Merge remote-tracking branch 'origin' into dependabot/npm_and_yarn/frontend/babel/traverse-and-babel/traverse-and-storybook/addon-essentials-and-storybook/csf-tools-and-storybook-7.23.2
@ -0,0 +1,91 @@
|
||||
import { Request, Response } from "express";
|
||||
import { validateRequest } from "../../../helpers/validation";
|
||||
import * as reqValidator from "../../validation/secretRotation";
|
||||
import * as secretRotationService from "../../secretRotation/service";
|
||||
import {
|
||||
getUserProjectPermissions,
|
||||
ProjectPermissionActions,
|
||||
ProjectPermissionSub
|
||||
} from "../../services/ProjectRoleService";
|
||||
import { ForbiddenError } from "@casl/ability";
|
||||
|
||||
export const createSecretRotation = async (req: Request, res: Response) => {
|
||||
const {
|
||||
body: {
|
||||
provider,
|
||||
customProvider,
|
||||
interval,
|
||||
outputs,
|
||||
secretPath,
|
||||
environment,
|
||||
workspaceId,
|
||||
inputs
|
||||
}
|
||||
} = await validateRequest(reqValidator.createSecretRotationV1, req);
|
||||
|
||||
const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
|
||||
ForbiddenError.from(permission).throwUnlessCan(
|
||||
ProjectPermissionActions.Create,
|
||||
ProjectPermissionSub.SecretRotation
|
||||
);
|
||||
|
||||
const secretRotation = await secretRotationService.createSecretRotation({
|
||||
workspaceId,
|
||||
inputs,
|
||||
environment,
|
||||
secretPath,
|
||||
outputs,
|
||||
interval,
|
||||
customProvider,
|
||||
provider
|
||||
});
|
||||
|
||||
return res.send({ secretRotation });
|
||||
};
|
||||
|
||||
export const restartSecretRotations = async (req: Request, res: Response) => {
|
||||
const {
|
||||
body: { id }
|
||||
} = await validateRequest(reqValidator.restartSecretRotationV1, req);
|
||||
|
||||
const doc = await secretRotationService.getSecretRotationById({ id });
|
||||
const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
|
||||
ForbiddenError.from(permission).throwUnlessCan(
|
||||
ProjectPermissionActions.Edit,
|
||||
ProjectPermissionSub.SecretRotation
|
||||
);
|
||||
|
||||
const secretRotation = await secretRotationService.restartSecretRotation({ id });
|
||||
return res.send({ secretRotation });
|
||||
};
|
||||
|
||||
export const deleteSecretRotations = async (req: Request, res: Response) => {
|
||||
const {
|
||||
params: { id }
|
||||
} = await validateRequest(reqValidator.removeSecretRotationV1, req);
|
||||
|
||||
const doc = await secretRotationService.getSecretRotationById({ id });
|
||||
const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
|
||||
ForbiddenError.from(permission).throwUnlessCan(
|
||||
ProjectPermissionActions.Delete,
|
||||
ProjectPermissionSub.SecretRotation
|
||||
);
|
||||
|
||||
const secretRotations = await secretRotationService.deleteSecretRotation({ id });
|
||||
return res.send({ secretRotations });
|
||||
};
|
||||
|
||||
export const getSecretRotations = async (req: Request, res: Response) => {
|
||||
const {
|
||||
query: { workspaceId }
|
||||
} = await validateRequest(reqValidator.getSecretRotationV1, req);
|
||||
|
||||
const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
|
||||
ForbiddenError.from(permission).throwUnlessCan(
|
||||
ProjectPermissionActions.Read,
|
||||
ProjectPermissionSub.SecretRotation
|
||||
);
|
||||
|
||||
const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
|
||||
return res.send({ secretRotations });
|
||||
};
|
@ -0,0 +1,28 @@
|
||||
import { Request, Response } from "express";
|
||||
import { validateRequest } from "../../../helpers/validation";
|
||||
import * as reqValidator from "../../validation/secretRotationProvider";
|
||||
import * as secretRotationProviderService from "../../secretRotation/service";
|
||||
import {
|
||||
getUserProjectPermissions,
|
||||
ProjectPermissionActions,
|
||||
ProjectPermissionSub
|
||||
} from "../../services/ProjectRoleService";
|
||||
import { ForbiddenError } from "@casl/ability";
|
||||
|
||||
export const getProviderTemplates = async (req: Request, res: Response) => {
|
||||
const {
|
||||
params: { workspaceId }
|
||||
} = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
|
||||
|
||||
const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
|
||||
ForbiddenError.from(permission).throwUnlessCan(
|
||||
ProjectPermissionActions.Read,
|
||||
ProjectPermissionSub.SecretRotation
|
||||
);
|
||||
|
||||
const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
|
||||
workspaceId
|
||||
});
|
||||
|
||||
return res.send(rotationProviderList);
|
||||
};
|
@ -0,0 +1,41 @@
|
||||
import express from "express";
|
||||
|
||||
import { AuthMode } from "../../../variables";
|
||||
import { requireAuth } from "../../../middleware";
|
||||
import { secretRotationController } from "../../controllers/v1";
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
router.post(
|
||||
"/",
|
||||
requireAuth({
|
||||
acceptedAuthModes: [AuthMode.JWT]
|
||||
}),
|
||||
secretRotationController.createSecretRotation
|
||||
);
|
||||
|
||||
router.post(
|
||||
"/restart",
|
||||
requireAuth({
|
||||
acceptedAuthModes: [AuthMode.JWT]
|
||||
}),
|
||||
secretRotationController.restartSecretRotations
|
||||
);
|
||||
|
||||
router.get(
|
||||
"/",
|
||||
requireAuth({
|
||||
acceptedAuthModes: [AuthMode.JWT]
|
||||
}),
|
||||
secretRotationController.getSecretRotations
|
||||
);
|
||||
|
||||
router.delete(
|
||||
"/:id",
|
||||
requireAuth({
|
||||
acceptedAuthModes: [AuthMode.JWT]
|
||||
}),
|
||||
secretRotationController.deleteSecretRotations
|
||||
);
|
||||
|
||||
export default router;
|
@ -0,0 +1,17 @@
|
||||
import express from "express";
|
||||
|
||||
import { AuthMode } from "../../../variables";
|
||||
import { requireAuth } from "../../../middleware";
|
||||
import { secretRotationProviderController } from "../../controllers/v1";
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
router.get(
|
||||
"/:workspaceId",
|
||||
requireAuth({
|
||||
acceptedAuthModes: [AuthMode.JWT]
|
||||
}),
|
||||
secretRotationProviderController.getProviderTemplates
|
||||
);
|
||||
|
||||
export default router;
|
@ -0,0 +1,91 @@
|
||||
import { Schema, model } from "mongoose";
|
||||
import {
|
||||
ALGORITHM_AES_256_GCM,
|
||||
ENCODING_SCHEME_BASE64,
|
||||
ENCODING_SCHEME_UTF8
|
||||
} from "../../variables";
|
||||
import { ISecretRotation } from "./types";
|
||||
|
||||
const secretRotationSchema = new Schema(
|
||||
{
|
||||
workspace: {
|
||||
type: Schema.Types.ObjectId,
|
||||
ref: "Workspace"
|
||||
},
|
||||
provider: {
|
||||
type: String,
|
||||
required: true
|
||||
},
|
||||
customProvider: {
|
||||
type: Schema.Types.ObjectId,
|
||||
ref: "SecretRotationProvider"
|
||||
},
|
||||
environment: {
|
||||
type: String,
|
||||
required: true
|
||||
},
|
||||
secretPath: {
|
||||
type: String,
|
||||
required: true
|
||||
},
|
||||
interval: {
|
||||
type: Number,
|
||||
required: true
|
||||
},
|
||||
lastRotatedAt: {
|
||||
type: String
|
||||
},
|
||||
status: {
|
||||
type: String,
|
||||
enum: ["success", "failed"]
|
||||
},
|
||||
statusMessage: {
|
||||
type: String
|
||||
},
|
||||
// encrypted data on input keys and secrets got
|
||||
encryptedData: {
|
||||
type: String,
|
||||
select: false
|
||||
},
|
||||
encryptedDataIV: {
|
||||
type: String,
|
||||
select: false
|
||||
},
|
||||
encryptedDataTag: {
|
||||
type: String,
|
||||
select: false
|
||||
},
|
||||
algorithm: {
|
||||
// the encryption algorithm used
|
||||
type: String,
|
||||
enum: [ALGORITHM_AES_256_GCM],
|
||||
required: true,
|
||||
select: false,
|
||||
default: ALGORITHM_AES_256_GCM
|
||||
},
|
||||
keyEncoding: {
|
||||
type: String,
|
||||
enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
|
||||
required: true,
|
||||
select: false,
|
||||
default: ENCODING_SCHEME_UTF8
|
||||
},
|
||||
outputs: [
|
||||
{
|
||||
key: {
|
||||
type: String,
|
||||
required: true
|
||||
},
|
||||
secret: {
|
||||
type: Schema.Types.ObjectId,
|
||||
ref: "Secret"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
timestamps: true
|
||||
}
|
||||
);
|
||||
|
||||
export const SecretRotation = model<ISecretRotation>("SecretRotation", secretRotationSchema);
|
@ -0,0 +1,288 @@
|
||||
import Queue, { Job } from "bull";
|
||||
import { client, getEncryptionKey, getRootEncryptionKey } from "../../../config";
|
||||
import { BotService, EventService, TelemetryService } from "../../../services";
|
||||
import { SecretRotation } from "../models";
|
||||
import { rotationTemplates } from "../templates";
|
||||
import {
|
||||
ISecretRotationData,
|
||||
ISecretRotationEncData,
|
||||
ISecretRotationProviderTemplate,
|
||||
TProviderFunctionTypes
|
||||
} from "../types";
|
||||
import {
|
||||
decryptSymmetric128BitHexKeyUTF8,
|
||||
encryptSymmetric128BitHexKeyUTF8
|
||||
} from "../../../utils/crypto";
|
||||
import { ISecret, Secret } from "../../../models";
|
||||
import { ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../../variables";
|
||||
import { EESecretService } from "../../services";
|
||||
import { SecretVersion } from "../../models";
|
||||
import { eventPushSecrets } from "../../../events";
|
||||
import { logger } from "../../../utils/logging";
|
||||
|
||||
import {
|
||||
secretRotationPreSetFn,
|
||||
secretRotationRemoveFn,
|
||||
secretRotationSetFn,
|
||||
secretRotationTestFn
|
||||
} from "./queue.utils";
|
||||
|
||||
const secretRotationQueue = new Queue("secret-rotation-service", process.env.REDIS_URL as string);
|
||||
|
||||
secretRotationQueue.process(async (job: Job) => {
|
||||
logger.info(`secretRotationQueue.process: [rotationDocument=${job.data.rotationDocId}]`);
|
||||
const rotationStratDocId = job.data.rotationDocId;
|
||||
const secretRotation = await SecretRotation.findById(rotationStratDocId)
|
||||
.select("+encryptedData +encryptedDataTag +encryptedDataIV +keyEncoding")
|
||||
.populate<{
|
||||
outputs: [
|
||||
{
|
||||
key: string;
|
||||
secret: ISecret;
|
||||
}
|
||||
];
|
||||
}>("outputs.secret");
|
||||
|
||||
const infisicalRotationProvider = rotationTemplates.find(
|
||||
({ name }) => name === secretRotation?.provider
|
||||
);
|
||||
|
||||
try {
|
||||
if (!infisicalRotationProvider || !secretRotation)
|
||||
throw new Error("Failed to find rotation strategy");
|
||||
|
||||
if (secretRotation.outputs.some(({ secret }) => !secret))
|
||||
throw new Error("Secrets not found in dashboard");
|
||||
|
||||
const workspaceId = secretRotation.workspace;
|
||||
|
||||
// deep copy
|
||||
const provider = JSON.parse(
|
||||
JSON.stringify(infisicalRotationProvider)
|
||||
) as ISecretRotationProviderTemplate;
|
||||
|
||||
// decrypt user provided inputs for secret rotation
|
||||
const encryptionKey = await getEncryptionKey();
|
||||
const rootEncryptionKey = await getRootEncryptionKey();
|
||||
let decryptedData = "";
|
||||
if (rootEncryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_BASE64) {
|
||||
// case: encoding scheme is base64
|
||||
decryptedData = client.decryptSymmetric(
|
||||
secretRotation.encryptedData,
|
||||
rootEncryptionKey,
|
||||
secretRotation.encryptedDataIV,
|
||||
secretRotation.encryptedDataTag
|
||||
);
|
||||
} else if (encryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_UTF8) {
|
||||
// case: encoding scheme is utf8
|
||||
decryptedData = decryptSymmetric128BitHexKeyUTF8({
|
||||
ciphertext: secretRotation.encryptedData,
|
||||
iv: secretRotation.encryptedDataIV,
