Merge branch 'feat/tls-identity-auth' of https://github.com/akhilmhdh/infisical into HEAD

certs/server.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExTCCA62gAwIBAgIUfLat+AulV/08NBkjBGc3SST07FkwDQYJKoZIhvcNAQEL
+BQAwQTELMAkGA1UEBhMCUEgxCzAJBgNVBAoTAlBIMQswCQYDVQQLEwJQSDELMAkG
+A1UECBMCUEgxCzAJBgNVBAcTAlBIMB4XDTI1MDYyNzE2NDQ0MFoXDTI2MDYyNzIy
+NDQ0MFowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAvDgWhvaFH8c3hw1b9Cg+m9KTjlSmp/Z7/RT+WGhWJSLTiPLI
+xtiKLuKXWt2fqzw+6BuSlN75ABkQVGelNlkD6MU8NjCmCA209vXbpYs6lVLGxg78
+kl5Qtt0dkmYI0gR32IGNeNn1h8jwNZ0wUiD86HxG6TODRtDdYcrzEsfDgC0BGdub
+1E838YoOFeM4JOnb35Ub1UDovvqdmM6FjJJgKyV2J57+R4WjkdDLsfR+ABodfCDG
+yOAJbbjAJOrCjVWTWlLUyqzYiwCvuZvY05dV6pYf66uYmYdrboAjcJZCTEbCSH7E
+i7TvtETWl3bJIA4YosUlZhawj5mkc9R2JpcQZQIDAQABo4IB4DCCAdwwCQYDVR0T
+BAIwADBiBgNVHR8EWzBZMFegVaBThlFodHRwczovL2FwcC5pbmZpc2ljYWwuY29t
+L2FwaS92MS9wa2kvY3JsL2JhMzc1ODg4LWUyNmItNGZmMS04ZGNmLTJjYTdmOGQ0
+NWJkNS9kZXIwHwYDVR0jBBgwFoAUIBdB7m5bs/MAaQ3F6WJw76/a9EwwHQYDVR0O
+BBYEFE7ZzdsLO1Mlltx6FrlMP0vvF+y5MIGiBggrBgEFBQcBAQSBlTCBkjCBjwYI
+KwYBBQUHMAKGgYJodHRwczovL2FwcC5pbmZpc2ljYWwuY29tL2FwaS92MS9wa2kv
+Y2EvYWJiNmE3MTktNGZiZC00MmQzLTlhYjItYWU0NTYwY2QyMDI1L2NlcnRpZmlj
+YXRlcy8wMTQ3NzAyMi05ZjM0LTQyN2MtYTQ2My0wOWU3ZWIxMGZlNDIvZGVyMBEG
+A1UdIAQKMAgwBgYEVR0gADAPBgNVHQ8BAf8EBQMDB/+AMEgGA1UdJQEB/wQ+MDwG
+CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMJBggrBgEFBQcD
+AQYIKwYBBQUHAwgwGAYDVR0RBBEwD4INbG9jYWxob3N0LmNvbTANBgkqhkiG9w0B
+AQsFAAOCAQEAafz9KPgUYh90JNYrk7CVdt1Yti11xuWg8BKb9g/xnYnw1C7Vk45t
+XIsSH5KAB45Z4Llfmd7y4vn9NxWNaLSHyGeSnzJC8w8LvnKC534B9W2734D5USgT
+3eSdyQZuBjFwWKQ6G7CpGWmtvKBMO8CpcdfMsjK3GPgFHgqjXGiUKgg6CCTm7rgD
+nR2Y5rNXUJKNG00OYVy2Fb/t/s+YB7cdUagE2324QJNu+jj3OL4rQ0coJGQp/Egd
+8kcUtG8v0QktlnGmEdtORR4xRM4OQdewJa2n4vjk6suWrGELfc780S38XltMaeut
+CkRU2ElJXwqCj6MkV1zIeZcRM5fOZTeotA==
+-----END CERTIFICATE-----

