?"
|
||||
subTitle={`Permanently remove ${currentOrg?.name} and all of its data. This action is not reversible, so please be careful.`}
|
||||
onChange={(isOpen) => handlePopUpToggle("deleteOrg", isOpen)}
|
||||
deleteKey="confirm"
|
||||
onDeleteApproved={handleDeleteOrgSubmit}
|
||||
/>
|
||||
</div>
|
||||
);
|
||||
}
|
||||
return (
|
||||
<div className="p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600 mb-6">
|
||||
<p className="text-xl font-semibold text-mineshaft-100 mb-4">Danger Zone</p>
|
||||
<Button
|
||||
isLoading={isLoading}
|
||||
colorSchema="danger"
|
||||
variant="outline_bg"
|
||||
type="submit"
|
||||
onClick={() => handlePopUpOpen("deleteOrg")}
|
||||
isDisabled={Boolean(membership && membership.role !== "admin")}
|
||||
>
|
||||
{`Delete ${currentOrg?.name}`}
|
||||
</Button>
|
||||
<DeleteActionModal
|
||||
isOpen={popUp.deleteOrg.isOpen}
|
||||
title="Are you sure want to delete this organization?"
|
||||
subTitle={`Permanently remove ${currentOrg?.name} and all of its data. This action is not reversible, so please be careful.`}
|
||||
onChange={(isOpen) => handlePopUpToggle("deleteOrg", isOpen)}
|
||||
deleteKey="confirm"
|
||||
onDeleteApproved={handleDeleteOrgSubmit}
|
||||
/>
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
@ -1,24 +1,17 @@
|
||||
import { useOrganization, useUser } from "@app/context";
|
||||
import { useGetOrgUsers } from "@app/hooks/api";
|
||||
import { useOrgPermission } from "@app/context";
|
||||
|
||||
import { OrgDeleteSection } from "../OrgDeleteSection";
|
||||
import { OrgIncidentContactsSection } from "../OrgIncidentContactsSection";
|
||||
import { OrgNameChangeSection } from "../OrgNameChangeSection";
|
||||
|
||||
export const OrgGeneralTab = () => {
|
||||
const { currentOrg } = useOrganization();
|
||||
const { user } = useUser();
|
||||
const { data: members } = useGetOrgUsers(currentOrg?._id ?? "");
|
||||
|
||||
const membershipOrg = members?.find((member) => member.user._id === user?._id);
|
||||
const { membership } = useOrgPermission();
|
||||
|
||||
return (
|
||||
<div>
|
||||
<OrgNameChangeSection />
|
||||
<OrgIncidentContactsSection />
|
||||
{(membershipOrg && membershipOrg.role === "admin") && (
|
||||
<OrgDeleteSection />
|
||||
)}
|
||||
{membership && membership.role === "admin" && <OrgDeleteSection />}
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
@ -1,84 +0,0 @@
|
||||
import { ProjectPermissionCan } from "@app/components/permissions";
|
||||
import {
|
||||
decryptAssymmetric,
|
||||
decryptSymmetric
|
||||
} from "@app/components/utilities/cryptography/crypto";
|
||||
import { Button } from "@app/components/v2";
|
||||
import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
|
||||
import {
|
||||
useGetUserWsKey,
|
||||
useGetWorkspaceIndexStatus,
|
||||
useGetWorkspaceSecrets,
|
||||
useNameWorkspaceSecrets
|
||||
} from "@app/hooks/api";
|
||||
|
||||
// TODO: add check so that this only shows up if user is
|
||||
// an admin in the workspace
|
||||
|
||||
export const ProjectIndexSecretsSection = () => {
|
||||
const { currentWorkspace } = useWorkspace();
|
||||
const { data: isBlindIndexed, isLoading: isBlindIndexedLoading } = useGetWorkspaceIndexStatus(
|
||||
currentWorkspace?._id ?? ""
|
||||
);
|
||||
const { data: latestFileKey } = useGetUserWsKey(currentWorkspace?._id ?? "");
|
||||
const { data: encryptedSecrets } = useGetWorkspaceSecrets(currentWorkspace?._id ?? "");
|
||||
const nameWorkspaceSecrets = useNameWorkspaceSecrets();
|
||||
|
||||
const onEnableBlindIndices = async () => {
|
||||
if (!currentWorkspace?._id) return;
|
||||
if (!encryptedSecrets) return;
|
||||
if (!latestFileKey) return;
|
||||
|
||||
const key = decryptAssymmetric({
|
||||
ciphertext: latestFileKey.encryptedKey,
|
||||
nonce: latestFileKey.nonce,
|
||||
publicKey: latestFileKey.sender.publicKey,
|
||||
privateKey: localStorage.getItem("PRIVATE_KEY") as string
|
||||
});
|
||||
|
||||
const secretsToUpdate = encryptedSecrets.map((encryptedSecret) => {
|
||||
const secretName = decryptSymmetric({
|
||||
ciphertext: encryptedSecret.secretKeyCiphertext,
|
||||
iv: encryptedSecret.secretKeyIV,
|
||||
tag: encryptedSecret.secretKeyTag,
|
||||
key
|
||||
});
|
||||
|
||||
return {
|
||||
secretName,
|
||||
_id: encryptedSecret._id
|
||||
};
|
||||
});
|
||||
|
||||
await nameWorkspaceSecrets.mutateAsync({
|
||||
workspaceId: currentWorkspace._id,
|
||||
secretsToUpdate
|
||||
});
|
||||
};
|
||||
|
||||
return !isBlindIndexedLoading && !isBlindIndexed ? (
|
||||
<div className="mb-6 p-4 bg-mineshaft-900 rounded-lg border border-mineshaft-600">
|
||||
<p className="mb-3 text-xl font-semibold">Blind Indices</p>
|
||||
<p className="text-gray-400 mb-8">
|
||||
Your project, created before the introduction of blind indexing, contains unindexed secrets.
|
||||
To access individual secrets by name through the SDK and public API, please enable blind
|
||||
indexing.
|
||||
</p>
|
||||
<ProjectPermissionCan I={ProjectPermissionActions.Edit} a={ProjectPermissionSub.Settings}>
|
||||
{(isAllowed) => (
|
||||
<Button
|
||||
onClick={onEnableBlindIndices}
|
||||
isDisabled={!isAllowed}
|
||||
color="mineshaft"
|
||||
size="sm"
|
||||
type="submit"
|
||||
>
|
||||
Enable Blind Indexing
|
||||
</Button>
|
||||
)}
|
||||
</ProjectPermissionCan>
|
||||
</div>
|
||||
) : (
|
||||
<div />
|
||||
);
|
||||
};
|
||||
Loading…
Reference in new issue