Merge branch 'main' into feat--better-titles

Author: rohan-chaturvedi

.vscode/settings.json

@@ -32,5 +32,7 @@
   "[typescriptreact]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
   },
-  "cSpell.words": ["organisation"] // Don't run prettier for files listed in .gitignore
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  } // Don't run prettier for files listed in .gitignore
 }

CONTRIBUTING.md

@@ -57,12 +57,12 @@ Any third-party components incorporated into our code are licensed under the ori
 
 3. Install the dependencies:
     ```bash
-    docker compose -f dev-docker-compose.yml build
+    docker compose --env-file .env.dev  -f dev-docker-compose.yml build
     ```
 
 4. Start the containers in dev mode using:
     ```bash
-    docker compose -f dev-docker-compose.yml up
+    docker compose --env-file .env.dev -f dev-docker-compose.yml up -d
     ```
 
 5. The Console is now running at <https://localhost> with [HMR (Hot Module Replacement)](https://webpack.js.org/concepts/hot-module-replacement) and a self-signed certificate.

backend/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM python:3.12.1-alpine3.19@sha256:28230397c48cf4e2619822beb834ae7e46ebcd255b8f7cef58eff932fd75d2ce
+FROM python:3.12.1-alpine3.19
 
 ENV PYTHONUNBUFFERED 1
 

backend/api/auth.py

@@ -6,7 +6,7 @@
     get_token_type,
     token_is_expired_or_deleted,
 )
-from api.models import Environment
+from api.models import DynamicSecret, Environment, Secret
 from api.utils.access.permissions import (
     service_account_can_access_environment,
     user_can_access_environment,
@@ -17,6 +17,18 @@
 logger = logging.getLogger(__name__)
 
 
+class ServiceAccountUser:
+    """Mock ServiceAccount user"""
+    
+    def __init__(self, service_account):
+        self.userId = service_account.id
+        self.id = service_account.id
+        self.is_authenticated = True
+        self.is_active = True
+        self.username = service_account.name
+        self.service_account = service_account
+
+
 class PhaseTokenAuthentication(authentication.BaseAuthentication):
     def authenticate(self, request):
 
@@ -44,34 +56,59 @@ def authenticate(self, request):
         if token_is_expired_or_deleted(auth_token):
             raise exceptions.AuthenticationFailed("Token expired or deleted")
 
-        env_id = request.headers.get("environment")
+        env = None
 
-        # Try resolving env from header
-        if env_id:
+        # Try resolving secret_id from header OR query params (supports Secret or DynamicSecret)
+        secret_id = request.headers.get("secret_id") or request.GET.get("secret_id")
+        if secret_id:
+            found = False
             try:
-                env = Environment.objects.get(id=env_id)
-            except Environment.DoesNotExist:
-                raise exceptions.AuthenticationFailed("Environment not found")
+                secret = Secret.objects.get(id=secret_id)
+                env = secret.environment
+                found = True
+            except Secret.DoesNotExist:
+                pass
+            if not found:
+                try:
+                    dyn_secret = DynamicSecret.objects.get(id=secret_id)
+                    env = dyn_secret.environment
+                    found = True
+                except DynamicSecret.DoesNotExist:
+                    pass
+            if not found:
+                raise exceptions.NotFound("Secret not found")
+
+        # If env is still None, try resolving from header or query params
+        if env is None:
+            env_id = request.headers.get("environment")
+            # Try resolving env from header
+            if env_id:
+                try:
+                    env = Environment.objects.get(id=env_id)
+                except Environment.DoesNotExist:
+                    raise exceptions.AuthenticationFailed("Environment not found")
 
-        # Try resolving env from query params
-        else:
-            try:
-                app_id = request.GET.get("app_id")
-                env_name = request.GET.get("env")
-                if not app_id:
-                    raise exceptions.AuthenticationFailed("Missing app_id parameter")
-                if not env_name:
-                    raise exceptions.AuthenticationFailed("Missing env parameter")
-                env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
-            except Environment.DoesNotExist:
-                # Check if the app exists to give a more specific error
-                App = apps.get_model("api", "App")
-                if not App.objects.filter(id=app_id).exists():
-                    raise exceptions.NotFound(f"App with ID {app_id} not found")
-                else:
-                    raise exceptions.NotFound(
-                        f"Environment '{env_name}' not found in App {app_id}"
-                    )
+            # Try resolving env from query params
+            else:
+                try:
+                    app_id = request.GET.get("app_id")
+                    env_name = request.GET.get("env")
+                    if not app_id:
+                        raise exceptions.AuthenticationFailed(
+                            "Missing app_id parameter"
+                        )
+                    if not env_name:
+                        raise exceptions.AuthenticationFailed("Missing env parameter")
+                    env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
+                except Environment.DoesNotExist:
+                    # Check if the app exists to give a more specific error
+                    App = apps.get_model("api", "App")
+                    if not App.objects.filter(id=app_id).exists():
+                        raise exceptions.NotFound(f"App with ID {app_id} not found")
+                    else:
+                        raise exceptions.NotFound(
+                            f"Environment '{env_name}' not found in App {app_id}"
+                        )
 
