feat: dynamic secrets

.vscode/settings.json

@@ -32,5 +32,7 @@
   "[typescriptreact]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
   },
-  "cSpell.words": ["organisation"] // Don't run prettier for files listed in .gitignore
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  } // Don't run prettier for files listed in .gitignore
 }

backend/api/auth.py

@@ -6,7 +6,7 @@
     get_token_type,
     token_is_expired_or_deleted,
 )
-from api.models import Environment
+from api.models import DynamicSecret, Environment, Secret
 from api.utils.access.permissions import (
     service_account_can_access_environment,
     user_can_access_environment,
@@ -44,34 +44,59 @@ def authenticate(self, request):
         if token_is_expired_or_deleted(auth_token):
             raise exceptions.AuthenticationFailed("Token expired or deleted")
 
-        env_id = request.headers.get("environment")
+        env = None
 
-        # Try resolving env from header
-        if env_id:
+        # Try resolving secret_id from header OR query params (supports Secret or DynamicSecret)
+        secret_id = request.headers.get("secret_id") or request.GET.get("secret_id")
+        if secret_id:
+            found = False
             try:
-                env = Environment.objects.get(id=env_id)
-            except Environment.DoesNotExist:
-                raise exceptions.AuthenticationFailed("Environment not found")
+                secret = Secret.objects.get(id=secret_id)
+                env = secret.environment
+                found = True
+            except Secret.DoesNotExist:
+                pass
+            if not found:
+                try:
+                    dyn_secret = DynamicSecret.objects.get(id=secret_id)
+                    env = dyn_secret.environment
+                    found = True
+                except DynamicSecret.DoesNotExist:
+                    pass
+            if not found:
+                raise exceptions.NotFound("Secret not found")
+
+        # If env is still None, try resolving from header or query params
+        if env is None:
+            env_id = request.headers.get("environment")
+            # Try resolving env from header
+            if env_id:
+                try:
+                    env = Environment.objects.get(id=env_id)
+                except Environment.DoesNotExist:
+                    raise exceptions.AuthenticationFailed("Environment not found")
 
-        # Try resolving env from query params
-        else:
-            try:
-                app_id = request.GET.get("app_id")
-                env_name = request.GET.get("env")
-                if not app_id:
-                    raise exceptions.AuthenticationFailed("Missing app_id parameter")
-                if not env_name:
-                    raise exceptions.AuthenticationFailed("Missing env parameter")
-                env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
-            except Environment.DoesNotExist:
-                # Check if the app exists to give a more specific error
-                App = apps.get_model("api", "App")
-                if not App.objects.filter(id=app_id).exists():
-                    raise exceptions.NotFound(f"App with ID {app_id} not found")
-                else:
-                    raise exceptions.NotFound(
-                        f"Environment '{env_name}' not found in App {app_id}"
-                    )
+            # Try resolving env from query params
+            else:
+                try:
+                    app_id = request.GET.get("app_id")
+                    env_name = request.GET.get("env")
+                    if not app_id:
+                        raise exceptions.AuthenticationFailed(
+                            "Missing app_id parameter"
+                        )
+                    if not env_name:
+                        raise exceptions.AuthenticationFailed("Missing env parameter")
+                    env = Environment.objects.get(app_id=app_id, name__iexact=env_name)
+                except Environment.DoesNotExist:
+                    # Check if the app exists to give a more specific error
+                    App = apps.get_model("api", "App")
+                    if not App.objects.filter(id=app_id).exists():
+                        raise exceptions.NotFound(f"App with ID {app_id} not found")
+                    else:
+                        raise exceptions.NotFound(
+                            f"Environment '{env_name}' not found in App {app_id}"
+                        )
 
         auth["environment"] = env
 

backend/api/migrations/0106_dynamicsecret_dynamicsecretlease_and_more.py

@@ -0,0 +1,59 @@
+# Generated by Django 4.2.22 on 2025-08-20 08:11
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0105_environmentkey_unique_envkey_user_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DynamicSecret',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('path', models.TextField(default='/')),
+                ('default_ttl', models.DurationField(help_text='Default TTL for leases (must be <= max_ttl).')),
+                ('max_ttl', models.DurationField(help_text='Maximum allowed TTL for leases.')),
+                ('provider', models.CharField(choices=[('aws', 'AWS')], help_text='Which provider this secret is associated with.', max_length=50)),
+                ('config', models.JSONField()),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('authentication', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='api.providercredentials')),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('folder', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLease',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.TextField()),
+                ('description', models.TextField(blank=True)),
+                ('ttl', models.DurationField()),
+                ('status', models.CharField(choices=[('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('renewed_at', models.DateTimeField(null=True)),
+                ('expires_at', models.DateTimeField(null=True)),
+                ('revoked_at', models.DateTimeField(null=True)),
+                ('deleted_at', models.DateTimeField(null=True)),
+                ('organisation_member', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.organisationmember')),
+                ('secret', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='leases', to='api.dynamicsecret')),
+                ('service_account', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='api.serviceaccount')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='DynamicSecretLeaseEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('lease', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.dynamicsecretlease')),
+            ],
+        ),
+    ]

backend/api/migrations/0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more.py

@@ -0,0 +1,76 @@
+# Generated by Django 4.2.22 on 2025-08-26 09:16
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0106_dynamicsecret_dynamicsecretlease_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'name': '<key_name>'}, ...]"),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=list),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='created_at',
+            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='event_type',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='created', max_length=50),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='ip_address',
+            field=models.GenericIPAddressField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='metadata',
+            field=models.JSONField(blank=True, default=dict),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='organisation_member',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.organisationmember'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='service_account',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='lease_events', to='api.serviceaccount'),
+        ),
+        migrations.AddField(
+            model_name='dynamicsecretleaseevent',
+            name='user_agent',
+            field=models.TextField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='status',
+            field=models.CharField(choices=[('created', 'Created'), ('active', 'Active'), ('renewed', 'Renewed'), ('revoked', 'Revoked'), ('expired', 'Expired')], default='active', help_text='Current status of the lease', max_length=50),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='id',
+            field=models.BigAutoField(primary_key=True, serialize=False),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretleaseevent',
+            name='lease',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='events', to='api.dynamicsecretlease'),
+        ),
+    ]

backend/api/migrations/0108_dynamicsecretlease_cleanup_job_id_and_more.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.22 on 2025-08-28 08:49
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0107_dynamicsecret_key_map_dynamicsecretlease_credentials_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='dynamicsecretlease',
+            name='cleanup_job_id',
+            field=models.TextField(default=uuid.uuid4),
+        ),
+        migrations.AlterField(
+            model_name='dynamicsecretlease',
+            name='credentials',
+            field=models.JSONField(default=dict),
+        ),
+    ]

backend/api/migrations/0109_alter_dynamicsecret_key_map.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.22 on 2025-09-12 05:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0108_dynamicsecretlease_cleanup_job_id_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='dynamicsecret',
+            name='key_map',
+            field=models.JSONField(default=list, help_text="Provider-agnostic mapping of keys: [{'id': '<key_id>', 'key_name': '<encrypted_key_name>', 'key_digest': '<key_digest>'}, ...]"),
+        ),
+    ]