Merge branch 'main' of https://github.com/Infisical/infisical into chore/unify-license-key

This commit is contained in:
Piyush Gupta
2025-11-18 01:43:59 +05:30
13 changed files with 113 additions and 31 deletions


@@ -354,16 +354,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
(tx || db.replicaNode())(TableName.SecretApprovalRequest)
.join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
.join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
.join(
TableName.SecretApprovalPolicyApprover,
`${TableName.SecretApprovalRequest}.policyId`,
`${TableName.SecretApprovalPolicyApprover}.policyId`
)
.join(
TableName.SecretApprovalPolicy,
`${TableName.SecretApprovalRequest}.policyId`,
`${TableName.SecretApprovalPolicy}.id`
)
.leftJoin(
TableName.SecretApprovalPolicyApprover,
`${TableName.SecretApprovalPolicy}.id`,
`${TableName.SecretApprovalPolicyApprover}.policyId`
)
.leftJoin(
TableName.UserGroupMembership,
`${TableName.SecretApprovalPolicyApprover}.approverGroupId`,
`${TableName.UserGroupMembership}.groupId`
)
.where({ projectId })
.where((qb) => {
if (policyId) void qb.where(`${TableName.SecretApprovalPolicy}.id`, policyId);
@@ -373,10 +378,10 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
void bd
.where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, userId)
.orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, userId)
.orWhere(`${TableName.UserGroupMembership}.userId`, userId)
)
.select("status", `${TableName.SecretApprovalRequest}.id`)
.groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
.count("status")
)
.select("status")
.from("temp")
@@ -499,7 +504,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
const query = (tx || db.replicaNode())
.select("*")
.select(db.raw("count(*) OVER() as total_count"))
.from(innerQuery)
.orderBy("createdAt", "desc") as typeof innerQuery;
@@ -519,6 +523,14 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
});
}
// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
const countResult = await (tx || db.replicaNode())
.count({ count: "*" })
.from(query.clone().as("count_query"))
.first();
// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
const totalCount = Number(countResult?.count || 0);
const docs = await (tx || db)
.with("w", query)
.select("*")
@@ -526,9 +538,6 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
.where("w.rank", ">=", offset)
.andWhere("w.rank", "<", offset + limit);
// @ts-expect-error knex does not infer
const totalCount = Number(docs[0]?.total_count || 0);
const formattedDoc = sqlNestRelationships({
data: docs,
key: "id",
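Review bot: The count added at L59-62 runs as a separate statement from the page fetch at L65, and on a different handle — `(tx || db.replicaNode())` for the count versus `(tx || db)` for the rows — so outside a transaction `totalCount` can disagree with the rows actually returned (replica lag, or a request inserted between the two statements), whereas the removed `count(*) OVER() as total_count` was computed in the same statement as the rows. If L65 is pre-existing, the smallest fix is to issue both from the same handle, `const countResult = await (tx || db)`, or to document that the total is approximate. The cloned query also still carries `.orderBy("createdAt", "desc")` into the count subquery; calling `.clearOrder()` on the clone before `.as("count_query")` keeps the count cheap. The enclosing method starts and ends outside these hunks.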


@@ -742,6 +742,7 @@
"pages": [
"documentation/platform/pki/enrollment-methods/overview",
"documentation/platform/pki/enrollment-methods/api",
"documentation/platform/pki/enrollment-methods/acme",
"documentation/platform/pki/enrollment-methods/est"
]
},


@@ -35,7 +35,7 @@ Infisical consists of several tightly integrated products, each designed to solv
- [Secrets Management](/documentation/platform/secrets-mgmt/overview): Securely store, access, and distribute secrets across environments with fine-grained controls, automatic rotation, and audit logging.
- [Secrets Scanning](/documentation/platform/secret-scanning/overview): Detect hardcoded secrets in code, CI pipelines, and infrastructure—integrated with GitHub, GitLab, Bitbucket, and more.
- [Infisical PKI](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
- [Certificate Management](/documentation/platform/pki/overview): Issue and manage X.509 certificates using protocols like EST, with support for internal and external CAs.
- [Infisical SSH](/documentation/platform/ssh/overview): Provide short-lived SSH access to servers using certificate-based authentication, replacing static keys with policy-driven, time-bound control.
- [Infisical KMS](/documentation/platform/kms/overview): Encrypt and decrypt data using centrally managed keys with enforced access policies and full audit visibility.
- [Infisical PAM](/documentation/platform/pam/overview): Manage access to resources like databases, servers, and accounts with policy-based controls and approvals.


@@ -22,10 +22,7 @@ where you can manage various aspects of its lifecycle including deployment to cl
To issue a certificate, you must first create a [certificate profile](/documentation/platform/pki/certificates/profiles) and a [certificate template](/documentation/platform/pki/certificates/templates) to go along with it.
The [enrollment method](/documentation/platform/pki/enrollment-methods/overview) configured on the certificate profile determines how a certificate is issued for it.
Refer to the documentation for each enrollment method below to learn more about how to issue certificates using it.
- [API](/documentation/platform/pki/enrollment-methods/api): Issue a certificate over UI or by making an API request to Infisical.
- [EST](/documentation/platform/pki/enrollment-methods/est): Issue a certificate over the EST protocol.
Refer to the documentation for each enrollment method to learn more about how to issue certificates using it.
## Guide to Renewing Certificates
@@ -61,9 +58,9 @@ A certificate can be considered for auto-renewal at time of issuance if the **En
The following examples demonstrate different approaches to certificate renewal:
- Using the ACME enrollment method, you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for Apache, Nginx, or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
- Using the ACME enrollment method, you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
- Using the API enrollment method, you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may connect an ACME client like [certbot](https://certbot.eff.org/) to fetch back and renew certificates for [Apache](/documentation/platform/pki/integration-guides/apache-certbot), [Nginx](/documentation/platform/pki/integration-guides/nginx-certbot), or other server. The ACME client will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to the server's configuration.
- Using the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme), you may use [cert-manager](https://cert-manager.io/) with Infisical to issue and renew certificates for Kubernetes workloads; cert-manager will pursue a client-driven approach and submit certificate requests upon certificate expiration for you, saving renewed certificates back to Kubernetes secrets.
- Using the [API enrollment method](/documentation/platform/pki/enrollment-methods/api), you may push and auto-renew certificates to AWS and Azure using [certificate syncs](/documentation/platform/pki/certificate-syncs/overview). Certificates issued over the API enrollment method, where key pairs are generated server-side, are also eligible for server-side auto-renewal; once renewed, certificates are automatically pushed back to their sync destination.
## Guide to Downloading Certificates


@@ -7,7 +7,7 @@ sidebarTitle: "Templates"
A certificate template is a policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
Each certificate requested against a profile is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
Each certificate requested against a [certificate profile](/documentation/platform/pki/certificates/profiles) is validated against the template bound to that profile. If the request fails any criteria included in the template, the certificate is not issued. This helps administrators enforce uniformity and security standards across all issued certificates.
## Guide to Creating a Certificate Template


@@ -3,6 +3,62 @@ title: "Certificate Enrollment via ACME"
sidebarTitle: "ACME"
---
<Info>
ACME-based certificate enrollment is currently under development and will be included in a future release.
</Info>
## Concept
The ACME enrollment method allows you to issue and manage certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) using the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
This method is suitable for web servers, load balancers, and other general-purpose servers that can run an [ACME client](https://letsencrypt.org/docs/client-options/) for automated certificate management.
Infisical's ACME enrollment method is based on [RFC 8555](https://datatracker.ietf.org/doc/html/rfc8555/).
## Prerequisites
Install an [ACME client](https://letsencrypt.org/docs/client-options/) onto your server. This client will handle [ACME challenges](https://letsencrypt.org/docs/challenge-types/) and request/renew certificates from Infisical.
## Guide to Certificate Enrollment via ACME
In the following steps, we explore how to issue a X.509 certificate using the ACME enrollment method.
<Steps>
<Step title="Create a certificate profile in Infisical">
Create a [certificate
profile](/documentation/platform/pki/certificates/profiles) with **ACME**
selected as the enrollment method.
![pki acme config](/images/platform/pki/enrollment-methods/acme/acme-config.png)
</Step>
<Step title="Obtain the ACME configuration">
Once you've created the certificate profile, you can obtain its ACME configuration details by clicking the **Reveal ACME EAB** option on the profile.
![pki acme eab config](/images/platform/pki/enrollment-methods/acme/acme-eab.png)
From the ACME configuration, gather the following values:
- ACME Directory URL: The URL that the ACME client will use to communicate with Infisical's ACME server.
- EAB Key Identifier (KID): A unique identifier that tells Infisical which ACME account is making the request.
- EAB Secret: A secret key that authenticates your ACME client with Infisical.
</Step>
<Step title="Configure your ACME client">
Provide the **ACME Directory URL**, **EAB KID**, and **EAB Secret** from Step 2 to your ACME client to authenticate with Infisical and request a certificate.
For example, if using [Certbot](https://certbot.eff.org/) as an ACME client, you can configure and start requesting certificates with the following command:
```bash
sudo certbot certonly \
--standalone \
--server "https://your-infisical-instance.com/api/v1/pki/certificate-profiles/{profile-id}/acme/directory" \
--eab-kid "your-eab-kid" \
--eab-hmac-key "your-eab-secret" \
-d example.infisical.com \
--email admin@example.com \
--agree-tos \
--non-interactive
```
Certbot stores the private key and resulting leaf certificate and full certificate chain in `/etc/letsencrypt/live/{domain-name}/`.
For client-specific setup and usage instructions, refer to the documentation for your ACME client.
</Step>
</Steps>


@@ -5,7 +5,7 @@ sidebarTitle: "API"
## Concept
The API enrollment method allows you to issue certificates against a specific certificate profile over Web UI or by making an API request to Infisical.
The API enrollment method allows you to issue certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) over Web UI or by making an API request to Infisical.
## Guide to Certificate Enrollment via API
@@ -15,7 +15,7 @@ In the following steps, we explore how to issue a X.509 certificate using the AP
<Tab title="Infisical UI">
<Steps>
<Step title="Create a certificate profile">
<Step title="Create a certificate profile in Infisical">
Create a [certificate
profile](/documentation/platform/pki/certificates/profiles) with **API**
selected as the enrollment method.
@@ -54,7 +54,7 @@ Here, select the certificate profile from step 1 that will be used to issue the
<Tab title="API">
<Steps>
<Step title="Create a certificate profile">
<Step title="Create a certificate profile in Infisical">
To create a certificate [profile](/documentation/platform/pki/certificates/profiles), make an API request to the [Create Certificate Profile](/api-reference/endpoints/certificate-profiles/create) API endpoint.


@@ -5,7 +5,7 @@ sidebarTitle: "EST"
## Concept
The API enrollment method allows you to issue and manage certificates against a specific certificate profile using the [EST protocol](https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport).
The EST enrollment method allows you to issue and manage certificates against a specific [certificate profile](/documentation/platform/pki/certificates/profiles) using the [EST protocol](https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport).
This method is suitable for environments requiring strong authentication and encrypted communication, such as in IoT, enterprise networks, and secure web services.
Infisical's EST service is based on [RFC 7030](https://datatracker.ietf.org/doc/html/rfc7030) and implements the following endpoints:
@@ -32,7 +32,7 @@ and structured under `https://app.infisical.com:8443/.well-known/est/{profile_id
In the following steps, we explore how to issue a X.509 certificate using the EST enrollment method.
<Steps>
<Step title="Set up up a certificate profile">
<Step title="Create a certificate profile in Infisical">
Create a [certificate
profile](/documentation/platform/pki/certificates/profiles) with **EST**
selected as the enrollment method and fill in EST-specific configuration.


@@ -5,7 +5,10 @@ sidebarTitle: "Overview"
Enrollment methods determine how certificates are issued and managed for a [certificate profile](/documentation/platform/pki/certificates/profiles).
Refer to the documentation for each enrollment method to learn more about how to enroll certificates using it.
Refer to the documentation for each enrollment method below to learn more about how to enroll certificates using it.
- [API](/documentation/platform/pki/enrollment-methods/api): Enroll certificates via API.
- [EST](/documentation/platform/pki/enrollment-methods/est): Enroll certificates via EST protocol.
- [ACME](/documentation/platform/pki/enrollment-methods/acme): Enroll certificates using the ACME protocol.
- [EST](/documentation/platform/pki/enrollment-methods/est): Enroll certificates using the EST protocol.
Note that beyond using an enrollment method, you can also deliver a certificate to a target destination using supported [certificate syncs](https://infisical.com/docs/documentation/platform/pki/certificate-syncs/overview).


@@ -12,7 +12,7 @@ Core capabilities include:
- [Private CA](/documentation/platform/pki/ca/private-ca): Create and manage your own private CA hierarchy including root and intermediate CAs.
- [External CA integration](/documentation/platform/pki/ca/external-ca): Integrate with external public and private CAs including [Azure ADCS](/documentation/platform/pki/ca/azure-adcs) and [ACME-compatible CAs](/documentation/platform/pki/ca/acme-ca) like Let's Encrypt and DigiCert.
- [Certificate Enrollment](/documentation/platform/pki/enrollment-methods/overview): Support enrollment methods including [API](/documentation/platform/pki/enrollment-methods/api), ACME, [EST](/documentation/platform/pki/enrollment-methods/est), and more to automate certificate issuance for services, devices, and workloads.
- [Certificate Enrollment](/documentation/platform/pki/enrollment-methods/overview): Support enrollment methods including [API](/documentation/platform/pki/enrollment-methods/api), [ACME](/documentation/platform/pki/enrollment-methods/acme), [EST](/documentation/platform/pki/enrollment-methods/est), and more to automate certificate issuance for services, devices, and workloads.
- Certificate Inventory: Track and monitor issued X.509 certificates, maintaining a comprehensive inventory of all active and expired certificates.
- Certificate Lifecycle Automation: Automate issuance, [renewal](/documentation/platform/pki/certificates/certificates#guide-to-renewing-certificates), and [revocation](/documentation/platform/pki/certificates/certificates#guide-to-revoking-certificates) with policy-based workflows, ensuring certificates remain valid, compliant, and up to date across your infrastructure.
- [Certificate Syncs](/documentation/platform/pki/certificate-syncs/overview): Push certificates to cloud certificate managers like [AWS Certificate Manager](/documentation/platform/pki/certificate-syncs/aws-certificate-manager) and [Azure Key Vault](/documentation/platform/pki/certificate-syncs/azure-key-vault).

Binary file not shown.


Binary file not shown.



@@ -694,4 +694,20 @@ For enterprise deployments requiring compliance certifications:
### Standards Compliance
**FIPS 140-3 Compliance**. Infisical is actively working on FIPS 140-3 compliance to meet U.S. and Canadian government cryptographic standards. This will provide validated cryptographic modules for organizations requiring certified encryption implementations.
#### FIPS 140-3 Compliance
Infisical is compliant with FIPS 140-3, meeting U.S. and Canadian government cryptographic standards through validated cryptographic modules.
This certification is designed for organizations that require government-approved encryption implementations.
To deploy a FIPS-compliant instance, use the [infisical/infisical-fips](https://hub.docker.com/r/infisical/infisical-fips) Docker image, available to Enterprise customers.
Our FIPS 140-3 attestation letter is available in the [Infisical Trust Center](https://trust.infisical.com/).
#### SOC 2 Compliance
Infisical is SOC 2 compliant, demonstrating adherence to rigorous security, availability, and confidentiality standards established by the American Institute of CPAs (AICPA).
This certification validates our security controls and operational practices for organizations requiring third-party audited security assurance. Our SOC 2 report is available in the [Infisical Trust Center](https://trust.infisical.com/).
#### HIPAA Compliance
Infisical is HIPAA compliant, meeting the security and privacy requirements of the Health Insurance Portability and Accountability Act.
This compliance framework ensures appropriate safeguards for protected health information (PHI) for healthcare organizations and their business associates.
Our HIPAA certification is available in the [Infisical Trust Center](https://trust.infisical.com/).