|
||||
tag: secretRotation.encryptedDataTag,
|
||||
key: encryptionKey
|
||||
});
|
||||
}
|
||||
|
||||
const variables = JSON.parse(decryptedData) as ISecretRotationEncData;
|
||||
|
||||
// rotation set cycle
|
||||
const newCredential: ISecretRotationData = {
|
||||
inputs: variables.inputs,
|
||||
outputs: {},
|
||||
internal: {}
|
||||
};
|
||||
// special glue code for database
|
||||
if (provider.template.functions.set.type === TProviderFunctionTypes.DB) {
|
||||
const lastCred = variables.creds.at(-1);
|
||||
if (lastCred && variables.creds.length === 1) {
|
||||
newCredential.internal.username =
|
||||
lastCred.internal.username === variables.inputs.username1
|
||||
? variables.inputs.username2
|
||||
: variables.inputs.username1;
|
||||
} else {
|
||||
newCredential.internal.username = lastCred
|
||||
? lastCred.internal.username
|
||||
: variables.inputs.username1;
|
||||
}
|
||||
}
|
||||
if (provider.template.functions.set?.pre) {
|
||||
secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
|
||||
}
|
||||
await secretRotationSetFn(provider.template.functions.set, newCredential);
|
||||
await secretRotationTestFn(provider.template.functions.test, newCredential);
|
||||
|
||||
if (variables.creds.length === 2) {
|
||||
const deleteCycleCred = variables.creds.pop();
|
||||
if (deleteCycleCred && provider.template.functions.remove) {
|
||||
const deleteCycleVar = { inputs: variables.inputs, ...deleteCycleCred };
|
||||
await secretRotationRemoveFn(provider.template.functions.remove, deleteCycleVar);
|
||||
}
|
||||
}
|
||||
variables.creds.unshift({ outputs: newCredential.outputs, internal: newCredential.internal });
|
||||
const { ciphertext, iv, tag } = client.encryptSymmetric(
|
||||
JSON.stringify(variables),
|
||||
rootEncryptionKey
|
||||
);
|
||||
|
||||
// save the rotation state
|
||||
await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
|
||||
encryptedData: ciphertext,
|
||||
encryptedDataIV: iv,
|
||||
encryptedDataTag: tag,
|
||||
status: "success",
|
||||
statusMessage: "Rotated successfully",
|
||||
lastRotatedAt: new Date().toUTCString()
|
||||
});
|
||||
|
||||
const key = await BotService.getWorkspaceKeyWithBot({
|
||||
workspaceId: secretRotation.workspace
|
||||
});
|
||||
|
||||
const encryptedSecrets = secretRotation.outputs.map(({ key: outputKey, secret }) => ({
|
||||
secret,
|
||||
value: encryptSymmetric128BitHexKeyUTF8({
|
||||
plaintext:
|
||||
typeof newCredential.outputs[outputKey] === "object"
|
||||
? JSON.stringify(newCredential.outputs[outputKey])
|
||||
: String(newCredential.outputs[outputKey]),
|
||||
key
|
||||
})
|
||||
}));
|
||||
|
||||
// now save the secret do a bulk update
|
||||
// can't use the updateSecret function due to various parameter required issue
|
||||
// REFACTOR(akhilmhdh): secret module should be lot more flexible. Ability to update bulk or individually by blindIndex, by id etc
|
||||
await Secret.bulkWrite(
|
||||
encryptedSecrets.map(({ secret, value }) => ({
|
||||
updateOne: {
|
||||
filter: {
|
||||
workspace: workspaceId,
|
||||
environment: secretRotation.environment,
|
||||
_id: secret._id,
|
||||
type: SECRET_SHARED
|
||||
},
|
||||
update: {
|
||||
$inc: {
|
||||
version: 1
|
||||
},
|
||||
secretValueCiphertext: value.ciphertext,
|
||||
secretValueIV: value.iv,
|
||||
secretValueTag: value.tag
|
||||
}
|
||||
}
|
||||
}))
|
||||
);
|
||||
|
||||
await EESecretService.addSecretVersions({
|
||||
secretVersions: encryptedSecrets.map(({ secret, value }) => {
|
||||
const {
|
||||
_id,
|
||||
version,
|
||||
workspace,
|
||||
type,
|
||||
folder,
|
||||
secretBlindIndex,
|
||||
secretKeyIV,
|
||||
secretKeyTag,
|
||||
secretKeyCiphertext,
|
||||
skipMultilineEncoding,
|
||||
environment,
|
||||
algorithm,
|
||||
keyEncoding
|
||||
} = secret;
|
||||
|
||||
return new SecretVersion({
|
||||
secret: _id,
|
||||
version: version + 1,
|
||||
workspace: workspace,
|
||||
type,
|
||||
folder,
|
||||
environment,
|
||||
isDeleted: false,
|
||||
secretBlindIndex: secretBlindIndex,
|
||||
secretKeyCiphertext: secretKeyCiphertext,
|
||||
secretKeyIV: secretKeyIV,
|
||||
secretKeyTag: secretKeyTag,
|
||||
secretValueCiphertext: value.ciphertext,
|
||||
secretValueIV: value.iv,
|
||||
secretValueTag: value.tag,
|
||||
algorithm,
|
||||
keyEncoding,
|
||||
skipMultilineEncoding
|
||||
});
|
||||
})
|
||||
});
|
||||
|
||||
// akhilmhdh: @tony need to do something about this as its depend on authData which is not possibile in here
|
||||
// await EEAuditLogService.createAuditLog(
|
||||
// {actor:ActorType.Machine},
|
||||
// {
|
||||
// type: EventType.UPDATE_SECRETS,
|
||||
// metadata: {
|
||||
// environment,
|
||||
// secretPath,
|
||||
// secrets: secretsToBeUpdated.map(({ _id, version, secretBlindIndex }) => ({
|
||||
// secretId: _id.toString(),
|
||||
// secretKey: secretBlindIndexToKey[secretBlindIndex || ""],
|
||||
// secretVersion: version + 1
|
||||
// }))
|
||||
// }
|
||||
// },
|
||||
// {
|
||||
// workspaceId
|
||||
// }
|
||||
// );
|
||||
|
||||
const folderId = encryptedSecrets?.[0]?.secret?.folder;
|
||||
// (EE) take a secret snapshot
|
||||
await EESecretService.takeSecretSnapshot({
|
||||
workspaceId,
|
||||
environment: secretRotation.environment,
|
||||
folderId
|
||||
});
|
||||
|
||||
await EventService.handleEvent({
|
||||
event: eventPushSecrets({
|
||||
workspaceId: secretRotation.workspace,
|
||||
environment: secretRotation.environment,
|
||||
secretPath: secretRotation.secretPath
|
||||
})
|
||||
});
|
||||
|
||||
const postHogClient = await TelemetryService.getPostHogClient();
|
||||
if (postHogClient) {
|
||||
postHogClient.capture({
|
||||
event: "secrets rotated",
|
||||
properties: {
|
||||
numberOfSecrets: encryptedSecrets.length,
|
||||
environment: secretRotation.environment,
|
||||
workspaceId,
|
||||
folderId
|
||||
}
|
||||
});
|
||||
}
|
||||
} catch (err) {
|
||||
logger.error(err);
|
||||
await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
|
||||
status: "failed",
|
||||
statusMessage: (err as Error).message,
|
||||
lastRotatedAt: new Date().toUTCString()
|
||||
});
|
||||
}
|
||||
|
||||
return Promise.resolve();
|
||||
});
|
||||
|
||||
const daysToMillisecond = (days: number) => days * 24 * 60 * 60 * 1000;
|
||||
export const startSecretRotationQueue = async (rotationDocId: string, interval: number) => {
|
||||
// when migration to bull mq just use the option immedite to trigger repeatable immediately
|
||||
secretRotationQueue.add({ rotationDocId }, { jobId: rotationDocId, removeOnComplete: true });
|
||||
return secretRotationQueue.add(
|
||||
{ rotationDocId },
|
||||
{ repeat: { every: daysToMillisecond(interval) }, jobId: rotationDocId }
|
||||
);
|
||||
};
|
||||
|
||||
export const removeSecretRotationQueue = async (rotationDocId: string, interval: number) => {
|
||||
return secretRotationQueue.removeRepeatable({ every: interval * 1000, jobId: rotationDocId });
|
||||
};
|
@ -0,0 +1,179 @@
|
||||
import axios from "axios";
|
||||
import jmespath from "jmespath";
|
||||
import { customAlphabet } from "nanoid";
|
||||
import { Client as PgClient } from "pg";
|
||||
import mysql from "mysql2";
|
||||
import {
|
||||
ISecretRotationData,
|
||||
TAssignOp,
|
||||
TDbProviderClients,
|
||||
TDbProviderFunction,
|
||||
TDirectAssignOp,
|
||||
THttpProviderFunction,
|
||||
TProviderFunction,
|
||||
TProviderFunctionTypes
|
||||
} from "../types";
|
||||
const REGEX = /\${([^}]+)}/g;
|
||||
const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
|
||||
const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
|
||||
|
||||
export const interpolate = (data: any, getValue: (key: string) => unknown) => {
|
||||
if (!data) return;
|
||||
|
||||
if (typeof data === "number") return data;
|
||||
|
||||
if (typeof data === "string") {
|
||||
return data.replace(REGEX, (_a, b) => getValue(b) as string);
|
||||
}
|
||||
|
||||
if (typeof data === "object" && Array.isArray(data)) {
|
||||
data.forEach((el, index) => {
|
||||
data[index] = interpolate(el, getValue);
|
||||
});
|
||||
}
|
||||
|
||||
if (typeof data === "object") {
|
||||
if ((data as { ref: string })?.ref) return getValue((data as { ref: string }).ref);
|
||||
const temp = data as Record<string, unknown>; // for converting ts object to record type
|
||||
Object.keys(temp).forEach((key) => {
|
||||
temp[key as keyof typeof temp] = interpolate(data[key as keyof typeof temp], getValue);
|
||||
});
|
||||
}
|
||||
return data;
|
||||
};
|
||||
|
||||
const getInterpolationValue = (variables: ISecretRotationData) => (key: string) => {
|
||||
if (key.includes("|")) {
|
||||
const [keyword, ...arg] = key.split("|").map((el) => el.trim());
|
||||
switch (keyword) {
|
||||
case "random": {
|
||||
return nanoId(parseInt(arg[0], 10));
|
||||
}
|
||||
default: {
|
||||
throw Error(`Interpolation key not found - ${key}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
const [type, keyName] = key.split(".").map((el) => el.trim());
|
||||
return variables[type as keyof ISecretRotationData][keyName];
|
||||
};
|
||||
|
||||
export const secretRotationHttpFn = async (
|
||||
func: THttpProviderFunction,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
// string interpolation
|
||||
const headers = interpolate(func.header, getInterpolationValue(variables));
|
||||
const url = interpolate(func.url, getInterpolationValue(variables));
|
||||
const body = interpolate(func.body, getInterpolationValue(variables));
|
||||
// axios will automatically throw error if req status is not between 2xx range
|
||||
return axios({ method: func.method, url, headers, data: body });
|
||||
};
|
||||
|
||||
export const secretRotationDbFn = async (
|
||||
func: TDbProviderFunction,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
const { type, client, pre, ...dbConnection } = func;
|
||||
const { username, password, host, database, port, query, ca } = interpolate(
|
||||
dbConnection,
|
||||
getInterpolationValue(variables)
|
||||
);
|
||||
const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
|
||||
if (host === "localhost" || host === "127.0.0.1") throw new Error("Invalid db host");
|
||||
if (client === TDbProviderClients.Pg) {
|
||||
const pgClient = new PgClient({ user: username, password, host, database, port, ssl });
|
||||
await pgClient.connect();
|
||||
const res = await pgClient.query(query);
|
||||
await pgClient.end();
|
||||
return res.rows[0];
|
||||
} else if (client === TDbProviderClients.Sql) {
|
||||
const sqlClient = mysql.createPool({
|
||||
user: username,
|
||||
password,
|
||||
host,
|
||||
database,
|
||||
port,
|
||||
connectionLimit: 1,
|
||||
ssl
|
||||
});
|
||||
const res = await new Promise((resolve, reject) => {
|
||||
sqlClient.query(query, (err, data) => {
|
||||
if (err) return reject(err);
|
||||
resolve(data);
|
||||
});
|
||||
});
|
||||
await new Promise((resolve, reject) => {
|
||||
sqlClient.end(function (err) {
|
||||
if (err) return reject(err);
|
||||
return resolve({});
|
||||
});
|
||||
});
|
||||
return (res as any)?.[0];
|
||||
}
|
||||
};
|
||||
|
||||
export const secretRotationPreSetFn = (
|
||||
op: Record<string, TDirectAssignOp>,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
const getValFn = getInterpolationValue(variables);
|
||||
Object.entries(op || {}).forEach(([key, assignFn]) => {
|
||||
const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
|
