github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-09 15:38:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

Address PR comments for Azure Client Secret Rotation

Browse Source
This commit is contained in:
carlosmonastyrski
2025-04-29 20:19:30 -03:00
parent 511becabd8
commit 2a28d74bde
16 changed files with 54 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
backend/src/ee/services/secret-rotation-v2/azure-client-secret/azure-client-secret-rotation-fns.ts
View File

@@ -1,3 +1,5 @@
import { AxiosError } from "axios";
import {
AzureAddPasswordResponse,
TAzureClientSecretRotationGeneratedCredentials,
@@ -11,7 +13,7 @@ import {
TRotationFactoryRotateCredentials
} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
import { request } from "@app/lib/config/request";
import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
import { BadRequestError } from "@app/lib/errors";
import { getAzureConnectionAccessToken } from "@app/services/app-connection/azure-client-secrets";
const GRAPH_API_BASE = "https://graph.microsoft.com/v1.0";
@@ -23,8 +25,7 @@ export const azureClientSecretRotationFactory: TRotationFactory<
const {
connection,
parameters: { appId },
secretsMapping,
rotationInterval
secretsMapping
} = secretRotation;
/**
@@ -34,11 +35,6 @@ export const azureClientSecretRotationFactory: TRotationFactory<
const accessToken = await getAzureConnectionAccessToken(connection.id, appConnectionDAL, kmsService);
const endpoint = `${GRAPH_API_BASE}/applications/${appId}/addPassword`;
await blockLocalAndPrivateIpAddresses(endpoint);
const endDateTime = new Date();
endDateTime.setDate(endDateTime.getDate() + rotationInterval);
const now = new Date();
const formattedDate = `${String(now.getMonth() + 1).padStart(2, "0")}-${String(now.getDate()).padStart(
2,
@@ -50,8 +46,7 @@ export const azureClientSecretRotationFactory: TRotationFactory<
endpoint,
{
passwordCredential: {
displayName: `Infisical Rotated Secret (${formattedDate})`,
endDateTime: endDateTime.toISOString()
displayName: `Infisical Rotated Secret (${formattedDate})`
}
},
{
@@ -70,9 +65,15 @@ export const azureClientSecretRotationFactory: TRotationFactory<
clientSecret: data.secretText,
clientId: data.keyId
};
} catch (err: unknown) {
const message = err instanceof Error ? err.message : String(err);
throw new Error(`Failed to add client secret to Azure app ${appId}: ${message}`);
} catch (error: unknown) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to add client secret to Azure app ${appId}: ${error.message || "Unknown error"}`
});
}
throw new BadRequestError({
message: "Unable to validate connection: verify credentials"
});
}
};
@@ -83,8 +84,6 @@ export const azureClientSecretRotationFactory: TRotationFactory<
const accessToken = await getAzureConnectionAccessToken(connection.id, appConnectionDAL, kmsService);
const endpoint = `${GRAPH_API_BASE}/applications/${appId}/removePassword`;
await blockLocalAndPrivateIpAddresses(endpoint);
try {
await request.post(
endpoint,
@@ -96,9 +95,17 @@ export const azureClientSecretRotationFactory: TRotationFactory<
}
}
);
} catch (err: unknown) {
const message = err instanceof Error ? err.message : String(err);
throw new Error(`Failed to remove client secret with keyId ${clientId} from app ${appId}: ${message}`);
} catch (error: unknown) {
if (error instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to remove client secret with keyId ${clientId} from app ${appId}: ${
error.message || "Unknown error"
}`
});
}
throw new BadRequestError({
message: "Unable to validate connection: verify credentials"
});
}
};

6
backend/src/ee/services/secret-rotation-v2/azure-client-secret/azure-client-secret-rotation-schemas.ts
View File

