Merge remote-tracking branch 'origin' into scim

Infisical · Feb 14, 2024 · e15ed4c · e15ed4c
2 parents c73ee49 + 8a0fd62
commit e15ed4c
Show file tree

Hide file tree

Showing 78 changed files with 1,008 additions and 5,559 deletions.
diff --git a/.env.example b/.env.example
@@ -3,16 +3,18 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
+# Required
+DB_CONNECTION_URI=postgres://infisical:infisical@db:5432/infisical
+
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 
-# MongoDB
-# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
-# to the MongoDB container instance or Mongo Cloud
-# Required
-MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
+# Postgres creds
+POSTGRES_PASSWORD=infisical
+POSTGRES_USER=infisical
+POSTGRES_DB=infisical
 
 # Redis
 REDIS_URL=redis://redis:6379

diff --git a/.env.migration.example b/.env.migration.example
@@ -0,0 +1 @@
+DB_CONNECTION_URI=
diff --git a/.github/workflows/check-api-for-breaking-changes.yml b/.github/workflows/check-api-for-breaking-changes.yml
@@ -14,36 +14,62 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v3
-      - name: Setup Node 20
-        uses: actions/setup-node@v3
-        with:
-          node-version: "20"
-      # uncomment this when testing locally using nektos/act
-      # - uses: KengoTODA/actions-setup-docker-compose@v1
-      #   if: ${{ env.ACT }}
-      #   name: Install `docker-compose` for local simulations
+      # - name: Setup Node 20
+      #   uses: actions/setup-node@v3
       #   with:
-      #     version: "2.14.2"
+      #     node-version: "20"
+      # uncomment this when testing locally using nektos/act
+      - uses: KengoTODA/actions-setup-docker-compose@v1
+        if: ${{ env.ACT }}
+        name: Install `docker-compose` for local simulations
+        with:
+          version: "2.14.2"
       - name: 📦Build the latest image
         run: docker build --tag infisical-api .
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.pg.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.prod.yml up -d db redis
       - name: Start the server
-        run: docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+        run: |
+            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
           JWT_AUTH_SECRET: something-random
-      - name: Install openapi api diff
-        run: npm install -g openapi-diff
-      - name: Wait for containers to be stable
-        run: timeout 60s sh -c 'until docker ps | grep infisical-api | grep -q healthy; do echo "Waiting for container to be healthy..."; sleep 2; done'
-      - name: Get changes made in API
-        id: openapi-diff
-        run: openapi-diff https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.21.5'
+      - name: Wait for container to be stable and check logs
+        run: |
+          SECONDS=0
+          HEALTHY=0
+          while [ $SECONDS -lt 60 ]; do
+            if docker ps | grep infisical-api | grep -q healthy; then
+              echo "Container is healthy."
+              HEALTHY=1
+              break
+            fi
+            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
+
+            docker logs infisical-api
+
+            sleep 2
+            SECONDS=$((SECONDS+2))
+          done
+      
+          if [ $HEALTHY -ne 1 ]; then
+            echo "Container did not become healthy in time"
+            exit 1
+          fi
+      - name: Install openapi-diff
+        run: go install github.com/tufin/oasdiff@latest
+      - name: Running OpenAPI Spec diff action
+        run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
-        run: | 
+        run: |
           docker-compose -f "docker-compose.pg.yml" down
           docker stop infisical-api
           docker remove infisical-api
diff --git a/.gitignore b/.gitignore
@@ -6,7 +6,7 @@ node_modules
 .env.gamma
 .env.prod
 .env.infisical
-
+.env.migration
 *~
 *.swp
 *.swo

diff --git a/Makefile b/Makefile
@@ -5,16 +5,10 @@ push:
 	docker-compose -f docker-compose.yml push
 
 up-dev:
-	docker-compose -f docker-compose.dev.yml up --build
-
-up-pg-dev:
-	docker compose -f docker-compose.pg.yml up --build
-
-i-dev:
-	infisical run -- docker-compose -f docker-compose.dev.yml up --build
+	docker compose -f docker-compose.dev.yml up --build
 
 up-prod:
-	docker-compose -f docker-compose.yml up --build
+	docker-compose -f docker-compose.prod.yml up --build
 
 down:
 	docker-compose down
diff --git a/README.md b/README.md
@@ -84,13 +84,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Windows Command Prompt:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Create an account at `http://localhost:80`