||||
variables[type][keyName] = interpolate(assignFn.value, getValFn);
|
||||
});
|
||||
};
|
||||
|
||||
export const secretRotationSetFn = async (
|
||||
func: TProviderFunction,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
const getValFn = getInterpolationValue(variables);
|
||||
// http setter
|
||||
if (func.type === TProviderFunctionTypes.HTTP) {
|
||||
const res = await secretRotationHttpFn(func, variables);
|
||||
Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
|
||||
const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
|
||||
if (assignFn.assign === TAssignOp.JmesPath) {
|
||||
variables[type][keyName] = jmespath.search(res.data, assignFn.path);
|
||||
} else if (assignFn.value) {
|
||||
variables[type][keyName] = interpolate(assignFn.value, getValFn);
|
||||
}
|
||||
});
|
||||
// db setter
|
||||
} else if (func.type === TProviderFunctionTypes.DB) {
|
||||
const data = await secretRotationDbFn(func, variables);
|
||||
Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
|
||||
const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
|
||||
if (assignFn.assign === TAssignOp.JmesPath) {
|
||||
if (typeof data === "object") {
|
||||
variables[type][keyName] = jmespath.search(data, assignFn.path);
|
||||
}
|
||||
} else if (assignFn.value) {
|
||||
variables[type][keyName] = interpolate(assignFn.value, getValFn);
|
||||
}
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
export const secretRotationTestFn = async (
|
||||
func: TProviderFunction,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
if (func.type === TProviderFunctionTypes.HTTP) {
|
||||
await secretRotationHttpFn(func, variables);
|
||||
} else if (func.type === TProviderFunctionTypes.DB) {
|
||||
await secretRotationDbFn(func, variables);
|
||||
}
|
||||
};
|
||||
|
||||
export const secretRotationRemoveFn = async (
|
||||
func: TProviderFunction,
|
||||
variables: ISecretRotationData
|
||||
) => {
|
||||
if (!func) return;
|
||||
if (func.type === TProviderFunctionTypes.HTTP) {
|
||||
// string interpolation
|
||||
return await secretRotationHttpFn(func, variables);
|
||||
}
|
||||
};
|
@ -0,0 +1,130 @@
|
||||
import { ISecretRotationEncData, TCreateSecretRotation, TGetProviderTemplates } from "./types";
|
||||
import { rotationTemplates } from "./templates";
|
||||
import { SecretRotation } from "./models";
|
||||
import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
|
||||
import { BadRequestError } from "../../utils/errors";
|
||||
import Ajv from "ajv";
|
||||
import { removeSecretRotationQueue, startSecretRotationQueue } from "./queue/queue";
|
||||
import {
|
||||
ALGORITHM_AES_256_GCM,
|
||||
ENCODING_SCHEME_BASE64,
|
||||
ENCODING_SCHEME_UTF8
|
||||
} from "../../variables";
|
||||
import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
|
||||
|
||||
const ajv = new Ajv({ strict: false });
|
||||
|
||||
export const getProviderTemplate = async ({ workspaceId }: TGetProviderTemplates) => {
|
||||
return {
|
||||
custom: [],
|
||||
providers: rotationTemplates
|
||||
};
|
||||
};
|
||||
|
||||
export const createSecretRotation = async ({
|
||||
workspaceId,
|
||||
secretPath,
|
||||
environment,
|
||||
provider,
|
||||
interval,
|
||||
inputs,
|
||||
outputs
|
||||
}: TCreateSecretRotation) => {
|
||||
const rotationTemplate = rotationTemplates.find(({ name }) => name === provider);
|
||||
if (!rotationTemplate) throw BadRequestError({ message: "Provider not found" });
|
||||
|
||||
const formattedInputs: Record<string, unknown> = {};
|
||||
Object.entries(inputs).forEach(([key, value]) => {
|
||||
const type = rotationTemplate.template.inputs.properties[key].type;
|
||||
if (type === "string") {
|
||||
formattedInputs[key] = value;
|
||||
return;
|
||||
}
|
||||
if (type === "integer") {
|
||||
formattedInputs[key] = parseInt(value as string, 10);
|
||||
return;
|
||||
}
|
||||
formattedInputs[key] = JSON.parse(value as string);
|
||||
});
|
||||
// ensure input one follows the correct schema
|
||||
const valid = ajv.validate(rotationTemplate.template.inputs, formattedInputs);
|
||||
if (!valid) {
|
||||
throw BadRequestError({ message: ajv.errors?.[0].message });
|
||||
}
|
||||
|
||||
const encData: Partial<ISecretRotationEncData> = {
|
||||
inputs: formattedInputs,
|
||||
creds: []
|
||||
};
|
||||
|
||||
const secretRotation = new SecretRotation({
|
||||
workspace: workspaceId,
|
||||
provider,
|
||||
environment,
|
||||
secretPath,
|
||||
interval,
|
||||
outputs: Object.entries(outputs).map(([key, secret]) => ({ key, secret }))
|
||||
});
|
||||
|
||||
const encryptionKey = await getEncryptionKey();
|
||||
const rootEncryptionKey = await getRootEncryptionKey();
|
||||
|
||||
if (rootEncryptionKey) {
|
||||
const { ciphertext, iv, tag } = client.encryptSymmetric(
|
||||
JSON.stringify(encData),
|
||||
rootEncryptionKey
|
||||
);
|
||||
secretRotation.encryptedDataIV = iv;
|
||||
secretRotation.encryptedDataTag = tag;
|
||||
secretRotation.encryptedData = ciphertext;
|
||||
secretRotation.algorithm = ALGORITHM_AES_256_GCM;
|
||||
secretRotation.keyEncoding = ENCODING_SCHEME_BASE64;
|
||||
} else if (encryptionKey) {
|
||||
const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
|
||||
plaintext: JSON.stringify(encData),
|
||||
key: encryptionKey
|
||||
});
|
||||
secretRotation.encryptedDataIV = iv;
|
||||
secretRotation.encryptedDataTag = tag;
|
||||
secretRotation.encryptedData = ciphertext;
|
||||
secretRotation.algorithm = ALGORITHM_AES_256_GCM;
|
||||
secretRotation.keyEncoding = ENCODING_SCHEME_UTF8;
|
||||
}
|
||||
|
||||
await secretRotation.save();
|
||||
await startSecretRotationQueue(secretRotation._id.toString(), interval);
|
||||
|
||||
return secretRotation;
|
||||
};
|
||||
|
||||
export const deleteSecretRotation = async ({ id }: { id: string }) => {
|
||||
const doc = await SecretRotation.findByIdAndRemove(id);
|
||||
if (!doc) throw BadRequestError({ message: "Rotation not found" });
|
||||
|
||||
await removeSecretRotationQueue(doc._id.toString(), doc.interval);
|
||||
return doc;
|
||||
};
|
||||
|
||||
export const restartSecretRotation = async ({ id }: { id: string }) => {
|
||||
const secretRotation = await SecretRotation.findById(id);
|
||||
if (!secretRotation) throw BadRequestError({ message: "Rotation not found" });
|
||||
|
||||
await removeSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
|
||||
await startSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
|
||||
|
||||
return secretRotation;
|
||||
};
|
||||
|
||||
export const getSecretRotationById = async ({ id }: { id: string }) => {
|
||||
const doc = await SecretRotation.findById(id);
|
||||
if (!doc) throw BadRequestError({ message: "Rotation not found" });
|
||||
return doc;
|
||||
};
|
||||
|
||||
export const getSecretRotationOfWorkspace = async (workspaceId: string) => {
|
||||
const secretRotations = await SecretRotation.find({
|
||||
workspace: workspaceId
|
||||
}).populate("outputs.secret");
|
||||
|
||||
return secretRotations;
|
||||
};
|
@ -0,0 +1,28 @@
|
||||
import { ISecretRotationProviderTemplate } from "../types";
|
||||
import { MYSQL_TEMPLATE } from "./mysql";
|
||||
import { POSTGRES_TEMPLATE } from "./postgres";
|
||||
import { SENDGRID_TEMPLATE } from "./sendgrid";
|
||||
|
||||
export const rotationTemplates: ISecretRotationProviderTemplate[] = [
|
||||
{
|
||||
name: "sendgrid",
|
||||
title: "Twilio Sendgrid",
|
||||
image: "sendgrid.png",
|
||||
description: "Rotate Twilio Sendgrid API keys",
|
||||
template: SENDGRID_TEMPLATE
|
||||
},
|
||||
{
|
||||
name: "postgres",
|
||||
title: "PostgreSQL",
|
||||
image: "postgres.png",
|
||||
description: "Rotate PostgreSQL/CockroachDB user credentials",
|
||||
template: POSTGRES_TEMPLATE
|
||||
},
|
||||
{
|
||||
name: "mysql",
|
||||
title: "MySQL",
|
||||
image: "mysql.png",
|
||||
description: "Rotate MySQL@7/MariaDB user credentials",
|
||||
template: MYSQL_TEMPLATE
|
||||
}
|
||||
];
|
@ -0,0 +1,83 @@
|
||||
import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
|
||||
|
||||
export const MYSQL_TEMPLATE = {
|
||||
inputs: {
|
||||
type: "object" as const,
|
||||
properties: {
|
||||
admin_username: { type: "string" as const },
|
||||
admin_password: { type: "string" as const },
|
||||
host: { type: "string" as const },
|
||||
database: { type: "string" as const },
|
||||
port: { type: "integer" as const, default: "3306" },
|
||||
username1: {
|
||||
type: "string",
|
||||
default: "infisical-sql-user1",
|
||||
desc: "This user must be created in your database"
|
||||
},
|
||||
username2: {
|
||||
type: "string",
|
||||
default: "infisical-sql-user2",
|
||||
desc: "This user must be created in your database"
|
||||
},
|
||||
ca: { type: "string", desc: "SSL certificate for db auth(string)" }
|
||||
},
|
||||
required: [
|
||||
"admin_username",
|
||||
"admin_password",
|
||||
"host",
|
||||
"database",
|
||||
"username1",
|
||||
"username2",
|
||||
"port"
|
||||
],
|
||||
additionalProperties: false
|
||||
},
|
||||
outputs: {
|
||||
db_username: { type: "string" },
|
||||
db_password: { type: "string" }
|
||||
},
|
||||
internal: {
|
||||
rotated_password: { type: "string" },
|
||||
username: { type: "string" }
|
||||
},
|
||||
functions: {
|
||||
set: {
|
||||
type: TProviderFunctionTypes.DB as const,
|
||||
client: TDbProviderClients.Sql,
|
||||
username: "${inputs.admin_username}",
|
||||
password: "${inputs.admin_password}",
|
||||
host: "${inputs.host}",
|
||||
database: "${inputs.database}",
|
||||
port: "${inputs.port}",
|
||||
ca: "${inputs.ca}",
|
||||
query: "ALTER USER ${internal.username} IDENTIFIED BY '${internal.rotated_password}'",
|
||||
setter: {
|
||||
"outputs.db_username": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${internal.username}"
|
||||
},
|
||||
"outputs.db_password": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${internal.rotated_password}"
|
||||
}
|
||||
},
|
||||
pre: {
|
||||
"internal.rotated_password": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${random | 32}"
|
||||
}
|
||||
}
|
||||
},
|
||||
test: {
|
||||
type: TProviderFunctionTypes.DB as const,
|
||||
client: TDbProviderClients.Sql,
|
||||
username: "${internal.username}",
|
||||
password: "${internal.rotated_password}",
|
||||
host: "${inputs.host}",
|
||||
database: "${inputs.database}",
|
||||
port: "${inputs.port}",
|
||||
ca: "${inputs.ca}",
|
||||
query: "SELECT NOW()"
|
||||
}
|
||||
}
|
||||
};
|
@ -0,0 +1,83 @@
|
||||
import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
|
||||
|
||||
export const POSTGRES_TEMPLATE = {
|
||||
inputs: {
|
||||
type: "object" as const,
|
||||
properties: {
|
||||
admin_username: { type: "string" as const },
|
||||
admin_password: { type: "string" as const },
|
||||
host: { type: "string" as const },
|
||||
database: { type: "string" as const },
|
||||
port: { type: "integer" as const, default: "5432" },
|
||||
username1: {
|
||||
type: "string",
|
||||
default: "infisical-pg-user1",
|
||||
desc: "This user must be created in your database"
|
||||
},
|
||||
username2: {
|
||||
type: "string",
|
||||
default: "infisical-pg-user2",
|
||||
desc: "This user must be created in your database"
|
||||
},
|
||||
ca: { type: "string", desc: "SSL certificate for db auth(string)" }
|
||||
},
|
||||
required: [
|
||||
"admin_username",
|
||||
"admin_password",
|
||||
"host",
|
||||
"database",
|
||||
"username1",
|
||||
"username2",
|
||||
"port"
|
||||
