Merge remote-tracking branch 'origin' into ssh-certs

Infisical · Dec 18, 2024 · fed99a1 · fed99a1
2 parents d4cfee9 + 6a8be75
commit fed99a1
Show file tree

Hide file tree

Showing 56 changed files with 1,368 additions and 511 deletions.
diff --git a/backend/e2e-test/mocks/queue.ts b/backend/e2e-test/mocks/queue.ts
@@ -22,8 +22,10 @@ export const mockQueue = (): TQueueServiceFactory => {
     listen: (name, event) => {
       events[name] = event;
     },
+    getRepeatableJobs: async () => [],
     clearQueue: async () => {},
     stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true
+    stopRepeatableJobByJobId: async () => true,
+    stopRepeatableJobByKey: async () => true
   };
 };
diff --git a/backend/src/lib/api-docs/constants.ts b/backend/src/lib/api-docs/constants.ts
@@ -1137,6 +1137,7 @@ export const INTEGRATION = {
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
+      azureLabel: "Define which label to assign to secrets created in Azure App Configuration.",
       githubVisibility:
         "Define where the secrets from the Github Integration should be visible. Option 'selected' lets you directly define which repositories to sync secrets to.",
       githubVisibilityRepoIds:

diff --git a/backend/src/lib/knex/index.ts b/backend/src/lib/knex/index.ts
@@ -20,11 +20,12 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({
 
 export type TFindFilter<R extends object = object> = Partial<R> & {
   $in?: Partial<{ [k in keyof R]: R[k][] }>;
+  $notNull?: Array<keyof R>;
   $search?: Partial<{ [k in keyof R]: R[k] }>;
   $complex?: TKnexDynamicOperator<R>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, $search, $complex, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, $notNull, $search, $complex, ...filter }: TFindFilter<R>) =>
   (bd: Knex.QueryBuilder<R, R>) => {
     void bd.where(filter);
     if ($in) {
@@ -34,6 +35,13 @@ export const buildFindFilter =
         }
       });
     }
+
+    if ($notNull?.length) {
+      $notNull.forEach((key) => {
+        void bd.whereNotNull(key as never);
+      });
+    }
+
     if ($search) {
       Object.entries($search).forEach(([key, val]) => {
         if (val) {

diff --git a/backend/src/queue/queue-service.ts b/backend/src/queue/queue-service.ts
@@ -317,6 +317,13 @@ export const queueServiceFactory = (
     }
   };
 
+  const getRepeatableJobs = (name: QueueName, startOffset?: number, endOffset?: number) => {
+    const q = queueContainer[name];
+    if (!q) throw new Error(`Queue '${name}' not initialized`);
+
+    return q.getRepeatableJobs(startOffset, endOffset);
+  };
+
   const stopRepeatableJobByJobId = async <T extends QueueName>(name: T, jobId: string) => {
     const q = queueContainer[name];
     const job = await q.getJob(jobId);
@@ -326,6 +333,11 @@ export const queueServiceFactory = (
     return q.removeRepeatableByKey(job.repeatJobKey);
   };
 
+  const stopRepeatableJobByKey = async <T extends QueueName>(name: T, repeatJobKey: string) => {
+    const q = queueContainer[name];
+    return q.removeRepeatableByKey(repeatJobKey);
+  };
+
   const stopJobById = async <T extends QueueName>(name: T, jobId: string) => {
     const q = queueContainer[name];
     const job = await q.getJob(jobId);
@@ -349,8 +361,10 @@ export const queueServiceFactory = (
     shutdown,
     stopRepeatableJob,
     stopRepeatableJobByJobId,
+    stopRepeatableJobByKey,
     clearQueue,
     stopJobById,
+    getRepeatableJobs,
     startPg,
     queuePg
   };

diff --git a/backend/src/server/routes/index.ts b/backend/src/server/routes/index.ts
@@ -551,7 +551,11 @@ export const registerRoutes = async (
 
   const orgService = orgServiceFactory({
     userAliasDAL,
+    queueService,
     identityMetadataDAL,
+    secretDAL,
+    secretV2BridgeDAL,
+    folderDAL,
     licenseService,
     samlConfigDAL,
     orgRoleDAL,
@@ -572,6 +576,7 @@ export const registerRoutes = async (
     groupDAL,
     orgBotDAL,
     oidcConfigDAL,
+    loginService,
     projectBotService
   });
   const signupService = authSignupServiceFactory({
@@ -805,10 +810,58 @@ export const registerRoutes = async (
     projectTemplateDAL
   });
 
