test#6062
Draft
victorvhs017 wants to merge 639 commits intofeat/auth-revampfrom
Draft
Conversation
Collaborator
⛔ Snyk checks have failed. 1 issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
…after-write-issue
* feat(pki): add AWS ACM Public CA support Adds a new external CA type that issues, renews, and revokes public certificates via AWS Certificate Manager with Route 53 DNS validation. - New aws-acm-public-ca service module (client, fns, schemas, validators) - Route 53 DNS provider for ACM CNAME validation records - externalMetadata jsonb column on certificates (stores ARN/region) - Issuance queue tuned for ACM: 30 attempts with fixed backoff, retryable validation-pending errors, final-attempt request FAIL hook - Pre-flight validation rejects CSR, non-DNS SANs, subject fields, custom validity, and CA certs (ACM constraints) - Profile service restricts ACM CAs to API enrollment - v1/v2 list endpoints, ExternalCaModal UI, frontend types/hooks * chore(backend): add @aws-sdk/client-acm dependency * chore(pki): remove ACM development mock client * fix(pki): surface AWS errors and fix ACM renewal polling - Wrap ACM/Route 53 preflight calls in createCertificateAuthority and updateCertificateAuthority so IAM errors surface as BadRequestError with the AWS message, instead of a generic 500. - Skip the fixed-validity TTL check on renewal — ACM sets validity itself and the TTL derived from the original cert can floor below 198 days. - Require notAfter to advance before exporting a renewed cert. ACM returns the original cert from ExportCertificate until the renewal is fully re-issued, which was causing duplicate-serial insert failures. * fix(pki): retry ACM export when renewal relation not yet ready * chore(pki): clean up ACM extras and add docs - Drop dead `calculateAcmRenewBeforeDays` clamp; profile schema already caps `renewBeforeDays` at 30, so the 198-day clamp never triggered. - Drop the redundant `basicConstraints` plumbing for the ACM validator; `certificate-v3-service.ts` already blocks CA issuance for all external CAs upstream. - Run pre-flight ACM input validation before the approval branch so bad inputs (TTL, SANs, subject fields) are rejected at submit time instead of after an approver has already approved. - Use serial-number comparison to detect a renewed cert body in ACM, instead of relying on `NotAfter` advancement (which can lag). - Persist `keyUsages` / `extendedKeyUsages` parsed from the issued cert rather than echoing the request, so DB matches what AWS actually issued. - Add docs page covering setup, IAM, auto-renewal, troubleshooting, and an FAQ; wire it into docs.json under the External CAs section. * fix(pki): make external CA revocation atomic and surface AWS errors - Call the upstream CA revoke before updating the local cert row, so a failed AWS call (e.g., a reason ACM rejects) doesn't leave the cert marked revoked locally while still active at the issuer. - Wrap the ACM RevokeCertificate call so AWS errors come back as a BadRequestError with the underlying message, instead of falling through to the generic "Something went wrong" 500. * fix(pki): preserve original region on ACM renewal and hoist AWS calls out of CA update transaction - On renewal, store the original certificate's region in externalMetadata instead of the CA's current region, so subsequent revoke/renew keep targeting the correct region-locked ARN even if the CA was edited. - In updateCertificateAuthority, run ACM ListCertificates and Route 53 GetHostedZone before opening the DB transaction, mirroring createCertificateAuthority so slow AWS calls don't pin a pool connection. * fix(pki): derive ACM signature algorithm from issued cert ACM picks the signature algorithm server-side and has no SigningAlgorithm parameter on RequestCertificate, so the caller-supplied signatureAlgorithm was being persisted without ever matching what AWS actually signed with. Parse it from the issued cert and normalize to CertSignatureAlgorithm before writing to the DB. Drop the now-dead parameter from the ACM orderCertificateFromProfile signature. * chore(pki): remove unused AwsAcmKeyAlgorithm enum * refactor(pki): generate ACM export passphrase with nanoid customAlphabet Uses nanoid's customAlphabet instead of manual modular sampling, matching the pattern used elsewhere in the codebase (e.g. dynamic-secret providers). Eliminates the modular bias where the first 8 alphabet characters appeared slightly more frequently than the others. * fix(ui): mark AWS Connection field as required in ACM external CA form Matches