],
|
||||
additionalProperties: false
|
||||
},
|
||||
outputs: {
|
||||
db_username: { type: "string" },
|
||||
db_password: { type: "string" }
|
||||
},
|
||||
internal: {
|
||||
rotated_password: { type: "string" },
|
||||
username: { type: "string" }
|
||||
},
|
||||
functions: {
|
||||
set: {
|
||||
type: TProviderFunctionTypes.DB as const,
|
||||
client: TDbProviderClients.Pg,
|
||||
username: "${inputs.admin_username}",
|
||||
password: "${inputs.admin_password}",
|
||||
host: "${inputs.host}",
|
||||
database: "${inputs.database}",
|
||||
port: "${inputs.port}",
|
||||
ca: "${inputs.ca}",
|
||||
query: "ALTER USER ${internal.username} WITH PASSWORD '${internal.rotated_password}'",
|
||||
setter: {
|
||||
"outputs.db_username": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${internal.username}"
|
||||
},
|
||||
"outputs.db_password": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${internal.rotated_password}"
|
||||
}
|
||||
},
|
||||
pre: {
|
||||
"internal.rotated_password": {
|
||||
assign: TAssignOp.Direct as const,
|
||||
value: "${random | 32}"
|
||||
}
|
||||
}
|
||||
},
|
||||
test: {
|
||||
type: TProviderFunctionTypes.DB as const,
|
||||
client: TDbProviderClients.Pg,
|
||||
username: "${internal.username}",
|
||||
password: "${internal.rotated_password}",
|
||||
host: "${inputs.host}",
|
||||
database: "${inputs.database}",
|
||||
port: "${inputs.port}",
|
||||
ca: "${inputs.ca}",
|
||||
query: "SELECT NOW()"
|
||||
}
|
||||
}
|
||||
};
|
@ -0,0 +1,63 @@
|
||||
import { TAssignOp, TProviderFunctionTypes } from "../types";
|
||||
|
||||
export const SENDGRID_TEMPLATE = {
|
||||
inputs: {
|
||||
type: "object" as const,
|
||||
properties: {
|
||||
admin_api_key: { type: "string" as const, desc: "Sendgrid admin api key to create new keys" },
|
||||
api_key_scopes: {
|
||||
type: "array",
|
||||
items: { type: "string" as const },
|
||||
desc: "Scopes for created tokens by rotation(Array)"
|
||||
}
|
||||
},
|
||||
required: ["admin_api_key", "api_key_scopes"],
|
||||
additionalProperties: false
|
||||
},
|
||||
outputs: {
|
||||
api_key: { type: "string" }
|
||||
},
|
||||
internal: {
|
||||
api_key_id: { type: "string" }
|
||||
},
|
||||
functions: {
|
||||
set: {
|
||||
type: TProviderFunctionTypes.HTTP as const,
|
||||
url: "https://api.sendgrid.com/v3/api_keys",
|
||||
method: "POST",
|
||||
header: {
|
||||
Authorization: "Bearer ${inputs.admin_api_key}"
|
||||
},
|
||||
body: {
|
||||
name: "infisical-${random | 16}",
|
||||
scopes: { ref: "inputs.api_key_scopes" }
|
||||
},
|
||||
setter: {
|
||||
"outputs.api_key": {
|
||||
assign: TAssignOp.JmesPath as const,
|
||||
path: "api_key"
|
||||
},
|
||||
"internal.api_key_id": {
|
||||
assign: TAssignOp.JmesPath as const,
|
||||
path: "api_key_id"
|
||||
}
|
||||
}
|
||||
},
|
||||
remove: {
|
||||
type: TProviderFunctionTypes.HTTP as const,
|
||||
url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
|
||||
header: {
|
||||
Authorization: "Bearer ${inputs.admin_api_key}"
|
||||
},
|
||||
method: "DELETE"
|
||||
},
|
||||
test: {
|
||||
type: TProviderFunctionTypes.HTTP as const,
|
||||
url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
|
||||
header: {
|
||||
Authorization: "Bearer ${inputs.admin_api_key}"
|
||||
},
|
||||
method: "GET"
|
||||
}
|
||||
}
|
||||
};
|
@ -0,0 +1,131 @@
|
||||
import { Document, Types } from "mongoose";
|
||||
|
||||
export interface ISecretRotation extends Document {
|
||||
_id: Types.ObjectId;
|
||||
name: string;
|
||||
interval: number;
|
||||
provider: string;
|
||||
customProvider: Types.ObjectId;
|
||||
workspace: Types.ObjectId;
|
||||
environment: string;
|
||||
secretPath: string;
|
||||
outputs: Array<{
|
||||
key: string;
|
||||
secret: Types.ObjectId;
|
||||
}>;
|
||||
status?: "success" | "failed";
|
||||
lastRotatedAt?: string;
|
||||
statusMessage?: string;
|
||||
encryptedData: string;
|
||||
encryptedDataIV: string;
|
||||
encryptedDataTag: string;
|
||||
algorithm: string;
|
||||
keyEncoding: string;
|
||||
}
|
||||
|
||||
export type ISecretRotationEncData = {
|
||||
inputs: Record<string, unknown>;
|
||||
creds: Array<{
|
||||
outputs: Record<string, unknown>;
|
||||
internal: Record<string, unknown>;
|
||||
}>;
|
||||
};
|
||||
|
||||
export type ISecretRotationData = {
|
||||
inputs: Record<string, unknown>;
|
||||
outputs: Record<string, unknown>;
|
||||
internal: Record<string, unknown>;
|
||||
};
|
||||
|
||||
export type ISecretRotationProviderTemplate = {
|
||||
name: string;
|
||||
title: string;
|
||||
image?: string;
|
||||
description?: string;
|
||||
template: TProviderTemplate;
|
||||
};
|
||||
|
||||
export enum TProviderFunctionTypes {
|
||||
HTTP = "http",
|
||||
DB = "database"
|
||||
}
|
||||
|
||||
export enum TDbProviderClients {
|
||||
// postgres, cockroack db, amazon red shift
|
||||
Pg = "pg",
|
||||
// mysql and maria db
|
||||
Sql = "sql"
|
||||
}
|
||||
|
||||
export enum TAssignOp {
|
||||
Direct = "direct",
|
||||
JmesPath = "jmesopath"
|
||||
}
|
||||
|
||||
export type TJmesPathAssignOp = {
|
||||
assign: TAssignOp.JmesPath;
|
||||
path: string;
|
||||
};
|
||||
|
||||
export type TDirectAssignOp = {
|
||||
assign: TAssignOp.Direct;
|
||||
value: string;
|
||||
};
|
||||
|
||||
export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
|
||||
|
||||
export type THttpProviderFunction = {
|
||||
type: TProviderFunctionTypes.HTTP;
|
||||
url: string;
|
||||
method: string;
|
||||
header?: Record<string, string>;
|
||||
query?: Record<string, string>;
|
||||
body?: Record<string, unknown>;
|
||||
setter?: Record<string, TAssignFunction>;
|
||||
pre?: Record<string, TDirectAssignOp>;
|
||||
};
|
||||
|
||||
export type TDbProviderFunction = {
|
||||
type: TProviderFunctionTypes.DB;
|
||||
client: TDbProviderClients;
|
||||
username: string;
|
||||
password: string;
|
||||
host: string;
|
||||
database: string;
|
||||
port: string;
|
||||
query: string;
|
||||
setter?: Record<string, TAssignFunction>;
|
||||
pre?: Record<string, TDirectAssignOp>;
|
||||
};
|
||||
|
||||
export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
|
||||
|
||||
export type TProviderTemplate = {
|
||||
inputs: {
|
||||
type: "object";
|
||||
properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
|
||||
required?: string[];
|
||||
};
|
||||
outputs: Record<string, unknown>;
|
||||
functions: {
|
||||
set: TProviderFunction;
|
||||
remove?: TProviderFunction;
|
||||
test: TProviderFunction;
|
||||
};
|
||||
};
|
||||
|
||||
// function type args
|
||||
export type TGetProviderTemplates = {
|
||||
workspaceId: string;
|
||||
};
|
||||
|
||||
export type TCreateSecretRotation = {
|
||||
provider: string;
|
||||
customProvider?: string;
|
||||
workspaceId: string;
|
||||
secretPath: string;
|
||||
environment: string;
|
||||
interval: number;
|
||||
inputs: Record<string, unknown>;
|
||||
outputs: Record<string, string>;
|
||||
};
|
@ -0,0 +1,32 @@
|
||||
import { z } from "zod";
|
||||
|
||||
export const createSecretRotationV1 = z.object({
|
||||
body: z.object({
|
||||
workspaceId: z.string().trim(),
|
||||
secretPath: z.string().trim(),
|
||||
environment: z.string().trim(),
|
||||
interval: z.number().min(1),
|
||||
provider: z.string().trim(),
|
||||
customProvider: z.string().trim().optional(),
|
||||
inputs: z.record(z.unknown()),
|
||||
outputs: z.record(z.string())
|
||||
})
|
||||
});
|
||||
|
||||
export const restartSecretRotationV1 = z.object({
|
||||
body: z.object({
|
||||
id: z.string().trim()
|
||||
})
|
||||
});
|
||||
|
||||
export const getSecretRotationV1 = z.object({
|
||||
query: z.object({
|
||||
workspaceId: z.string().trim()
|
||||
})
|
||||
});
|
||||
|
||||
export const removeSecretRotationV1 = z.object({
|
||||
params: z.object({
|
||||
id: z.string().trim()
|
||||
})
|
||||
});
|
@ -0,0 +1,7 @@
|
||||
import { z } from "zod";
|
||||
|
||||
export const getSecretRotationProvidersV1 = z.object({
|
||||
params: z.object({
|
||||
workspaceId: z.string()
|
||||
})
|
||||
});
|
@ -1,39 +1,27 @@
|
||||
import { Types } from "mongoose";
|
||||
import {
|
||||
IServiceTokenData,
|
||||
IServiceTokenDataV3,
|
||||
IUser,
|
||||
} from "../../models";
|
||||
import {
|
||||
ServiceActor,
|
||||
ServiceActorV3,
|
||||
UserActor,
|
||||
UserAgentType
|
||||
} from "../../ee/models";
|
||||
import { IServiceTokenData, IServiceTokenDataV3, IUser } from "../../models";
|
||||
import { ServiceActor, ServiceActorV3, UserActor, UserAgentType } from "../../ee/models";
|
||||
|
||||
interface BaseAuthData {
|
||||
ipAddress: string;
|
||||
userAgent: string;
|
||||
userAgentType: UserAgentType;
|
||||
tokenVersionId?: Types.ObjectId;
|
||||
ipAddress: string;
|
||||
userAgent: string;
|
||||
userAgentType: UserAgentType;
|
||||
tokenVersionId?: Types.ObjectId;
|
||||
}
|
||||
|
||||
export interface UserAuthData extends BaseAuthData {
|
||||
actor: UserActor;
|
||||
authPayload: IUser;
|
||||
actor: UserActor;
|
||||
authPayload: IUser;
|
||||
}
|
||||
|
||||
export interface ServiceTokenV3AuthData extends BaseAuthData {
|
||||
actor: ServiceActorV3;
|
||||
authPayload: IServiceTokenDataV3;
|
||||
actor: ServiceActorV3;
|
||||
authPayload: IServiceTokenDataV3;
|
||||
}
|
||||
|
||||
export interface ServiceTokenAuthData extends BaseAuthData {
|
||||
actor: ServiceActor;
|
||||
authPayload: IServiceTokenData;
|
||||
actor: ServiceActor;
|
||||
authPayload: IServiceTokenData;
|
||||
}
|
||||
|
||||
export type AuthData =
|
||||
| UserAuthData
|
||||
| ServiceTokenV3AuthData
|
||||
| ServiceTokenAuthData;
|
||||
export type AuthData = UserAuthData | ServiceTokenV3AuthData | ServiceTokenAuthData;
|
||||
|
@ -1,435 +0,0 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import { Types } from "mongoose";
|
||||
import { AuthData } from "../interfaces/middleware";
|
||||
import {
|
||||
AuthMethod,
|
||||
MembershipOrg,
|
||||
Organization,
|
||||
ServiceAccount,
|
||||
ServiceTokenData,
|
||||
ServiceTokenDataV3,
|
||||
User
|
||||
} from "../models";
|
||||
import { createToken } from "../helpers/auth";
|
||||
import {
|
||||
getAuthSecret,
|
||||
getClientIdGitHubLogin,
|
||||
getClientIdGitLabLogin,
|
||||
getClientIdGoogleLogin,
|
||||
getClientSecretGitHubLogin,
|
||||
getClientSecretGitLabLogin,
|
||||
getClientSecretGoogleLogin,
|
||||
getJwtProviderAuthLifetime,
|
||||
getSiteURL,
|
||||
getUrlGitLabLogin
|
||||
} from "../config";
|
||||
import { getSSOConfigHelper } from "../ee/helpers/organizations";
|
||||
import { InternalServerError, OrganizationNotFoundError } from "./errors";
|
||||
import { ACCEPTED, AuthTokenType, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
|
||||
import { standardRequest } from "../config/request";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GoogleStrategy = require("passport-google-oauth20").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitHubStrategy = require("passport-github").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitLabStrategy = require("passport-gitlab2").Strategy;
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const { MultiSamlStrategy } = require("@node-saml/passport-saml");
|
||||
|
||||
/**
|
||||
* Returns an object containing the id of the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
const getAuthDataPayloadIdObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { userId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { serviceAccountId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns an object containing the user associated with the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
const getAuthDataPayloadUserObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { user: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
}
|
||||
|
||||
const initializePassport = async () => {
|
||||
const clientIdGoogleLogin = await getClientIdGoogleLogin();
|
||||
const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
|
||||
const clientIdGitHubLogin = await getClientIdGitHubLogin();
|
||||
const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
|
||||
const urlGitLab = await getUrlGitLabLogin();
|
||||
const clientIdGitLabLogin = await getClientIdGitLabLogin();
|
||||
const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
|
||||
|
||||
if (clientIdGoogleLogin && clientSecretGoogleLogin) {
|
||||
passport.use(new GoogleStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGoogleLogin,
|
||||
clientSecret: clientSecretGoogleLogin,
|
||||
callbackURL: "/api/v1/sso/google",
|
||||
scope: ["profile", " email"],
|
||||
}, async (
|
||||
req: express.Request,
|
||||
accessToken: string,
|
||||
refreshToken: string,
|
||||
profile: any,
|
||||
done: any
|
||||
) => {
|
||||
try {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [AuthMethod.GOOGLE],
|
||||
firstName: profile.name.givenName,
|
||||
lastName: profile.name.familyName
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GOOGLE)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GOOGLE,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
done(null, profile);
|
||||
} catch (err) {
|
||||
done(null, false);
|
||||
}
|
||||
}));
|
||||
}
|
||||
|
||||
if (clientIdGitHubLogin && clientSecretGitHubLogin) {
|
||||
passport.use(new GitHubStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitHubLogin,
|
||||
clientSecret: clientSecretGitHubLogin,
|
||||
callbackURL: "/api/v1/sso/github",
|
||||
scope: ["user:email"]
|
||||
},
|
||||
async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
interface GitHubEmail {
|
||||
email: string;
|
||||
primary: boolean;
|
||||
verified: boolean;
|
||||
visibility: null | string;
|
||||
}
|
||||
|
||||
const { data }: { data: GitHubEmail[] } = await standardRequest.get(
|
||||
`${INTEGRATION_GITHUB_API_URL}/user/emails`,
|
||||
{
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
|
||||
const email = primaryEmail.email;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email: email,
|
||||
authMethods: [AuthMethod.GITHUB],
|
||||
firstName: profile.displayName,
|
||||
lastName: ""
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GITHUB)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GITHUB,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
|
||||
passport.use(new GitLabStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitLabLogin,
|
||||
clientSecret: clientSecretGitLabLogin,
|
||||
callbackURL: "/api/v1/sso/gitlab",
|
||||
baseURL: urlGitLab
|
||||
},
|
||||
async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email: email,
|
||||
authMethods: [AuthMethod.GITLAB],
|
||||
firstName: profile.displayName,
|
||||
lastName: ""
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(AuthMethod.GITLAB)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod: AuthMethod.GITLAB,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(req.query.state ? {
|
||||
callbackPort: req.query.state as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
passport.use("saml", new MultiSamlStrategy(
|
||||
{
|
||||
passReqToCallback: true,
|
||||
getSamlOptions: async (req: any, done: any) => {
|
||||
const { ssoIdentifier } = req.params;
|
||||
|
||||
const ssoConfig = await getSSOConfigHelper({
|
||||
ssoConfigId: new Types.ObjectId(ssoIdentifier)
|
||||
});
|
||||
|
||||
interface ISAMLConfig {
|
||||
callbackUrl: string;
|
||||
entryPoint: string;
|
||||
issuer: string;
|
||||
cert: string;
|
||||
audience: string;
|
||||
wantAuthnResponseSigned?: boolean;
|
||||
}
|
||||
|
||||
const samlConfig: ISAMLConfig = ({
|
||||
callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
|
||||
entryPoint: ssoConfig.entryPoint,
|
||||
issuer: ssoConfig.issuer,
|
||||
cert: ssoConfig.cert,
|
||||
audience: await getSiteURL()
|
||||
});
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
|
||||
samlConfig.wantAuthnResponseSigned = false;
|
||||
}
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
|
||||
if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
|
||||
samlConfig.audience = `spn:${ssoConfig.issuer}`;
|
||||
}
|
||||
}
|
||||
|
||||
req.ssoConfig = ssoConfig;
|
||||
|
||||
done(null, samlConfig);
|
||||
},
|
||||
},
|
||||
async (req: any, profile: any, done: any) => {
|
||||
if (!req.ssoConfig.isActive) return done(InternalServerError());
|
||||
|
||||
const organization = await Organization.findById(req.ssoConfig.organization);
|
||||
|
||||
if (!organization) return done(OrganizationNotFoundError());
|
||||
|
||||
const email = profile.email;
|
||||
const firstName = profile.firstName;
|
||||
const lastName = profile.lastName;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (user) {
|
||||
// if user does not have SAML enabled then update
|
||||
const hasSamlEnabled = user.authMethods
|
||||
.some(
|
||||
(authMethod: AuthMethod) => [
|
||||
AuthMethod.OKTA_SAML,
|
||||
AuthMethod.AZURE_SAML,
|
||||
AuthMethod.JUMPCLOUD_SAML
|
||||
].includes(authMethod)
|
||||
);
|
||||
|
||||
if (!hasSamlEnabled) {
|
||||
await User.findByIdAndUpdate(
|
||||
user._id,
|
||||
{
|
||||
authMethods: [req.ssoConfig.authProvider]
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
let membershipOrg = await MembershipOrg.findOne(
|
||||
{
|
||||
user: user._id,
|
||||
organization: organization._id
|
||||
}
|
||||
);
|
||||
|
||||
if (!membershipOrg) {
|
||||
membershipOrg = await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: ACCEPTED
|
||||
}).save();
|
||||
}
|
||||
|
||||
if (membershipOrg.status === INVITED) {
|
||||
membershipOrg.status = ACCEPTED;
|
||||
await membershipOrg.save();
|
||||
}
|
||||
} else {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [req.ssoConfig.authProvider],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
|
||||
await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: INVITED
|
||||
}).save();
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName,
|
||||
lastName,
|
||||
organizationName: organization?.name,
|
||||
authMethod: req.ssoConfig.authProvider,
|
||||
isUserCompleted,
|
||||
...(req.body.RelayState ? {
|
||||
callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
|
||||
done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
||||
|
||||
export {
|
||||
getAuthDataPayloadIdObj,
|
||||
getAuthDataPayloadUserObj,
|
||||
initializePassport,
|
||||
}
|
@ -0,0 +1,50 @@
|
||||
import { Types } from "mongoose";
|
||||
import {
|
||||
APIKeyData,
|
||||
IUser,
|
||||
User
|
||||
} from "../../../models";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
import bcrypt from "bcrypt";
|
||||
|
||||
interface ValidateAPIKeyParams {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateAPIKey = async ({
|
||||
authTokenValue
|
||||
}: ValidateAPIKeyParams) => {
|
||||
|
||||
const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
|
||||
|
||||
let apiKeyData = await APIKeyData
|
||||
.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
|
||||
.populate<{ user: IUser }>("user", "+publicKey");
|
||||
|
||||
if (!apiKeyData) {
|
||||
throw UnauthorizedRequestError();
|
||||
} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
|
||||
// case: API key expired
|
||||
await APIKeyData.findByIdAndDelete(apiKeyData._id);
|
||||
throw UnauthorizedRequestError();
|
||||
}
|
||||
|
||||
const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
|
||||
if (!isMatch) throw UnauthorizedRequestError();
|
||||
|
||||
apiKeyData = await APIKeyData.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(TOKEN_IDENTIFIER),
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
}, {
|
||||
new: true,
|
||||
});
|
||||
|
||||
if (!apiKeyData) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findById(apiKeyData.user).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError();
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,39 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { APIKeyDataV2, User } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateAPIKeyV2Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateAPIKeyV2 = async ({
|
||||
authTokenValue
|
||||
}: ValidateAPIKeyV2Params) => {
|
||||
|
||||
const decodedToken = <jwt.UserIDJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.API_KEY) throw UnauthorizedRequestError();
|
||||
|
||||
const apiKeyData = await APIKeyDataV2.findByIdAndUpdate(
|
||||
decodedToken.apiKeyDataId,
|
||||
{
|
||||
lastUsed: new Date(),
|
||||
$inc: { usageCount: 1 }
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
if (!apiKeyData) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findById(apiKeyData.user).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError();
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,5 @@
|
||||
export * from "./apiKey";
|
||||
export * from "./apiKeyV2";
|
||||
export * from "./jwt";
|
||||
export * from "./serviceTokenV2";
|
||||
export * from "./serviceTokenV3";
|
@ -0,0 +1,41 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { Types } from "mongoose";
|
||||
import { TokenVersion, User } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateJWTParams {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateJWT = async ({
|
||||
authTokenValue
|
||||
}: ValidateJWTParams) => {
|
||||
|
||||
const decodedToken = <jwt.UserIDJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN) throw UnauthorizedRequestError();
|
||||
|
||||
const tokenVersion = await TokenVersion.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(decodedToken.tokenVersionId),
|
||||
user: decodedToken.userId
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
});
|
||||
|
||||
if (!tokenVersion) throw UnauthorizedRequestError();
|
||||
if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError();
|
||||
|
||||
const user = await User.findOne({
|
||||
_id: new Types.ObjectId(decodedToken.userId),
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
|
||||
|
||||
if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
|
||||
|
||||
return user;
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
import { Types } from "mongoose";
|
||||
import { ServiceTokenData } from "../../../models";
|
||||
import { ResourceNotFoundError, UnauthorizedRequestError } from "../../errors";
|
||||
import bcrypt from "bcrypt";
|
||||
|
||||
interface ValidateServiceTokenV2Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateServiceTokenV2 = async ({
|
||||
authTokenValue
|
||||
}: ValidateServiceTokenV2Params) => {
|
||||
const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
|
||||
|
||||
const serviceTokenData = await ServiceTokenData
|
||||
.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
|
||||
|
||||
if (!serviceTokenData) {
|
||||
throw UnauthorizedRequestError();
|
||||
} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
|
||||
// case: service token expired
|
||||
await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate expired service token",
|
||||
});
|
||||
}
|
||||
|
||||