+  const integrationAuthService = integrationAuthServiceFactory({
+    integrationAuthDAL,
+    integrationDAL,
+    permissionService,
+    projectBotService,
+    kmsService
+  });
+
+  const secretQueueService = secretQueueFactory({
+    keyStore,
+    queueService,
+    secretDAL,
+    folderDAL,
+    integrationAuthService,
+    projectBotService,
+    integrationDAL,
+    secretImportDAL,
+    projectEnvDAL,
+    webhookDAL,
+    orgDAL,
+    auditLogService,
+    userDAL,
+    projectMembershipDAL,
+    smtpService,
+    projectDAL,
+    projectBotDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    kmsService,
+    secretVersionV2BridgeDAL,
+    secretV2BridgeDAL,
+    secretVersionTagV2BridgeDAL,
+    secretRotationDAL,
+    integrationAuthDAL,
+    snapshotDAL,
+    snapshotSecretV2BridgeDAL,
+    secretApprovalRequestDAL,
+    projectKeyDAL,
+    projectUserMembershipRoleDAL,
+    orgService
+  });
+
   const projectService = projectServiceFactory({
     permissionService,
     projectDAL,
+    secretDAL,
+    secretV2BridgeDAL,
+    queueService,
     projectQueue: projectQueueService,
+    projectBotService,
     identityProjectDAL,
     identityOrgMembershipDAL,
     projectKeyDAL,
@@ -891,48 +944,6 @@ export const registerRoutes = async (
     projectDAL
   });
 
-  const integrationAuthService = integrationAuthServiceFactory({
-    integrationAuthDAL,
-    integrationDAL,
-    permissionService,
-    projectBotService,
-    kmsService
-  });
-  const secretQueueService = secretQueueFactory({
-    keyStore,
-    queueService,
-    secretDAL,
-    folderDAL,
-    integrationAuthService,
-    projectBotService,
-    integrationDAL,
-    secretImportDAL,
-    projectEnvDAL,
-    webhookDAL,
-    orgDAL,
-    auditLogService,
-    userDAL,
-    projectMembershipDAL,
-    smtpService,
-    projectDAL,
-    projectBotDAL,
-    secretVersionDAL,
-    secretBlindIndexDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    kmsService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    secretRotationDAL,
-    integrationAuthDAL,
-    snapshotDAL,
-    snapshotSecretV2BridgeDAL,
-    secretApprovalRequestDAL,
-    projectKeyDAL,
-    projectUserMembershipRoleDAL,
-    orgService
-  });
   const secretImportService = secretImportServiceFactory({
     licenseService,
     projectBotService,
@@ -1261,6 +1272,7 @@ export const registerRoutes = async (
     auditLogDAL,
     queueService,
     secretVersionDAL,
+    secretDAL,
     secretFolderVersionDAL: folderVersionDAL,
     snapshotDAL,
     identityAccessTokenDAL,

diff --git a/backend/src/server/routes/v1/integration-auth-router.ts b/backend/src/server/routes/v1/integration-auth-router.ts
@@ -1185,4 +1185,50 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
       return { spaces };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:integrationAuthId/circleci/organizations",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          organizations: z
+            .object({
+              name: z.string(),
+              slug: z.string(),
+              projects: z
+                .object({
+                  name: z.string(),
+                  id: z.string()
+                })
+                .array(),
+              contexts: z
+                .object({
+                  name: z.string(),
+                  id: z.string()
+                })
+                .array()
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const organizations = await server.services.integrationAuth.getCircleCIOrganizations({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId
+      });
+      return { organizations };
+    }
+  });
 };
diff --git a/backend/src/server/routes/v1/organization-router.ts b/backend/src/server/routes/v1/organization-router.ts
@@ -16,6 +16,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
+import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
 
 import { integrationAuthPubSchema } from "../sanitizedSchemas";
 
