github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-08 23:18:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

endpoint just to get ca pub key

Browse Source
This commit is contained in:
x032205
2025-12-19 14:48:11 -05:00
parent d5e766b0d6
commit 22e75002e6
3 changed files with 39 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/src/ee/routes/v1/pam-resource-routers/index.ts
View File

@@ -25,7 +25,11 @@ import {
UpdateSSHResourceSchema UpdateSSHResourceSchema
} from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas"; } from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";
import { registerPamResourceEndpoints, registerSshCaSetupEndpoint } from "./pam-resource-endpoints"; import {
registerPamResourceEndpoints,
registerSshCaPublicKeyEndpoint,
registerSshCaSetupEndpoint
} from "./pam-resource-endpoints";
export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: FastifyZodProvider) => Promise<void>> = { export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: FastifyZodProvider) => Promise<void>> = {
[PamResource.Postgres]: async (server: FastifyZodProvider) => { [PamResource.Postgres]: async (server: FastifyZodProvider) => {
@@ -54,6 +58,7 @@ export const PAM_RESOURCE_REGISTER_ROUTER_MAP: Record<PamResource, (server: Fast
createResourceSchema: CreateSSHResourceSchema, createResourceSchema: CreateSSHResourceSchema,
updateResourceSchema: UpdateSSHResourceSchema updateResourceSchema: UpdateSSHResourceSchema
}); });
registerSshCaPublicKeyEndpoint(server);
registerSshCaSetupEndpoint(server); registerSshCaSetupEndpoint(server);
}, },
[PamResource.Kubernetes]: async (server: FastifyZodProvider) => { [PamResource.Kubernetes]: async (server: FastifyZodProvider) => {

26
backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts
View File

@@ -199,6 +199,32 @@ export const registerPamResourceEndpoints = <T extends TPamResource>({
}); });
}; };
export const registerSshCaPublicKeyEndpoint = (server: FastifyZodProvider) => {
server.route({
method: "GET",
url: "/:resourceId/ssh-ca-public-key",
config: {
rateLimit: readLimit
},
schema: {
description: "Get the SSH CA public key for the PAM resource",
params: z.object({
resourceId: z.string().uuid()
}),
response: {
200: z.string()
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req, reply) => {
const { caPublicKey } = await server.services.pamResource.getOrCreateSshCa(req.params.resourceId, req.permission);
void reply.header("Content-Type", "text/plain; charset=utf-8");
return caPublicKey;
}
});
};
export const registerSshCaSetupEndpoint = (server: FastifyZodProvider) => { export const registerSshCaSetupEndpoint = (server: FastifyZodProvider) => {
server.route({ server.route({
method: "GET", method: "GET",

7
docs/documentation/platform/pam/getting-started/resources/ssh.mdx
View File

@@ -201,6 +201,13 @@ Certificate authentication requires additional setup on your SSH server to trust
<Warning> <Warning>
**Manual setup**: If you prefer to configure the server manually, you can download just the CA public key and configure sshd yourself: **Manual setup**: If you prefer to configure the server manually, you can download just the CA public key and configure sshd yourself:
```bash
curl -H "Authorization: Bearer <YOUR_TOKEN>" \
"https://app.infisical.com/api/v1/pam/resources/ssh/<RESOURCE_ID>/ssh-ca-public-key" \
| sudo tee /etc/ssh/infisical_ca.pub
```
Then configure sshd:
1. Add to `/etc/ssh/sshd_config`: 1. Add to `/etc/ssh/sshd_config`:
``` ```
TrustedUserCAKeys /etc/ssh/infisical_ca.pub TrustedUserCAKeys /etc/ssh/infisical_ca.pub