const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
|
||||
if (!isMatch) throw UnauthorizedRequestError();
|
||||
|
||||
const serviceTokenDataToReturn = await ServiceTokenData
|
||||
.findOneAndUpdate({
|
||||
_id: new Types.ObjectId(TOKEN_IDENTIFIER),
|
||||
}, {
|
||||
lastUsed: new Date(),
|
||||
}, {
|
||||
new: true,
|
||||
})
|
||||
.select("+encryptedKey +iv +tag")
|
||||
|
||||
if (!serviceTokenDataToReturn) throw ResourceNotFoundError();
|
||||
|
||||
return serviceTokenDataToReturn;
|
||||
}
|
@ -0,0 +1,64 @@
|
||||
import jwt from "jsonwebtoken";
|
||||
import { Types } from "mongoose";
|
||||
import { ServiceTokenDataV3 } from "../../../models";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { UnauthorizedRequestError } from "../../errors";
|
||||
|
||||
interface ValidateServiceTokenV3Params {
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
export const validateServiceTokenV3 = async ({
|
||||
authTokenValue
|
||||
}: ValidateServiceTokenV3Params) => {
|
||||
const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
if (decodedToken.authTokenType !== AuthTokenType.SERVICE_ACCESS_TOKEN) throw UnauthorizedRequestError();
|
||||
|
||||
const serviceTokenData = await ServiceTokenDataV3.findOne({
|
||||
_id: new Types.ObjectId(decodedToken.serviceTokenDataId),
|
||||
isActive: true
|
||||
});
|
||||
|
||||
if (!serviceTokenData) {
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate"
|
||||
});
|
||||
} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
|
||||
// case: service token expired
|
||||
await ServiceTokenDataV3.findByIdAndUpdate(
|
||||
serviceTokenData._id,
|
||||
{
|
||||
isActive: false
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate",
|
||||
});
|
||||
} else if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
|
||||
// TODO: raise alarm
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate",
|
||||
});
|
||||
}
|
||||
|
||||
await ServiceTokenDataV3.findByIdAndUpdate(
|
||||
serviceTokenData._id,
|
||||
{
|
||||
accessTokenLastUsed: new Date(),
|
||||
$inc: { accessTokenUsageCount: 1 }
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
|
||||
return serviceTokenData;
|
||||
}
|
@ -0,0 +1,53 @@
|
||||
import { AuthData } from "../../../interfaces/middleware";
|
||||
import {
|
||||
ServiceAccount,
|
||||
ServiceTokenData,
|
||||
ServiceTokenDataV3,
|
||||
User
|
||||
} from "../../../models";
|
||||
|
||||
/**
|
||||
* Returns an object containing the id of the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
export const getAuthDataPayloadIdObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { userId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { serviceAccountId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { serviceTokenDataId: authData.authPayload._id };
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns an object containing the user associated with the authentication data payload
|
||||
* @param {AuthData} authData - authentication data object
|
||||
* @returns
|
||||
*/
|
||||
export const getAuthDataPayloadUserObj = (authData: AuthData) => {
|
||||
if (authData.authPayload instanceof User) {
|
||||
return { user: authData.authPayload._id };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceAccount) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenData) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
|
||||
if (authData.authPayload instanceof ServiceTokenDataV3) {
|
||||
return { user: authData.authPayload.user };
|
||||
}
|
||||
}
|
@ -0,0 +1,195 @@
|
||||
import { AuthData } from "../../../interfaces/middleware";
|
||||
import jwt from "jsonwebtoken";
|
||||
import { getAuthSecret } from "../../../config";
|
||||
import { ActorType } from "../../../ee/models";
|
||||
import { AuthMode, AuthTokenType } from "../../../variables";
|
||||
import { UnauthorizedRequestError } from "../../errors";
|
||||
import {
|
||||
validateAPIKey,
|
||||
validateAPIKeyV2,
|
||||
validateJWT,
|
||||
validateServiceTokenV2,
|
||||
validateServiceTokenV3
|
||||
} from "../authModeValidators";
|
||||
import { getUserAgentType } from "../../posthog";
|
||||
|
||||
export * from "./authDataExtractors";
|
||||
|
||||
interface ExtractAuthModeParams {
|
||||
headers: { [key: string]: string | string[] | undefined }
|
||||
}
|
||||
|
||||
interface ExtractAuthModeReturn {
|
||||
authMode: AuthMode;
|
||||
authTokenValue: string;
|
||||
}
|
||||
|
||||
interface GetAuthDataParams {
|
||||
authMode: AuthMode;
|
||||
authTokenValue: string;
|
||||
ipAddress: string;
|
||||
userAgent: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the recognized authentication mode based on token in [headers]; accepted token types include:
|
||||
* - SERVICE_TOKEN
|
||||
* - API_KEY
|
||||
* - JWT
|
||||
* - SERVICE_ACCESS_TOKEN (from ST V3)
|
||||
* - API_KEY_V2
|
||||
* @param {Object} params
|
||||
* @param {Object.<string, (string|string[]|undefined)>} params.headers - The HTTP request headers, usually from Express's `req.headers`.
|
||||
* @returns {Promise<AuthMode>} The derived authentication mode based on the headers.
|
||||
* @throws {UnauthorizedError} Throws an error if no applicable authMode is found.
|
||||
*/
|
||||
export const extractAuthMode = async ({
|
||||
headers
|
||||
}: ExtractAuthModeParams): Promise<ExtractAuthModeReturn> => {
|
||||
|
||||
const apiKey = headers["x-api-key"] as string;
|
||||
const authHeader = headers["authorization"] as string;
|
||||
|
||||
if (apiKey) {
|
||||
return { authMode: AuthMode.API_KEY, authTokenValue: apiKey };
|
||||
}
|
||||
|
||||
if (!authHeader) throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
|
||||
if (!authHeader.startsWith("Bearer ")) throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
|
||||
const authTokenValue = authHeader.slice(7);
|
||||
|
||||
if (authTokenValue.startsWith("st.")) {
|
||||
return { authMode: AuthMode.SERVICE_TOKEN, authTokenValue };
|
||||
}
|
||||
|
||||
const decodedToken = <jwt.AuthnJwtPayload>(
|
||||
jwt.verify(authTokenValue, await getAuthSecret())
|
||||
);
|
||||
|
||||
switch (decodedToken.authTokenType) {
|
||||
case AuthTokenType.ACCESS_TOKEN:
|
||||
return { authMode: AuthMode.JWT, authTokenValue };
|
||||
case AuthTokenType.API_KEY:
|
||||
return { authMode: AuthMode.API_KEY_V2, authTokenValue };
|
||||
case AuthTokenType.SERVICE_ACCESS_TOKEN:
|
||||
return { authMode: AuthMode.SERVICE_ACCESS_TOKEN, authTokenValue };
|
||||
default:
|
||||
throw UnauthorizedRequestError({
|
||||
message: "Failed to authenticate unknown authentication method"
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
export const getAuthData = async ({
|
||||
authMode,
|
||||
authTokenValue,
|
||||
ipAddress,
|
||||
userAgent
|
||||
}: GetAuthDataParams): Promise<AuthData> => {
|
||||
|
||||
const userAgentType = getUserAgentType(userAgent);
|
||||
|
||||
switch (authMode) {
|
||||
case AuthMode.SERVICE_TOKEN: {
|
||||
const serviceTokenData = await validateServiceTokenV2({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.SERVICE,
|
||||
metadata: {
|
||||
serviceId: serviceTokenData._id.toString(),
|
||||
name: serviceTokenData.name
|
||||
}
|
||||
},
|
||||
authPayload: serviceTokenData,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.SERVICE_ACCESS_TOKEN: {
|
||||
const serviceTokenData = await validateServiceTokenV3({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.SERVICE_V3,
|
||||
metadata: {
|
||||
serviceId: serviceTokenData._id.toString(),
|
||||
name: serviceTokenData.name
|
||||
}
|
||||
},
|
||||
authPayload: serviceTokenData,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.API_KEY: {
|
||||
const user = await validateAPIKey({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.API_KEY_V2: {
|
||||
const user = await validateAPIKeyV2({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
case AuthMode.JWT: {
|
||||
const user = await validateJWT({
|
||||
authTokenValue
|
||||
});
|
||||
|
||||
return {
|
||||
actor: {
|
||||
type: ActorType.USER,
|
||||
metadata: {
|
||||
userId: user._id.toString(),
|
||||
email: user.email
|
||||
}
|
||||
},
|
||||
authPayload: user,
|
||||
ipAddress,
|
||||
userAgent,
|
||||
userAgentType
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,60 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import {
|
||||
getClientIdGitHubLogin,
|
||||
getClientSecretGitHubLogin,
|
||||
} from "../../../config";
|
||||
import { standardRequest } from "../../../config/request";
|
||||
import { AuthMethod } from "../../../models";
|
||||
import { INTEGRATION_GITHUB_API_URL } from "../../../variables";
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitHubStrategy = require("passport-github").Strategy;
|
||||
|
||||
export const initializeGitHubStrategy = async () => {
|
||||
const clientIdGitHubLogin = await getClientIdGitHubLogin();
|
||||
const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
|
||||
if (clientIdGitHubLogin && clientSecretGitHubLogin) {
|
||||
passport.use(
|
||||
new GitHubStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitHubLogin,
|
||||
clientSecret: clientSecretGitHubLogin,
|
||||
callbackURL: "/api/v1/sso/github",
|
||||
scope: ["user:email"]
|
||||
}, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
interface GitHubEmail {
|
||||
email: string;
|
||||
primary: boolean;
|
||||
verified: boolean;
|
||||
visibility: null | string;
|
||||
}
|
||||
|
||||
const { data }: { data: GitHubEmail[] } = await standardRequest.get(
|
||||
`${INTEGRATION_GITHUB_API_URL}/user/emails`,
|
||||
{
|
||||
headers: {
|
||||
Authorization: `Bearer ${accessToken}`
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
|
||||
const email = primaryEmail.email;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.displayName,
|
||||
lastName: "",
|
||||
authMethod: AuthMethod.GITHUB,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
})
|
||||
);
|
||||
}
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import {
|
||||
getClientIdGitLabLogin,
|
||||
getClientSecretGitLabLogin,
|
||||
getUrlGitLabLogin
|
||||
} from "../../../config";
|
||||
import { AuthMethod } from "../../../models";
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GitLabStrategy = require("passport-gitlab2").Strategy;
|
||||
|
||||
export const initializeGitLabStrategy = async () => {
|
||||
const urlGitLab = await getUrlGitLabLogin();
|
||||
const clientIdGitLabLogin = await getClientIdGitLabLogin();
|
||||
const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
|
||||
|
||||
if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
|
||||
passport.use(
|
||||
new GitLabStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGitLabLogin,
|
||||
clientSecret: clientSecretGitLabLogin,
|
||||
callbackURL: "/api/v1/sso/gitlab",
|
||||
baseURL: urlGitLab
|
||||
}, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.displayName,
|
||||
lastName: "",
|
||||
authMethod: AuthMethod.GITLAB,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
return done(null, profile);
|
||||
})
|
||||
);
|
||||
}
|
||||
}
|
@ -0,0 +1,48 @@
|
||||
import express from "express";
|
||||
import passport from "passport";
|
||||
import { getClientIdGoogleLogin, getClientSecretGoogleLogin } from "../../../config";
|
||||
import { AuthMethod } from "../../../models";
|
||||
|
||||
import { handleSSOUserTokenFlow } from "./helpers";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const GoogleStrategy = require("passport-google-oauth20").Strategy;