the sibling fields (Route 53 Connection, Hosted Zone ID, Region) which already had the required indicator. * docs(pki): clarify ACM auto-renewal and refresh screenshots Explain that AWS itself attempts managed renewal 45 days before expiry, and what Infisical's own auto-renewal does in that case (skip RenewCertificate if AWS already renewed, otherwise trigger it). Swap "export" wording for plainer "save"/"pull in". Add new setup screenshots. * docs(pki): add ACM public CA API reference pages * refactor(pki): share Route 53 helper and tidy ACM internals - Extract Route 53 into a shared dns-providers/route53.ts reused by both ACME and ACM Public CA. Adds an optional comment field so ACME keeps its original change-history strings. The ACME delete path also now applies sha256=CustomAWSHasher and useFipsEndpoint consistently with upsert. - Move the two ACM validation error classes into a dedicated -errors.ts and rename to AcmPendingError / AcmTerminalError, since they also cover renewal and export paths beyond the original DNS-validation signal. - Replace single-character regex strips (: and -) with split/join, and wrap the AWS error-message match in RE2 to match the rest of the repo. * feat(ui): pre-fill and lock TTL for ACM Public CA profiles AWS ACM Public CA issues certificates with a fixed 198-day validity and the backend rejects any other value. When the selected CA on a certificate profile is AWS ACM Public CA, the TTL field now pre-fills to 198 and is disabled, with a tooltip explaining the fixed validity. * docs(pki): expand ACM Public CA guide and document permissions on AWS connection - Rewrite the ACM Public CA overview to scope explicitly to public certificates and drop the comparison with AWS Private CA. - Expand the enrollment-method FAQ entry to explain that only API enrollment applies, because EST, SCEP, and ACME all submit a CSR and ACM generates the private key itself. - Add an AWS ACM Public CA accordion (ACM + Route 53 permissions) to both the IAM Role and IAM User sections of the AWS app connection docs so users can set up permissions alongside existing services. * fix(pki): skip AWS ACM revoke for superseded certificates When an ACM certificate is renewed, the ARN is reused for the new certificate body and the superseded cert is no longer present at AWS. Calling RevokeCertificate on that ARN would revoke the currently-active renewed cert. When revoking a cert that has renewedByCertificateId set, skip the AWS call and let the service layer mark the DB row as REVOKED on its own — matching the pattern already used in PKI syncs for superseded certificates.
…PAM services requestMemoize caches null unconditionally, so concurrent project deletion between a session/account read and the project lookup produces a TypeError rather than a NotFoundError. Restore if (!project) guards and replace project.id with session.projectId in uploadEventBatch return value.
fix: table re-render without debounce
…achakra The external URL (cdn.simpleicons.org/kubernetes/000000) was failing to load as an img element in Mintlify, resulting in a broken image. Replaced with the Font Awesome 'dharmachakra' icon, which is already used for Kubernetes icons elsewhere in the docs (e.g. PAM overview, Vault migration guide). Co-Authored-By: ashwin <ashwin@infisical.com>
…byid improvement(eng-4874): memoize org findByID
improvement(frontend): update secret sharing UI
…es-icon fix(docs): replace broken Kubernetes icon URL with Font Awesome dharmachakra
feat(e2e-tests): fips mode
feat(secrets-overview): add tag, metadata and multiline encoding support to csv upload
Include the confirmation code directly in the email subject so users can see it in their inbox without opening the email. Updates all 6 locations that send confirmation code emails: - signup verification - email verification (resend) - OAuth provider email verification - SAML login email verification - LDAP login email verification - OIDC login email verification Co-Authored-By: Vlad Matsiiako <vm265@cornell.edu>
…t-code fix(email): include confirmation code in email subject line
feat: added filter to audit log and improves the crypto
* store identityId as the actor in the auth methods * include LDAP auth
feat: user controlled ssl rejection option for dynamic secret
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
14 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Screenshots
Steps to verify the change
Type
Checklist
type(scope): short description(scope is optional, e.g.,fix: prevent crash on syncorfix(api): handle null response).