diff --git a/backend/scripts/generate-schema-types.ts b/backend/scripts/generate-schema-types.ts
@@ -3,13 +3,9 @@ import dotenv from "dotenv";
 import path from "path";
 import knex from "knex";
 import { writeFileSync } from "fs";
-import promptSync from "prompt-sync";
-
-const prompt = promptSync({ sigint: true });
 
 dotenv.config({
-  path: path.join(__dirname, "../.env"),
-  debug: true
+  path: path.join(__dirname, "../../.env.migration")
 });
 
 const db = knex({
@@ -94,17 +90,7 @@ const main = async () => {
       .orderBy("table_name")
   ).filter((el) => !el.tableName.includes("_migrations"));
 
-  console.log("Select a table to generate schema");
-  console.table(tables);
-  console.log("all: all tables");
-  const selectedTables = prompt("Type table numbers comma seperated: ");
-  const tableNumbers =
-    selectedTables !== "all" ? selectedTables.split(",").map((el) => Number(el)) : [];
-
   for (let i = 0; i < tables.length; i += 1) {
-    // skip if not desired table
-    if (selectedTables !== "all" && !tableNumbers.includes(i)) continue;
-
     const { tableName } = tables[i];
     const columns = await db(tableName).columnInfo();
     const columnNames = Object.keys(columns);
@@ -124,16 +110,16 @@ const main = async () => {
       if (colInfo.nullable) {
         ztype = ztype.concat(".nullable().optional()");
       }
-      schema = schema.concat(`${!schema ? "\n" : ""}  ${columnName}: ${ztype},\n`);
+      schema = schema.concat(
+        `${!schema ? "\n" : ""}  ${columnName}: ${ztype}${colNum === columnNames.length - 1 ? "" : ","}\n`
+      );
     }
 
     const dashcase = tableName.split("_").join("-");
     const pascalCase = tableName
       .split("_")
-      .reduce(
-        (prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`,
-        ""
-      );
+      .reduce((prev, curr) => prev + `${curr.at(0)?.toUpperCase()}${curr.slice(1).toLowerCase()}`, "");
+
     writeFileSync(
       path.join(__dirname, "../src/db/schemas", `${dashcase}.ts`),
       `// Code generated by automation script, DO NOT EDIT.
@@ -152,15 +138,6 @@ export type T${pascalCase}Insert = Omit<T${pascalCase}, TImmutableDBKeys>;
 export type T${pascalCase}Update = Partial<Omit<T${pascalCase}, TImmutableDBKeys>>;
 `
     );
-
-    // const file = readFileSync(path.join(__dirname, "../src/db/schemas/index.ts"), "utf8");
-    // if (!file.includes(`export * from "./${dashcase};"`)) {
-    //   appendFileSync(
-    //     path.join(__dirname, "../src/db/schemas/index.ts"),
-    //     `\nexport * from "./${dashcase}";`,
-    //     "utf8"
-    //   );
-    // }
   }
 
   process.exit(0);

diff --git a/backend/src/db/knexfile.ts b/backend/src/db/knexfile.ts
@@ -5,9 +5,9 @@ import dotenv from "dotenv";
 import type { Knex } from "knex";
 import path from "path";
 
-// Update with your config settings.
+// Update with your config settings. .
 dotenv.config({
-  path: path.join(__dirname, "../../.env"),
+  path: path.join(__dirname, "../../../.env.migration"),
   debug: true
 });
 export default {

diff --git a/backend/src/ee/routes/v1/project-router.ts b/backend/src/ee/routes/v1/project-router.ts
@@ -11,6 +11,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     url: "/:workspaceId/secret-snapshots",
     schema: {
+      description: "Return project secret snapshots ids",
+      security: [
+        {
+          apiKeyAuth: [],
+          bearerAuth: []
+        }
+      ],
       params: z.object({
         workspaceId: z.string().trim()
       }),
@@ -74,6 +81,13 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "GET",
     url: "/:workspaceId/audit-logs",
     schema: {
+      description: "Return audit logs",
+      security: [
+        {
+          bearerAuth: [],
+          apiKeyAuth: []
+        }
+      ],
       params: z.object({
         workspaceId: z.string().trim()
       }),