|
||||
|
||||
export const initializeGoogleStrategy = async () => {
|
||||
const clientIdGoogleLogin = await getClientIdGoogleLogin();
|
||||
const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
|
||||
|
||||
if (clientIdGoogleLogin && clientSecretGoogleLogin) {
|
||||
passport.use(new GoogleStrategy({
|
||||
passReqToCallback: true,
|
||||
clientID: clientIdGoogleLogin,
|
||||
clientSecret: clientSecretGoogleLogin,
|
||||
callbackURL: "/api/v1/sso/google",
|
||||
scope: ["profile", " email"],
|
||||
}, async (
|
||||
req: express.Request,
|
||||
accessToken: string,
|
||||
refreshToken: string,
|
||||
profile: any,
|
||||
done: any
|
||||
) => {
|
||||
try {
|
||||
const email = profile.emails[0].value;
|
||||
|
||||
const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
|
||||
email,
|
||||
firstName: profile.name.givenName,
|
||||
lastName: profile.name.familyName,
|
||||
authMethod: AuthMethod.GOOGLE,
|
||||
callbackPort: req.query.state as string
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
done(null, profile);
|
||||
} catch (err) {
|
||||
done(null, false);
|
||||
}
|
||||
}));
|
||||
}
|
||||
}
|
@ -0,0 +1,62 @@
|
||||
import {
|
||||
AuthMethod,
|
||||
User
|
||||
} from "../../../models";
|
||||
import { createToken } from "../../../helpers/auth";
|
||||
import { AuthTokenType } from "../../../variables";
|
||||
import { getAuthSecret, getJwtProviderAuthLifetime} from "../../../config";
|
||||
|
||||
interface SSOUserTokenFlowParams {
|
||||
email: string;
|
||||
firstName: string;
|
||||
lastName: string;
|
||||
authMethod: AuthMethod;
|
||||
callbackPort?: string;
|
||||
}
|
||||
|
||||
export const handleSSOUserTokenFlow = async ({
|
||||
email,
|
||||
firstName,
|
||||
lastName,
|
||||
authMethod,
|
||||
callbackPort
|
||||
}: SSOUserTokenFlowParams) => {
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (!user) {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [authMethod],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
}
|
||||
|
||||
let isLinkingRequired = false;
|
||||
if (!user.authMethods.includes(authMethod)) {
|
||||
isLinkingRequired = true;
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName: user.firstName,
|
||||
lastName: user.lastName,
|
||||
authMethod,
|
||||
isUserCompleted,
|
||||
isLinkingRequired,
|
||||
...(callbackPort ? {
|
||||
callbackPort
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
return { isUserCompleted, providerAuthToken };
|
||||
}
|
@ -0,0 +1,4 @@
|
||||
export { initializeGoogleStrategy } from "./google";
|
||||
export { initializeGitHubStrategy } from "./github";
|
||||
export { initializeGitLabStrategy } from "./gitlab";
|
||||
export { initializeSamlStrategy } from "./saml";
|
@ -0,0 +1,173 @@
|
||||
import passport from "passport";
|
||||
import {
|
||||
getAuthSecret,
|
||||
getJwtProviderAuthLifetime,
|
||||
getSiteURL
|
||||
} from "../../../config";
|
||||
import {
|
||||
AuthMethod,
|
||||
MembershipOrg,
|
||||
Organization,
|
||||
User
|
||||
} from "../../../models";
|
||||
import {
|
||||
createToken
|
||||
} from "../../../helpers/auth";
|
||||
import {
|
||||
ACCEPTED,
|
||||
AuthTokenType,
|
||||
INVITED,
|
||||
MEMBER
|
||||
} from "../../../variables";
|
||||
import { Types } from "mongoose";
|
||||
import { getSSOConfigHelper } from "../../../ee/helpers/organizations";
|
||||
import { InternalServerError, OrganizationNotFoundError } from "../../errors";
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||
const { MultiSamlStrategy } = require("@node-saml/passport-saml");
|
||||
|
||||
export const initializeSamlStrategy = async () => {
|
||||
passport.use("saml", new MultiSamlStrategy(
|
||||
{
|
||||
passReqToCallback: true,
|
||||
getSamlOptions: async (req: any, done: any) => {
|
||||
const { ssoIdentifier } = req.params;
|
||||
|
||||
const ssoConfig = await getSSOConfigHelper({
|
||||
ssoConfigId: new Types.ObjectId(ssoIdentifier)
|
||||
});
|
||||
|
||||
interface ISAMLConfig {
|
||||
callbackUrl: string;
|
||||
entryPoint: string;
|
||||
issuer: string;
|
||||
cert: string;
|
||||
audience: string;
|
||||
wantAuthnResponseSigned?: boolean;
|
||||
}
|
||||
|
||||
const samlConfig: ISAMLConfig = ({
|
||||
callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
|
||||
entryPoint: ssoConfig.entryPoint,
|
||||
issuer: ssoConfig.issuer,
|
||||
cert: ssoConfig.cert,
|
||||
audience: await getSiteURL()
|
||||
});
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
|
||||
samlConfig.wantAuthnResponseSigned = false;
|
||||
}
|
||||
|
||||
if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
|
||||
if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
|
||||
samlConfig.audience = `spn:${ssoConfig.issuer}`;
|
||||
}
|
||||
}
|
||||
|
||||
req.ssoConfig = ssoConfig;
|
||||
|
||||
done(null, samlConfig);
|
||||
},
|
||||
},
|
||||
async (req: any, profile: any, done: any) => {
|
||||
if (!req.ssoConfig.isActive) return done(InternalServerError());
|
||||
|
||||
const organization = await Organization.findById(req.ssoConfig.organization);
|
||||
|
||||
if (!organization) return done(OrganizationNotFoundError());
|
||||
|
||||
const email = profile.email;
|
||||
const firstName = profile.firstName;
|
||||
const lastName = profile.lastName;
|
||||
|
||||
let user = await User.findOne({
|
||||
email
|
||||
}).select("+publicKey");
|
||||
|
||||
if (user) {
|
||||
// if user does not have SAML enabled then update
|
||||
const hasSamlEnabled = user.authMethods
|
||||
.some(
|
||||
(authMethod: AuthMethod) => [
|
||||
AuthMethod.OKTA_SAML,
|
||||
AuthMethod.AZURE_SAML,
|
||||
AuthMethod.JUMPCLOUD_SAML
|
||||
].includes(authMethod)
|
||||
);
|
||||
|
||||
if (!hasSamlEnabled) {
|
||||
await User.findByIdAndUpdate(
|
||||
user._id,
|
||||
{
|
||||
authMethods: [req.ssoConfig.authProvider]
|
||||
},
|
||||
{
|
||||
new: true
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
let membershipOrg = await MembershipOrg.findOne(
|
||||
{
|
||||
user: user._id,
|
||||
organization: organization._id
|
||||
}
|
||||
);
|
||||
|
||||
if (!membershipOrg) {
|
||||
membershipOrg = await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: ACCEPTED
|
||||
}).save();
|
||||
}
|
||||
|
||||
if (membershipOrg.status === INVITED) {
|
||||
membershipOrg.status = ACCEPTED;
|
||||
await membershipOrg.save();
|
||||
}
|
||||
} else {
|
||||
user = await new User({
|
||||
email,
|
||||
authMethods: [req.ssoConfig.authProvider],
|
||||
firstName,
|
||||
lastName
|
||||
}).save();
|
||||
|
||||
await new MembershipOrg({
|
||||
inviteEmail: email,
|
||||
user: user._id,
|
||||
organization: organization._id,
|
||||
role: MEMBER,
|
||||
status: INVITED
|
||||
}).save();
|
||||
}
|
||||
|
||||
const isUserCompleted = !!user.publicKey;
|
||||
const providerAuthToken = createToken({
|
||||
payload: {
|
||||
authTokenType: AuthTokenType.PROVIDER_TOKEN,
|
||||
userId: user._id.toString(),
|
||||
email: user.email,
|
||||
firstName,
|
||||
lastName,
|
||||
organizationName: organization?.name,
|
||||
authMethod: req.ssoConfig.authProvider,
|
||||
isUserCompleted,
|
||||
...(req.body.RelayState ? {
|
||||
callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
|
||||
} : {})
|
||||
},
|
||||
expiresIn: await getJwtProviderAuthLifetime(),
|
||||
secret: await getAuthSecret(),
|
||||
});
|
||||
|
||||
req.isUserCompleted = isUserCompleted;
|
||||
req.providerAuthToken = providerAuthToken;
|
||||
|
||||
done(null, profile);
|
||||
}
|
||||
));
|
||||
}
|
@ -1,67 +0,0 @@
|
||||
/* eslint-disable no-console */
|
||||
import { createLogger, format, transports } from "winston";
|
||||
import LokiTransport from "winston-loki";
|
||||
import { getLokiHost, getNodeEnv } from "../config";
|
||||
|
||||
const { combine, colorize, label, printf, splat, timestamp } = format;
|
||||
|
||||
const logFormat = (prefix: string) => combine(
|
||||
timestamp(),
|
||||
splat(),
|
||||
label({ label: prefix }),
|
||||
printf((info) => `${info.timestamp} ${info.label} ${info.level}: ${info.message}`)
|
||||
);
|
||||
|
||||
const createLoggerWithLabel = async (level: string, label: string) => {
|
||||
const _level = level.toLowerCase() || "info"
|
||||
//* Always add Console output to transports
|
||||
const _transports: any[] = [
|
||||
new transports.Console({
|
||||
format: combine(
|
||||
colorize(),
|
||||
logFormat(label),
|
||||
// format.json()
|
||||
),
|
||||
}),
|
||||
]
|
||||
//* Add LokiTransport if it's enabled
|
||||
if((await getLokiHost()) !== undefined){
|
||||
_transports.push(
|
||||
new LokiTransport({
|
||||
host: await getLokiHost(),
|
||||
handleExceptions: true,
|
||||
handleRejections: true,
|
||||
batching: true,
|
||||
level: _level,
|
||||
timeout: 30000,
|
||||
format: format.combine(
|
||||
format.json()
|
||||
),
|
||||
labels: {
|
||||
app: process.env.npm_package_name,
|
||||
version: process.env.npm_package_version,
|
||||
environment: await getNodeEnv(),
|
||||
},
|
||||
onConnectionError: (err: Error)=> console.error("Connection error while connecting to Loki Server.\n", err),
|
||||
})
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
return createLogger({
|
||||
level: _level,
|
||||
transports: _transports,
|
||||
format: format.combine(
|
||||
logFormat(label),
|
||||
format.metadata({ fillExcept: ["message", "level", "timestamp", "label"] })
|
||||
),
|
||||
});
|
||||
}
|
||||
|
||||
export const getLogger = async (loggerName: "backend-main" | "database") => {
|
||||
const logger = {
|
||||
"backend-main": await createLoggerWithLabel("info", "[IFSC:backend-main]"),
|
||||
"database": await createLoggerWithLabel("info", "[IFSC:database]"),
|
||||
}
|
||||
return logger[loggerName]
|
||||
}
|
@ -0,0 +1 @@
|
||||
export { logger } from "./logger";
|
@ -0,0 +1,15 @@
|
||||
import pino from "pino";
|
||||
|
||||
export const logger = pino({
|
||||
level: process.env.PINO_LOG_LEVEL || "trace",
|
||||
timestamp: pino.stdTimeFunctions.isoTime,
|
||||
formatters: {
|
||||
bindings: (bindings) => {
|
||||
return {
|
||||
pid: bindings.pid,
|
||||
hostname: bindings.hostname
|
||||
// node_version: process.version
|
||||
};
|
||||
},
|
||||
}
|
||||
});
|
@ -1,17 +1,22 @@
|
||||
// TODO: merge [AuthTokenType] and [AuthMode]
|
||||
|
||||
export enum AuthTokenType {
|
||||
ACCESS_TOKEN = "accessToken",
|
||||
REFRESH_TOKEN = "refreshToken",
|
||||
SIGNUP_TOKEN = "signupToken",
|
||||
MFA_TOKEN = "mfaToken",
|
||||
PROVIDER_TOKEN = "providerToken",
|
||||
API_KEY = "apiKey"
|
||||
SIGNUP_TOKEN = "signupToken", // TODO: remove in favor of claim
|
||||
MFA_TOKEN = "mfaToken", // TODO: remove in favor of claim
|
||||
PROVIDER_TOKEN = "providerToken", // TODO: remove in favor of claim
|
||||
API_KEY = "apiKey",
|
||||
SERVICE_ACCESS_TOKEN = "serviceAccessToken",
|
||||
SERVICE_REFRESH_TOKEN = "serviceRefreshToken"
|
||||
}
|
||||
|
||||
export enum AuthMode {
|
||||
JWT = "jwt",
|
||||
SERVICE_TOKEN = "serviceToken",
|
||||
SERVICE_TOKEN_V3 = "serviceTokenV3",
|
||||
API_KEY = "apiKey"
|
||||
SERVICE_ACCESS_TOKEN = "serviceAccessToken",
|
||||
API_KEY = "apiKey",
|
||||
API_KEY_V2 = "apiKeyV2"
|
||||
}
|
||||
|
||||
export const K8_USER_AGENT_NAME = "k8-operator"
|
@ -0,0 +1,37 @@
|
||||
---
|
||||
title: "MySQL/MariaDB"
|
||||
description: "Rotated database user password of a MySQL or MariaDB"
|
||||
---
|
||||
|
||||
Infisical will update periodically the provided database user's password.