certs/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8OBaG9oUfxzeH
+DVv0KD6b0pOOVKan9nv9FP5YaFYlItOI8sjG2Iou4pda3Z+rPD7oG5KU3vkAGRBU
+Z6U2WQPoxTw2MKYIDbT29dulizqVUsbGDvySXlC23R2SZgjSBHfYgY142fWHyPA1
+nTBSIPzofEbpM4NG0N1hyvMSx8OALQEZ25vUTzfxig4V4zgk6dvflRvVQOi++p2Y
+zoWMkmArJXYnnv5HhaOR0Mux9H4AGh18IMbI4AltuMAk6sKNVZNaUtTKrNiLAK+5
+m9jTl1Xqlh/rq5iZh2tugCNwlkJMRsJIfsSLtO+0RNaXdskgDhiixSVmFrCPmaRz
+1HYmlxBlAgMBAAECggEACM2ofu87+57zVBEKm5ApLFvA5HoOiyjkC29NOQdZamr1
+A1fGjtnOO6AEGSF6ioDKuQJ7bIJELBCSVD4HpAqthWqehMUyl/fWcNl2tmR42EbV
+TGFaNXSothTbgV9LgghWChkRtQcyepXOsLD8c3QViVLDUAXXx5reJsReTdnaXAcF
+ltgQwTCaPwyG1oe/66o/71zrRo/fsjzxY4IK4D9mdDABc1/sBU1kFKbW+ld37qHC
+st9q+WJquniAdjCbII4YnhfUXfLbVqfDRU5N6s5u9lfetb6Uuc10BeGO4oxLtOUA
+twseUmABdgHaleZoI8H5s2ormtjyecFkeCBka65bFQKBgQD3nM8ROEVQvuGkloFv
+tSVXvBG9MRpu5dSRH/hiaDCh4YI4sHzt0F1PXHQuZ2Gvcub5KCggimG1xQ30X80l
+rq2wOLZMogmcogdTxL2PZPJpUrYaq9QhFOgNmhItsr7AszCsZ4NbmDtNlr2ZRzBY
+l8S3Ku87+qcH2CjSpaoqN5kSvwKBgQDCmD6NoWzqoJVtekxOOux1TiRuLsYvOTK6
+ARMSYQDReJhIMfmDoIXuH+ejvh9FBDMjXk466zs01sXG+cXSsz6kj+YI/pk5U3XT
+8HEQtCjpF6HwngwRAxYd5nrmi3RpSnlxOrpSEwE9rjL+e4Nd91dZZ/RYgZfmDdGt
+38A7xei52wKBgQCE4ieSIzO30KjBrm/KZlmjCvAuK0L3TupT8+dV0HqA9cfv6m8x
+JUheRcyn9p1LDgv8nNtkEz+60ATcJ+mtll/qGZVj7PXhlGcAQq5EXTVm5peKGrre
+Ah1C53NoCOwr+D5f17F8H2d8DTC1KKo+cTyF3EnFU4/+Org1y+hVfb7tewKBgBRm
+z9Abh4bF1UTIGK3vAZF+4tTmdILI9WeI6032+5X6lcSj8Kv7LW98ytVg/nhG63Ge
+1obY2Lk+dzfYQgRIJJ4uNAjnYHshI+5XfBMrQErH3oOSnmM+Nphl7Ka1IjxTwY28
+gYJPWcb0t4X0vx4f63mFK5oH5DwLYNtg5Q+fPToXAoGBAJBd0uYfkqAONG/qQfl7
+FsqacjX2QT5LTV47TrPm/5Bswe8TKVjHrXzjqHl/9lin5YwMA+E9xRfIQgm32MTJ
+lS1FuAw1/810Bb0mKPyj56capozfGOOlpP4m3aekNH3cbrkp1wemUe7/1YLGeUvh
+WREq3xdnmdockLlGwSEP44Zy
+-----END PRIVATE KEY-----

