pass metadata to factory & validate CA setup

This commit is contained in:
x032205
2025-12-18 23:53:43 -05:00
parent e383a3e342
commit 37fd3a3351
3 changed files with 40 additions and 8 deletions


@@ -164,12 +164,22 @@ export const pamAccountServiceFactory = ({
kmsService
});
// Decrypt resource metadata if available
const resourceMetadata = resource.encryptedResourceMetadata
? await decryptResourceMetadata({
encryptedMetadata: resource.encryptedResourceMetadata,
projectId: resource.projectId,
kmsService
})
: undefined;
const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
resource.resourceType as PamResource,
connectionDetails,
resource.gatewayId,
gatewayV2Service,
resource.projectId
resource.projectId,
resourceMetadata
);
const validatedCredentials = await factory.validateAccountCredentials(credentials);
@@ -280,12 +290,22 @@ export const pamAccountServiceFactory = ({
kmsService
});
// Decrypt resource metadata if available
const resourceMetadata = resource.encryptedResourceMetadata
? await decryptResourceMetadata({
encryptedMetadata: resource.encryptedResourceMetadata,
projectId: account.projectId,
kmsService
})
: undefined;
const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
resource.resourceType as PamResource,
connectionDetails,
resource.gatewayId,
gatewayV2Service,
account.projectId
account.projectId,
resourceMetadata
);
const decryptedCredentials = await decryptAccountCredentials({
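Review bot: The two new decryption blocks pass different project ids to `decryptResourceMetadata` — `resource.projectId` in the first hunk and `account.projectId` in the second — even though both decrypt the same `resource.encryptedResourceMetadata`. If the project id selects the KMS key (which the `kmsService` argument suggests), the resource's own project is the one that can decrypt its metadata, so the second hunk should read `projectId: resource.projectId,`; if an account and its resource are guaranteed to share a project this is harmless, but then a one-line comment saying so is warranted. The block is also duplicated verbatim across both hunks, so a small helper such as `const getResourceMetadata = (resource, projectId) => ...` returning the decrypted value or `undefined` would keep the two call sites from drifting apart. Both hunks sit inside functions whose bodies begin and end outside the hunk.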


@@ -89,7 +89,8 @@ export type TPamResourceFactory<T extends TPamResourceConnectionDetails, C exten
connectionDetails: T,
gatewayId: string | null | undefined,
gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">,
projectId: string | null | undefined
projectId: string | null | undefined,
resourceMetadata?: TPamResourceMetadata
) => {
validateConnection: TPamResourceFactoryValidateConnection<T>;
validateAccountCredentials: TPamResourceFactoryValidateAccountCredentials<C>;
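Review bot: The new optional `resourceMetadata?: TPamResourceMetadata` parameter carries no documentation, and because it is optional every factory implementation has to decide on its own what `undefined` means — "the resource stores no metadata" and "this caller did not pass it" are not distinguishable at the type level. A TSDoc line on the parameter, e.g. `/** Decrypted contents of the resource's encryptedResourceMetadata; undefined when the resource stores none or the caller did not supply it. */`, would pin that contract for implementers. If all call sites are expected to pass it, making the parameter required would be the stricter option. The `TPamResourceFactory` alias starts before the hunk.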


@@ -14,7 +14,7 @@ import {
TPamResourceFactoryValidateAccountCredentials
} from "../pam-resource-types";
import { SSHAuthMethod } from "./ssh-resource-enums";
import { TSSHAccountCredentials, TSSHResourceConnectionDetails } from "./ssh-resource-types";
import { TSSHAccountCredentials, TSSHResourceConnectionDetails, TSSHResourceMetadata } from "./ssh-resource-types";
const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
@@ -56,7 +56,9 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
resourceType,
connectionDetails,
gatewayId,
gatewayV2Service
gatewayV2Service,
_projectId,
resourceMetadata?: TSSHResourceMetadata
) => {
const validateConnection = async () => {
try {
@@ -192,11 +194,20 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
});
break;
case SSHAuthMethod.Certificate:
// For certificate auth, we don't validate by connecting to the SSH server
// The certificate will be issued on-demand when the session is accessed
// We cant fully validate the connection since ssh2 doesn't support cert auth
if (!resourceMetadata) {
reject(
new BadRequestError({
message:
"SSH CA is not configured for this resource. Please set up the CA first using the SSH CA setup script."
})
);
return;
}
logger.info(
{ username: credentials.username },
"[SSH Resource Factory] Certificate auth method selected - skipping SSH connection validation"
"[SSH Resource Factory] Certificate auth - CA is configured, skipping connection validation"
);
resolve();
break;
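Review bot: The guard `if (!resourceMetadata)` before the rejection only proves that some metadata object was passed, not that an SSH CA is configured, yet the error message and the log line ("CA is configured") both assert the latter. Since `TSSHResourceMetadata` is not shown here I cannot name the field, but the check should test the CA-specific value itself — something like `if (!resourceMetadata?.<ca field>)` with the real property name — so that metadata without CA material is rejected too. Because `resourceMetadata` is optional on `TPamResourceFactory`, any caller of `PAM_RESOURCE_FACTORY_MAP` that the commit did not update (only two call sites are changed here; I cannot see whether others exist) would now fail certificate auth with a misleading "CA is not configured" message, which is worth confirming. The annotation `resourceMetadata?: TSSHResourceMetadata` narrows the parameter relative to the generic `TPamResourceMetadata`; under `strictFunctionTypes` that is only sound if the two types coincide, so if `TPamResourceMetadata` is a union a runtime discriminator check would be safer than the annotation. The enclosing `validateConnection` body and the `sshResourceFactory` definition continue outside the hunk.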