@@ -21,11 +21,7 @@ export const AzureClientSecretRotationGeneratedCredentialsSchema = z
const AzureClientSecretRotationParametersSchema = z.object({
appId: z.string().trim().min(1, "App ID Required").describe(SecretRotations.PARAMETERS.AZURE_CLIENT_SECRET.appId),
appName: z
.string()
.trim()
.min(1, "App Name Required")
.describe(SecretRotations.PARAMETERS.AZURE_CLIENT_SECRET.appName)
appName: z.string().trim().describe(SecretRotations.PARAMETERS.AZURE_CLIENT_SECRET.appName).optional()
});
const AzureClientSecretRotationSecretsMappingSchema = z.object({

4
backend/src/lib/api-docs/constants.ts
View File

@@ -1875,6 +1875,10 @@ export const AppConnections = {
TEAMCITY: {
instanceUrl: "The TeamCity instance URL to connect with.",
accessToken: "The access token to use to connect with TeamCity."
},
AZURE_CLIENT_SECRETS: {
code: "The OAuth code to use to connect with Azure Client Secrets.",
tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
}
}
};

10
backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-schemas.ts
View File

@@ -11,12 +11,16 @@ import {
import { AzureClientSecretsConnectionMethod } from "./azure-client-secrets-connection-enums";
export const AzureClientSecretsConnectionOAuthInputCredentialsSchema = z.object({
code: z.string().trim().min(1, "OAuth code required"),
tenantId: z.string().trim().optional()
code: z.string().trim().min(1, "OAuth code required").describe(AppConnections.CREDENTIALS.AZURE_CLIENT_SECRETS.code),
tenantId: z
.string()
.trim()
.min(1, "Tenant ID required")
.describe(AppConnections.CREDENTIALS.AZURE_CLIENT_SECRETS.tenantId)
});
export const AzureClientSecretsConnectionOAuthOutputCredentialsSchema = z.object({
tenantId: z.string().optional(),
tenantId: z.string(),
accessToken: z.string(),
refreshToken: z.string(),
expiresAt: z.number()

2
backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-service.ts
View File

@@ -1,6 +1,5 @@
import { request } from "@app/lib/config/request";
import { OrgServiceActor } from "@app/lib/types";
import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { getAzureConnectionAccessToken } from "@app/services/app-connection/azure-client-secrets/azure-client-secrets-connection-fns";
@@ -26,7 +25,6 @@ const listAzureRegisteredApps = async (
const accessToken = await getAzureConnectionAccessToken(appConnection.id, appConnectionDAL, kmsService);
const graphEndpoint = `https://graph.microsoft.com/v1.0/applications`;
await blockLocalAndPrivateIpAddresses(graphEndpoint);
const apps: TAzureRegisteredApp[] = [];
let nextLink = graphEndpoint;

5
docs/api-reference/endpoints/app-connections/azure-client-secret/create.mdx
View File

@@ -4,6 +4,7 @@ openapi: "POST /api/v1/app-connections/azure-client-secrets"
---
<Note>
Check out the configuration docs for [Azure Client Secret Connections](/integrations/app-connections/azure-client-secrets) to learn how to obtain the
required credentials.
Azure Client Secret Connections must be created through the Infisical UI.
Check out the configuration docs for [Azure Client Secret Connections](/integrations/app-connections/azure-client-secrets) for a step-by-step
guide.
</Note>

7
docs/api-reference/endpoints/app-connections/azure-client-secret/update.mdx
View File

@@ -4,6 +4,7 @@ openapi: "PATCH /api/v1/app-connections/azure-client-secrets/{connectionId}"
---
<Note>
Check out the configuration docs for [Azure Client Secret Connections](/integrations/app-connections/azure-client-secrets) to learn how to obtain the
required credentials.
</Note>
Azure Client Secret Connections must be updated through the Infisical UI.
Check out the configuration docs for [Azure Client Secret Connections](/integrations/app-connections/azure-client-secrets) for a step-by-step
guide.
</Note>