diff --git a/backend/src/ee/routes/v1/saml-router.ts b/backend/src/ee/routes/v1/saml-router.ts
@@ -19,7 +19,6 @@ import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 type TSAMLConfig = {
   callbackUrl: string;
@@ -28,6 +27,7 @@ type TSAMLConfig = {
   cert: string;
   audience: string;
   wantAuthnResponseSigned?: boolean;
+  disableRequestedAuthnContext?: boolean;
 };
 
 export const registerSamlRouter = async (server: FastifyZodProvider) => {
@@ -77,6 +77,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               samlConfig.wantAuthnResponseSigned = false;
             }
             if (ssoConfig.authProvider === SamlProviders.AZURE_SAML) {
+              samlConfig.disableRequestedAuthnContext = true;
               if (req.body?.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
                 samlConfig.audience = `spn:${ssoConfig.issuer}`;
               }
@@ -92,7 +93,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req, profile, cb) => {
         try {
-          const serverCfg = await getServerCfg();
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
           const { firstName } = profile;
           const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved
@@ -105,7 +105,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             email,
             firstName: profile.firstName as string,
             lastName: profile.lastName as string,
-            isSignupAllowed: Boolean(serverCfg.allowSignUp),
             relayState: (req.body as { RelayState?: string }).RelayState,
             authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
             orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string

diff --git a/backend/src/ee/routes/v1/snapshot-router.ts b/backend/src/ee/routes/v1/snapshot-router.ts
@@ -57,6 +57,13 @@ export const registerSnapshotRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/:secretSnapshotId/rollback",
     schema: {
+      description: "Roll back project secrets to those captured in a secret snapshot version.",
+      security: [
+        {
+          apiKeyAuth: [],
+          bearerAuth: []
+        }
+      ],
       params: z.object({
         secretSnapshotId: z.string().trim()
       }),

diff --git a/backend/src/ee/services/saml-config/saml-config-service.ts b/backend/src/ee/services/saml-config/saml-config-service.ts
@@ -300,19 +300,9 @@ export const samlConfigServiceFactory = ({
     };
   };
 
-  const samlLogin = async ({
-    firstName,
-    email,
-    lastName,
-    authProvider,
-    orgId,
-    relayState,
-    isSignupAllowed
-  }: TSamlLoginDTO) => {
+  const samlLogin = async ({ firstName, email, lastName, authProvider, orgId, relayState }: TSamlLoginDTO) => {
     const appCfg = getConfig();
     let user = await userDAL.findUserByEmail(email);
-    const isSamlSignUpDisabled = !isSignupAllowed && !user;
-    if (isSamlSignUpDisabled) throw new BadRequestError({ message: "User signup disabled", name: "Saml SSO login" });
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) throw new BadRequestError({ message: "Org not found" });

diff --git a/backend/src/ee/services/saml-config/saml-config-types.ts b/backend/src/ee/services/saml-config/saml-config-types.ts
@@ -41,7 +41,6 @@ export type TSamlLoginDTO = {
   lastName?: string;
   authProvider: string;
   orgId: string;
-  isSignupAllowed: boolean;
   // saml thingy
   relayState?: string;
 };
diff --git a/backend/src/server/plugins/swagger.ts b/backend/src/server/plugins/swagger.ts
@@ -25,13 +25,13 @@ export const fastifySwagger = fp(async (fastify) => {
       ],
       components: {
         securitySchemes: {
-          bearer: {
+          bearerAuth: {
             type: "http",
             scheme: "bearer",
             bearerFormat: "JWT",
-            description: "A service token in Infisical"
+            description: "An access token in Infisical"
           },
-          apiKey: {
+          apiKeyAuth: {
             type: "apiKey",
             in: "header",
             name: "X-API-Key",

diff --git a/backend/src/server/routes/v1/admin-router.ts b/backend/src/server/routes/v1/admin-router.ts
@@ -72,7 +72,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           message: z.string(),
           user: UsersSchema,
-          token: z.string()
+          token: z.string(),
+          new: z.string()
         })
       }
     },
@@ -107,7 +108,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       return {
         message: "Successfully set up admin account",
         user: user.user,
-        token: token.access
+        token: token.access,
+        new: "123"
       };
     }
   });

diff --git a/backend/src/server/routes/v1/identity-access-token-router.ts b/backend/src/server/routes/v1/identity-access-token-router.ts
@@ -5,6 +5,7 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
     url: "/token/renew",
     method: "POST",
     schema: {
+      description: "Renew access token",
       body: z.object({
         accessToken: z.string().trim()
       }),