|
||||
|
||||
<Warning>
|
||||
At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
|
||||
</Warning>
|
||||
|
||||
## Working
|
||||
|
||||
1. User's has to create the two user's for Infisical to rotate and provide them required database access
|
||||
2. Infisical will connect with your database with admin access
|
||||
3. If last rotated one was username1, then username2 is chosen to be rotated
|
||||
5. Update it's password with random value
|
||||
6. After testing it gets saved to the provided secret mapping
|
||||
|
||||
## Rotation Configuration
|
||||
|
||||
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
|
||||
2. Click on `MySQL`
|
||||
3. Provide the inputs
|
||||
- Admin Username: DB admin username
|
||||
- Admin Password: DB admin password
|
||||
- Host: DB host
|
||||
- Port: DB port(number)
|
||||
- Username1: The first username in two to rotate
|
||||
- Username2: The second username in two to rotate
|
||||
- CA: Certificate to connect with database(string)
|
||||
4. Final step
|
||||
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
|
||||
- Finally select the secrets in your provided board to replace with new secret after each rotation
|
||||
- Your done and good to go.
|
||||
|
||||
Congrats. You have 10x your MySQL/MariaDB access security.
|
@ -0,0 +1,44 @@
|
||||
# Secret Rotation Overview
|
||||
|
||||
## Introduction
|
||||
|
||||
Secret rotation is a process that involves updating secret credentials periodically to minimize the risk of their compromise.
|
||||
Rotating secrets helps prevent unauthorized access to systems and sensitive data by ensuring that old credentials are replaced with new ones regularly.
|
||||
|
||||
Rotated secrets may include, but are not limited to:
|
||||
|
||||
1. API keys for external services
|
||||
2. Database credentials for various platforms
|
||||
|
||||
## Rotation Process
|
||||
|
||||
The practice of rotating secrets is a systematic and interval-based operation, carried out in four fundamental phases.
|
||||
|
||||
### 1. Creation
|
||||
|
||||
The system initiates the rotation process by either making an API call to an external service or generating a new secret value internally.
|
||||
Upon successful creation, the system will temporarily have three versions of the secret:
|
||||
|
||||
- **Current active secret**: The one currently in use.
|
||||
- **Future active secret (pending)**: The newly created secret, awaiting validation.
|
||||
- **Previous active secret**: The old secret, soon to be retired.
|
||||
|
||||
### 2. Testing
|
||||
|
||||
The newly generated secret is subjected to a verification process to ensure its validity and functionality.
|
||||
This involves conducting checks or tests that simulate actual operations the secret would perform.
|
||||
Only the current active and the future active (pending) secrets are considered operational at this stage, while the previous active secret remains in standby mode.
|
||||
|
||||
### 3. Deletion
|
||||
|
||||
Post-verification, the system deactivates and deletes the previous active secret, leaving only the current and future active (pending) secrets in the system.
|
||||
|
||||
### 4. Activation
|
||||
|
||||
Finally, the system promotes the future active (pending) secret to be the new current active secret. It then triggers necessary side effects, such as invoking webhooks and generating events, to notify other services of the change.
|
||||
|
||||
## Infisical Secret Rotation Strategies
|
||||
|
||||
1. [SendGrid Integration](./sendgrid)
|
||||
2. [PostgreSQL/CockroachDB Implementation](./postgres)
|
||||
3. [MySQL/MariaDB Configuration](./mysql)
|
@ -0,0 +1,37 @@
|
||||
---
|
||||
title: "PostgreSQL/CockroachDB"
|
||||
description: "Rotated database user password of a postgreSQL or cochroach db"
|
||||
---
|
||||
|
||||
Infisical will update periodically the provided database user's password.
|
||||
|
||||
<Warning>
|
||||
At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
|
||||
</Warning>
|
||||
|
||||
## Working
|
||||
|
||||
1. User's has to create the two user's for Infisical to rotate and provide them required database access
|
||||
2. Infisical will connect with your database with admin access
|
||||
3. If last rotated one was username1, then username2 is chosen to be rotated
|
||||
5. Update it's password with random value
|
||||
6. After testing it gets saved to the provided secret mapping
|
||||
|
||||
## Rotation Configuration
|
||||
|
||||
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
|
||||
2. Click on `PostgreSQL`
|
||||
3. Provide the inputs
|
||||
- Admin Username: DB admin username
|
||||
- Admin Password: DB admin password
|
||||
- Host: DB host
|
||||
- Port: DB port(number)
|
||||
- Username1: The first username in two to rotate
|
||||
- Username2: The second username in two to rotate
|
||||
- CA: Certificate to connect with database(string)
|
||||
4. Final step
|
||||
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
|
||||
- Finally select the secrets in your provided board to replace with new secret after each rotation
|
||||
- Your done and good to go.
|
||||
|
||||
Congrats. You have 10x your PostgreSQL/CockroachDB access security.
|
@ -0,0 +1,31 @@
|
||||
---
|
||||
title: "Twilio SendGrid"
|
||||
description: "Rotate Twilio SendGrid API keys"
|
||||
---
|
||||
|
||||
Twilio SendGrid is a cloud-based email delivery platform that helps businesses send transactional and marketing emails.
|
||||
It uses an API key to do various operations. Using Infisical you can easily dynamically change the keys.
|
||||
|
||||
## Working
|
||||
|
||||
1. Infisical will need an admin token of SendGrid to create API keys dynamically.
|
||||
2. Using the given admin token and scope by user Infisical will create and rotate API keys periodically
|
||||
3. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
|
||||
|
||||
## Rotation Configuration
|
||||
|
||||
1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
|
||||
2. Click on `Twilio SendGrid Card`
|
||||
3. Provide the inputs
|
||||
- Admin API Key:
|
||||
SendGrid admin key to create lower scoped API keys.
|
||||
- API Key Scopes
|
||||
SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
|
||||
|
||||
4. Final step
|
||||
- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
|
||||
- Finally select the secrets in your provided board to replace with new secret after each rotation
|
||||
- Your done and good to go.
|
||||
|
||||
Now your output mapped secret value will be replaced periodically by SendGrid.
|
||||
|
Before Width: | Height: | Size: 1.1 MiB After Width: | Height: | Size: 1.2 MiB |
Before Width: | Height: | Size: 2.3 MiB After Width: | Height: | Size: 2.8 MiB |
Before Width: | Height: | Size: 1.4 MiB After Width: | Height: | Size: 1.6 MiB |
After Width: | Height: | Size: 13 KiB |
After Width: | Height: | Size: 68 KiB |
After Width: | Height: | Size: 4.6 KiB |
@ -0,0 +1,78 @@
|
||||
import { Children, cloneElement, ReactElement, ReactNode } from "react";
|
||||
import { faCheck } from "@fortawesome/free-solid-svg-icons";
|
||||
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
|
||||
import { twMerge } from "tailwind-merge";
|
||||
|
||||
export type StepperProps = {
|
||||
activeStep: number;
|
||||
children: ReactNode;
|
||||
direction: "vertical" | "horizontal";
|
||||
className?: string;
|
||||
};
|
||||
|
||||
export const Stepper = ({ activeStep, children, direction, className }: StepperProps) => {
|
||||
return (
|
||||
<div
|
||||
className={twMerge(
|
||||
"flex items-center w-full space-x-3 p-2 border border-bunker-300/30 rounded-md",
|
||||
className
|
||||
)}
|
||||
>
|
||||
{Children.map(children as ReactNode, (child: ReactNode, index) => {
|
||||
const isCompleted = activeStep > index;
|
||||
const isActive = index === activeStep;
|
||||
const isNotLast = index + 1 !== (children as Array<ReactNode>).length;
|
||||
return (
|
||||
<div
|
||||
className={twMerge(
|
||||
"flex items-center space-x-3 flex-shrink-0",
|
||||
isNotLast && "flex-grow"
|
||||
)}
|
||||
>
|
||||
<div className="flex items-center space-x-2 flex-shrink-0">
|
||||
<div
|
||||
className={twMerge(
|
||||
"w-7 h-7 flex items-center justify-center font-medium text-mineshaft-800 text-sm rounded-full transition-all",
|
||||
isCompleted ? "bg-primary" : "border text-bunker-300 border-primary/30",
|
||||
isActive && "bg-primary text-mineshaft-800"
|
||||
)}
|
||||
>
|
||||
{isCompleted ? <FontAwesomeIcon icon={faCheck} /> : index + 1}
|
||||
</div>
|
||||
{cloneElement(child as ReactElement, {
|
||||
direction,
|
||||
activeStep,
|
||||
isCompleted,
|
||||
isActive
|
||||
})}
|
||||
</div>
|
||||
{isNotLast && (
|
||||
<div
|
||||
style={{ height: "1px" }}
|
||||
className={twMerge("flex-grow bg-bunker-300/30", isCompleted && "bg-primary")}
|
||||
/>
|
||||
)}
|
||||
</div>
|
||||
);
|
||||
})}
|
||||
</div>
|
||||
);
|
||||
};
|
||||
|
||||
export type StepProps = {
|
||||
title: string;
|
||||
description?: ReactNode;
|
||||
// isActive?: boolean;
|
||||
// isCompleted?: boolean;
|
||||
// activeStep?: number;
|
||||
// direction?: "vertical" | "horizontal";
|
||||
};
|
||||
|
||||
export const Step = ({ title, description }: StepProps) => {
|
||||
return (
|
||||
<div className="flex flex-col text-gray-300">
|
||||
<div className="font-medium text-sm">{title}</div>
|
||||
{description && <div className="text-xs">{description}</div>}
|
||||
</div>
|
||||
);
|
||||
};
|
@ -0,0 +1,2 @@
|
||||
export type { StepperProps,StepProps } from "./Stepper";
|
||||
export { Step,Stepper } from "./Stepper";
|