2
docs/documentation/platform/secret-rotation/azure-client-secret.mdx
View File

@@ -5,7 +5,7 @@ description: "Learn how to automatically rotate Azure Client Secrets."
## Prerequisites
- Create an [Azure Client Secret Connection](/integrations/app-connections/azure-client-secrets) with the required **Secret Rotation** audience and permissions
- Create an [Azure Client Secret Connection](/integrations/app-connections/azure-client-secrets).
## Create an Azure Client Secret Rotation in Infisical

BIN
docs/images/app-connections/azure/client-secrets/config-credentials-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 566 KiB

BIN
docs/images/secret-rotations-v2/azure-client-secret/azure-app-client-id.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 551 KiB

After

Width:  |  Height:  |  Size: 576 KiB

4
docs/integrations/app-connections/azure-client-secrets.mdx
View File

@@ -42,9 +42,9 @@ Infisical currently only supports one method for connecting to Azure, which is O
</Step>
<Step title="Add your application credentials to Infisical">
Obtain the **Application (Client) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
Obtain the **Application (Client) ID** and **Directory (Tenant) ID** in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
![Azure client secrets](../../images/integrations/azure-app-configuration/config-credentials-1.png)
![Azure client secrets](../../images/app-connections/azure/client-secrets/config-credentials-1.png)
![Azure client secrets](../../images/integrations/azure-app-configuration/config-credentials-2.png)
![Azure client secrets](../../images/integrations/azure-app-configuration/config-credentials-3.png)

2
docs/mint.json
View File

@@ -433,8 +433,8 @@
"integrations/app-connections/auth0",
"integrations/app-connections/aws",
"integrations/app-connections/azure-app-configuration",
"integrations/app-connections/azure-key-vault",
"integrations/app-connections/azure-client-secrets",
"integrations/app-connections/azure-key-vault",
"integrations/app-connections/camunda",
"integrations/app-connections/databricks",
"integrations/app-connections/gcp",

4
frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ParametersFields/AzureClientSecretRotationParametersFields.tsx
View File

@@ -38,8 +38,8 @@ export const AzureClientSecretRotationParametersFields = () => {
content={
<>
Ensure that your connection has the{" "}
<span className="font-semibold">read_clients</span> permission and the application
exists in the connection&#39;s audience.
<span className="font-semibold">Application.ReadWrite.All</span> permission and
the application exists in Azure.
</>
}
>

2
frontend/src/helpers/secretRotationsV2.ts
View File

@@ -23,7 +23,7 @@ export const SECRET_ROTATION_MAP: Record<
[SecretRotation.AzureClientSecret]: {
name: "Azure Client Secret",
image: "Microsoft Azure.png",
size: 35
size: 65
},
[SecretRotation.LdapPassword]: {
name: "LDAP Password",

2
frontend/src/hooks/api/appConnections/types/azure-client-secrets-connection.ts
View File

@@ -11,6 +11,6 @@ export type TAzureClientSecretsConnection = TRootAppConnection & {
method: AzureClientSecretsConnectionMethod.OAuth;
credentials: {
code: string;
tenantId?: string;
tenantId: string;
};
};

5
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureClientSecretsConnectionForm.tsx
View File

@@ -27,7 +27,7 @@ type Props = {
const formSchema = genericAppConnectionFieldsSchema.extend({
app: z.literal(AppConnection.AzureClientSecrets),
method: z.nativeEnum(AzureClientSecretsConnectionMethod),
tenantId: z.string().trim().optional()
tenantId: z.string().trim()
});
type FormData = z.infer<typeof formSchema>;
@@ -97,10 +97,9 @@ export const AzureClientSecretsConnectionForm = ({ appConnection }: Props) => {
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
tooltipText="The active Directory (Entra ID) Tenant ID."
tooltipText="The Active Directory (Entra ID) Tenant ID."
isError={Boolean(error?.message)}
label="Tenant ID"
isOptional
errorText={error?.message}
>
<Input {...field} placeholder="e4f34ea5-ad23-4291-8585-66d20d603cc8" />