client-cert/cert.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEnDCCA4SgAwIBAgIUS5lVY5ilccwNiiK/UPaA1q85YqAwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEChMJY2xpZW50LWNhMB4XDTI1MDYyNzE2NTcwMVoXDTI2MDYy
+NzIyNTcwMVowGDEWMBQGA1UEAxMNbXktY2xpZW50LmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOlDpYHyBgfI3iYxITxI/AL9Wv/QyoegdVEQGLCv
+V2yNP4Vs3Q6MF6SpiPgxgj3uWDm6frqreDi0J48wmnW24Hvhc1G9Gih44e+xb808
+we9dB+cgK4Tk5QWNvSi6GEsoyDqZE51GVuu58gvrKT3ZAEeD/F8gcdWFDXnxRbA+
+6Nbx9i0vA4VBVoD/N0kAmvuMK+l0kq1qSSaG+t5GIR2k7rqNLUK9imGnRqycTMed
+2Gqz2cmUSQavUzzhNZchNqaP5N0cIBw3DDLnUrYdwt7hs0xOHYg6nsRGnW05Ql1b
+AQfdLcktthAzQKHVhsZgfH7oIM8JVn0JITUWFigtccbWFW8CAwEAAaOCAeAwggHc
+MAkGA1UdEwQCMAAwYgYDVR0fBFswWTBXoFWgU4ZRaHR0cHM6Ly9hcHAuaW5maXNp
+Y2FsLmNvbS9hcGkvdjEvcGtpL2NybC8wYWI1ZTY3OC1mM2E2LTRmZmUtODFmMy02
+NGFjYTU5OWE1NzgvZGVyMB8GA1UdIwQYMBaAFHm6PIGGRDT1ovFvl+uoeiRKNmwi
+MB0GA1UdDgQWBBSKQFs8zUvZV5c1EVOxgikDjLB1HjCBogYIKwYBBQUHAQEEgZUw
+gZIwgY8GCCsGAQUFBzAChoGCaHR0cHM6Ly9hcHAuaW5maXNpY2FsLmNvbS9hcGkv
+djEvcGtpL2NhLzAzNDU3NzdhLTM1MTQtNGNjNi1hZDZkLWUwNGQ3MDNiMzlkYi9j
+ZXJ0aWZpY2F0ZXMvNTVmNTY3YjMtN2IxZi00NDRlLWFjODEtNThlYmY5YjBjOGEx
+L2RlcjARBgNVHSAECjAIMAYGBFUdIAAwDwYDVR0PAQH/BAUDAwf/gDBIBgNVHSUB
+Af8EPjA8BggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCQYI
+KwYBBQUHAwEGCCsGAQUFBwMIMBgGA1UdEQQRMA+CDW15LWNsaWVudC5jb20wDQYJ
+KoZIhvcNAQELBQADggEBAAktLnY93gBhNvBuDM2gI5JS3NK+GV75lF665K2flJB9
+SMM2Bw64nrQveMeNpYEX8FOgQlGKKPVUEAxYAWbp5IHyjfpCSYJDsTk2DkyjgAmi
+RxIPCR4UMVKszmzhU+yiSALdLxGhdNWG/1wTjhQ7JCnyXW/DI8xueraEGgtKEUGa
+PSdgXzrqcsj/MhOAeGF3a0CrfhpTLsnU0nYcAj0c6BWDk0OCZaGVf3Qz+mKLPn37
+hpOb+9TzKQSEUCrRhiPGJXqQZyFr6BeiwHip6MY2/diAr9i+fqYw3o9lcHXr83RY
+tOk8ooBMAtGjLtRF2ze1yJXdC2fJJXRmEPsrPSfndeU=
+-----END CERTIFICATE-----

client-cert/chain.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeCgAwIBAgIUWd+4Vphs3TCLo8yTsPIWkvwM8C4wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEChMJY2xpZW50LWNhMB4XDTI1MDYyNzE2NTYyMFoXDTM1MDYy
+ODAwMDAwMFowFDESMBAGA1UEChMJY2xpZW50LWNhMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwipE/aDty9zB/yRAiavsEFAMiDpJqaK0r3foVJN80vyV
+5M0KX/0FlWdCZZ3X/uWL2Hmo342cJuqwy/F+u3fuMlwq/857SF+hoLH21Rb7KvJb
+1P8zAVfY7mtQgWgdFJSUWlCym2nEhuc08hMPgI7bJgYAEuZoHVBL7p8/unm4Uu+D
+HQHCS+kDdszU+3CZ/OVX730PMunnel5CqUnzlQuJ1ytjPiTCVxRfvxZk5bF7g77Z
+mYxAuBwuO9LSIxqW5zw/DIwYwON+jl6uJ7D49FIP4BpFxybraHYOJuPB1XDBLQFB
+U15ZtoyrpMBPXTQ1CmlmAAceAyeqL9G56MtPF89r4wIDAQABo0IwQDAPBgNVHRMB
+Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUebo8gYZENPWi8W+X
+66h6JEo2bCIwDQYJKoZIhvcNAQELBQADggEBALU27Uym4eryVwvcs9cbnPyw4v0C
+oWpwgyQrC0NMw+Gm0IVhEJxzp53DQLQ74r04gSHNfaCTlMv3lypF1bligZjrRFA5
+sGEWqZ9jMTgkNRZPUMjgzfPgDOaRQEnUeLUksTX81h04fu5XNYll12Q/91fSEJcT
+BbuXE0fvxYgou5HsbXR7BTK4CFFJj9dI4c59nTrGg4DlCtbA6UlbxNNM3YePdb5A
+tlyY8tXJYXS3bulbW4/uJuqhZAv8WGgQ9bCh4OdcHQ2hI6IB3P2tPGh5bjDICdbP
+10FBSwOuMxpiQuAKljMnfOsSzn09j4GgNBc0Ek1OlTIr26ybXvXxw1V532s=
+-----END CERTIFICATE-----

client-cert/exec.sh

@@ -0,0 +1,8 @@
+curl \
+  --request POST \
+  --insecure \
+  --cert cert.pem \
+  --key key.pem \
+  -d '{"identityId": "a87a7a3b-345c-46b2-a95a-54a608e0538b"}' \
+  -H "Content-Type: application/json" \
+  https://localhost:8443/api/v1/auth/tls-cert-auth/login