         auth["environment"] = env
 
@@ -97,8 +134,14 @@ def authenticate(self, request):
 
             try:
                 service_token = get_service_token(auth_token)
-                service_account = get_service_account_from_token(auth_token)
-                user = service_token.created_by.user
+                service_account = get_service_account_from_token(auth_token)          
+                
+                creator = getattr(service_token, "created_by", None)
+                if creator:
+                    user = creator.user
+                else:
+                    user = ServiceAccountUser(service_account)
+                    
                 auth["service_account"] = service_account
                 auth["service_account_token"] = service_token
 

backend/api/identity_providers.py

@@ -0,0 +1,57 @@
+class IdentityProviders:
+    """
+    Configuration for supported identity providers.
+    Similar to Providers in services.py but specifically for identity authentication.
+    """
+    
+    AWS_IAM = {
+        "id": "aws_iam",
+        "name": "AWS IAM",
+        "description": "Use AWS STS GetCallerIdentity to authenticate.",
+        "icon_id": "aws",  # Maps to ProviderIcon component
+        "supported": True,
+    }
+    
+    # Future identity providers can be added here:
+    # GitHub OIDC
+    #     "id": "github_oidc", 
+    #     "name": "GitHub OIDC",
+    #     "description": "Use GitHub OIDC for authentication.",
+    #     "icon_id": "github",
+    #     "supported": False,
+    # }
+    #
+    # Kubernetes OIDC
+    #     "id": "kubernetes_oidc",
+    #     "name": "Kubernetes OIDC", 
+    #     "description": "Use Kubernetes OIDC for authentication.",
+    #     "icon_id": "kubernetes",
+    #     "supported": False,
+    # }
+
+    @classmethod
+    def get_all_providers(cls):
+        """Get all identity providers, including unsupported ones for future roadmap display."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict)
+        ]
+    
+    @classmethod
+    def get_supported_providers(cls):
+        """Get only currently supported identity providers."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict) and provider.get("supported", False)
+        ]
+    
+    @classmethod
+    def get_provider_config(cls, provider_id):
+        """Get configuration for a specific provider by ID."""
+        for provider in cls.__dict__.values():
+            if isinstance(provider, dict) and provider["id"] == provider_id:
+                return provider
+        raise ValueError(f"Identity provider '{provider_id}' not found")
+

backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py

@@ -0,0 +1,59 @@
+# Generated by Django 4.2.22 on 2025-08-20 08:11
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0105_environmentkey_unique_envkey_user_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DynamicSecret',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('path', models.TextField(default='/')),
+                ('default_ttl', models.DurationField(help_text='Default TTL for leases (must be <= max_ttl).')),
+                ('max_ttl', models.DurationField(help_text='Maximum allowed TTL for leases.')),
+                ('provider', models.CharField(choices=[('aws', 'AWS')], help_text='Which provider this secret is associated with.', max_length=50)),
+                ('config', models.JSONField()),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('authentication', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.providercredentials')),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('folder', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLease',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('ttl', models.DurationField()),
+                ('status', models.CharField(choices=[('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('renewed_at', models.DateTimeField(null=True)),
+                ('expires_at', models.DateTimeField(null=True)),
+                ('revoked_at', models.DateTimeField(null=True)),
+                ('deleted_at', models.DateTimeField(null=True)),
+                ('organisation_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.organisationmember')),
+                ('secret', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='leases', to='api.dynamicsecret')),
+                ('service_account', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.serviceaccount')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLeaseEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('lease', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.dynamicsecretlease')),
+            ],
+        ),
+    ]

backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py

@@ -0,0 +1,76 @@
+# Generated by Django 4.2.22 on 2025-08-26 09:16
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0106_dynamicsecret_dynamicsecretlease_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'name': '<key_name>'}, ...]"),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=list),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='created_at',
+            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='event_type',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='created', max_length=50),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='ip_address',
+            field=models.GenericIPAddressField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='metadata',
+            field=models.JSONField(blank=True, default=dict),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='organisation_member',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.organisationmember'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='service_account',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.serviceaccount'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='user_agent',
+            field=models.TextField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='status',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='id',
+            field=models.BigAutoField(primary_key=True, serialize=False),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='lease',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='events', to='api.dynamicsecretlease'),
+        ),
+    ]

backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.22 on 2025-08-28 08:49
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='cleanup_job_id',
+            field=models.TextField(default=uuid.uuid4),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=dict),
+        ),
+    ]

backend/api/migrations/0109_alter_dynamicsecret_key_map.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.22 on 2025-09-12 05:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0108_dynamicsecretlease_cleanup_job_id_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'key_name': '<encrypted_key_name>', 'key_digest': '<key_digest>'}, ...]"),
+        ),
+    ]