github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-08 23:18:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

pass metadata to factory & validate CA setup

Browse Source
This commit is contained in:
x032205
2025-12-18 23:53:43 -05:00
parent e383a3e342
commit 37fd3a3351
3 changed files with 40 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
backend/src/ee/services/pam-account/pam-account-service.ts
View File

@@ -164,12 +164,22 @@ export const pamAccountServiceFactory = ({
kmsService kmsService
}); });
// Decrypt resource metadata if available
const resourceMetadata = resource.encryptedResourceMetadata
? await decryptResourceMetadata({
encryptedMetadata: resource.encryptedResourceMetadata,
projectId: resource.projectId,
kmsService
})
: undefined;
const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource]( const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
resource.resourceType as PamResource, resource.resourceType as PamResource,
connectionDetails, connectionDetails,
resource.gatewayId, resource.gatewayId,
gatewayV2Service, gatewayV2Service,
resource.projectId resource.projectId,
resourceMetadata
); );
const validatedCredentials = await factory.validateAccountCredentials(credentials); const validatedCredentials = await factory.validateAccountCredentials(credentials);
@@ -280,12 +290,22 @@ export const pamAccountServiceFactory = ({
kmsService kmsService
}); });
// Decrypt resource metadata if available
const resourceMetadata = resource.encryptedResourceMetadata
? await decryptResourceMetadata({
encryptedMetadata: resource.encryptedResourceMetadata,
projectId: account.projectId,
kmsService
})
: undefined;
const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource]( const factory = PAM_RESOURCE_FACTORY_MAP[resource.resourceType as PamResource](
resource.resourceType as PamResource, resource.resourceType as PamResource,
connectionDetails, connectionDetails,
resource.gatewayId, resource.gatewayId,
gatewayV2Service, gatewayV2Service,
account.projectId account.projectId,
resourceMetadata
); );
const decryptedCredentials = await decryptAccountCredentials({ const decryptedCredentials = await decryptAccountCredentials({

3
backend/src/ee/services/pam-resource/pam-resource-types.ts
View File

@@ -89,7 +89,8 @@ export type TPamResourceFactory<T extends TPamResourceConnectionDetails, C exten
connectionDetails: T, connectionDetails: T,
gatewayId: string | null | undefined, gatewayId: string | null | undefined,
gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">, gatewayV2Service: Pick<TGatewayV2ServiceFactory, "getPlatformConnectionDetailsByGatewayId">,
projectId: string | null | undefined projectId: string | null | undefined,
resourceMetadata?: TPamResourceMetadata
) => { ) => {
validateConnection: TPamResourceFactoryValidateConnection<T>; validateConnection: TPamResourceFactoryValidateConnection<T>;
validateAccountCredentials: TPamResourceFactoryValidateAccountCredentials<C>; validateAccountCredentials: TPamResourceFactoryValidateAccountCredentials<C>;

21
backend/src/ee/services/pam-resource/ssh/ssh-resource-factory.ts
View File

@@ -14,7 +14,7 @@ import {
TPamResourceFactoryValidateAccountCredentials TPamResourceFactoryValidateAccountCredentials
} from "../pam-resource-types"; } from "../pam-resource-types";
import { SSHAuthMethod } from "./ssh-resource-enums"; import { SSHAuthMethod } from "./ssh-resource-enums";
import { TSSHAccountCredentials, TSSHResourceConnectionDetails } from "./ssh-resource-types"; import { TSSHAccountCredentials, TSSHResourceConnectionDetails, TSSHResourceMetadata } from "./ssh-resource-types";
const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000; const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
@@ -56,7 +56,9 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
resourceType, resourceType,
connectionDetails, connectionDetails,
gatewayId, gatewayId,
gatewayV2Service gatewayV2Service,
_projectId,
resourceMetadata?: TSSHResourceMetadata
) => { ) => {
const validateConnection = async () => { const validateConnection = async () => {
try { try {
@@ -192,11 +194,20 @@ export const sshResourceFactory: TPamResourceFactory<TSSHResourceConnectionDetai
}); });
break; break;
case SSHAuthMethod.Certificate: case SSHAuthMethod.Certificate:
// For certificate auth, we don't validate by connecting to the SSH server // We cant fully validate the connection since ssh2 doesn't support cert auth
// The certificate will be issued on-demand when the session is accessed if (!resourceMetadata) {
reject(
new BadRequestError({
message:
"SSH CA is not configured for this resource. Please set up the CA first using the SSH CA setup script."
})
);
return;
}
logger.info( logger.info(
{ username: credentials.username }, { username: credentials.username },
"[SSH Resource Factory] Certificate auth method selected - skipping SSH connection validation" "[SSH Resource Factory] Certificate auth - CA is configured, skipping connection validation"
); );
resolve(); resolve();
break; break;