@@ -29,9 +30,11 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          organizations: OrganizationsSchema.extend({
-            orgAuthMethod: z.string()
-          }).array()
+          organizations: sanitizedOrganizationSchema
+            .extend({
+              orgAuthMethod: z.string()
+            })
+            .array()
         })
       }
     },

diff --git a/backend/src/server/routes/v2/organization-router.ts b/backend/src/server/routes/v2/organization-router.ts
@@ -10,6 +10,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
+import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@@ -363,21 +364,35 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          organization: OrganizationsSchema
+          organization: OrganizationsSchema,
+          accessToken: z.string()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
-    handler: async (req) => {
+    handler: async (req, res) => {
       if (req.auth.actor !== ActorType.USER) return;
 
-      const organization = await server.services.org.deleteOrganizationById(
-        req.permission.id,
-        req.params.organizationId,
-        req.permission.authMethod,
-        req.permission.orgId
-      );
-      return { organization };
+      const cfg = getConfig();
+
+      const { organization, tokens } = await server.services.org.deleteOrganizationById({
+        userId: req.permission.id,
+        orgId: req.params.organizationId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        authorizationHeader: req.headers.authorization,
+        userAgentHeader: req.headers["user-agent"],
+        ipAddress: req.realIp
+      });
+
+      void res.setCookie("jid", tokens.refreshToken, {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: cfg.HTTPS_ENABLED
+      });
+
+      return { organization, accessToken: tokens.accessToken };
     }
   });
 };
diff --git a/backend/src/server/routes/v2/user-router.ts b/backend/src/server/routes/v2/user-router.ts
@@ -1,10 +1,11 @@
 import { z } from "zod";
 
-import { AuthTokenSessionsSchema, OrganizationsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import { AuthTokenSessionsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMethod, AuthMode, MfaMethod } from "@app/services/auth/auth-type";
+import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
 
 export const registerUserRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -134,7 +135,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
       description: "Return organizations that current user is part of",
       response: {
         200: z.object({
-          organizations: OrganizationsSchema.array()
+          organizations: sanitizedOrganizationSchema.array()
         })
       }
     },

diff --git a/backend/src/services/auth-token/auth-token-dal.ts b/backend/src/services/auth-token/auth-token-dal.ts
@@ -12,9 +12,12 @@ export type TTokenDALFactory = ReturnType<typeof tokenDALFactory>;
 export const tokenDALFactory = (db: TDbClient) => {
   const authOrm = ormify(db, TableName.AuthTokens);
 
-  const findOneTokenSession = async (filter: Partial<TAuthTokenSessions>): Promise<TAuthTokenSessions | undefined> => {
+  const findOneTokenSession = async (
+    filter: Partial<TAuthTokenSessions>,
+    tx?: Knex
+  ): Promise<TAuthTokenSessions | undefined> => {
     try {
-      const doc = await db.replicaNode()(TableName.AuthTokenSession).where(filter).first();
+      const doc = await (tx || db.replicaNode())(TableName.AuthTokenSession).where(filter).first();
       return doc;
     } catch (error) {
       throw new DatabaseError({ error, name: "FindOneTokenSession" });
@@ -54,10 +57,11 @@ export const tokenDALFactory = (db: TDbClient) => {
   const insertTokenSession = async (
     userId: string,
     ip: string,
-    userAgent: string
+    userAgent: string,
+    tx?: Knex
   ): Promise<TAuthTokenSessions | undefined> => {
     try {
-      const [session] = await db(TableName.AuthTokenSession)
+      const [session] = await (tx || db)(TableName.AuthTokenSession)
         .insert({
           userId,
           ip,