client-cert/key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDpQ6WB8gYHyN4m
+MSE8SPwC/Vr/0MqHoHVREBiwr1dsjT+FbN0OjBekqYj4MYI97lg5un66q3g4tCeP
+MJp1tuB74XNRvRooeOHvsW/NPMHvXQfnICuE5OUFjb0ouhhLKMg6mROdRlbrufIL
+6yk92QBHg/xfIHHVhQ158UWwPujW8fYtLwOFQVaA/zdJAJr7jCvpdJKtakkmhvre
+RiEdpO66jS1CvYphp0asnEzHndhqs9nJlEkGr1M84TWXITamj+TdHCAcNwwy51K2
+HcLe4bNMTh2IOp7ERp1tOUJdWwEH3S3JLbYQM0Ch1YbGYHx+6CDPCVZ9CSE1FhYo
+LXHG1hVvAgMBAAECggEAAR6xOUeeeNznGGncy3Ny2RjKl2mGJN8p+2lgoFY3B13I
+cnkKfnn9nkLkz1GjosLQkxOAE6TX9nyJZB6N9Zos261dMk8vxGkmsB4zHLq1LrQS
+Zo/wgwWfLmwBDmNTCUnUnby84Js4uz2+5yhBKQWQpIGj/ApM/EZ4YvGjQMJs+z2B
+rNeeAozNCIe8iUGTnPj+etklJuNqEU2yurRxHfdLFz9NIqWdHCm/T3gpdNtMwNSk
+l85kNzUMzWsKY0B3LT28jEq4JFoPQcRsh2tB7lcO/raoL0GQfilTHDy9NwPj61Jd
+Xo9uiTHGOL9KucMFYkKcaFL6YdPXEH8OrqK59Cdx9QKBgQD9o03JLVzYhg+xo99X
+RZYG1L+tqA8U5IK5nLtTCjMHn6qpOW4NdjVhlpn6P/Fv7CPHFNXIiFfTA7jBciHR
+PRJB8EIL8rgGcQUys4uOeVWFH4O6bRslczuxeIaXetikE9JnsQUoSRRKGzTtbM4K
+i3mNRLvI4kKDlLNZ6WpNVGsjwwKBgQDrb8UdJSM7Cxat3lWtsSvBIg7txbYCaBOZ
++j00pYVpgmG8qxzMX3XHD/jgSS38O593NX7Xv+wjFOweJb6/3t3PEP2calYyEdJE
+n2O1EflDG5+j8hiiRV1yrMzV1fgr0gRYRdrS+BQngvZNQOJP2XiyI8dxlenA/P16
+pB53lYsI5QKBgHZXZYnCIpncIyJtJV3g19kkFrL9wNusqtnTqQtbrOeXtdbzNsgN
+KWb5D6rVft8LvL28mOrRwrhv+ho4GFM6PXSKlyZf/0DyJsy7PRgiwKY2SA4JrirR
+Ez8AzzuKU95qaTd8Pr3HKzJQc2d75r7AyNwC/+MAvqwKC4yd/b1K8BplAoGBAKER
+4mTCF4w5Vda1mSAvaaPDzTrWXGLhGSfqjx0JcHByhrMwzY70b/sz7ixjZFZ/4+UG
+cDTiVIbbtX4ajJlvu4gCM79i8H1ou9W+xdQG6+UBbQIYisnZcskVdz2EGTjBgb9y
+avaSSheN/Tt0/F9shKo62CPZUAZ8Dl5tEXr2kBwRAn8f9TVPVlwOnJJibgRv8uqc
+T7qewRNZ7+zgyPvp8jyNmue+f7UPiisKSws6znRBse6kknElfn2lsYe/mr0Dokfw
+YtjLzo3M04IjkqZlwDNR5VPtsCqhDeSi1OhfsDUYzZIGNtg6kMASLOxUthR5IQ/V
+kgQRIedGzc8Dz8CBnFIo
+-----END PRIVATE KEY-----

docker-compose.dev.yml

@@ -4,12 +4,13 @@ services:
   nginx:
     container_name: infisical-dev-nginx
     image: nginx
-    restart: always
+    restart: "no"
     ports:
       - 8080:80
       - 8443:443
     volumes:
       - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./certs:/etc/ssl/certs
     depends_on:
       - backend
       - frontend

nginx/default.dev.conf

@@ -80,3 +80,122 @@ server {
         proxy_redirect off;
     }
 }
+
+server {
+    listen 443 ssl;
+
+    large_client_header_buffers 8 128k;
+    client_header_buffer_size 128k;
+
+    # SSL Configuration
+    ssl_certificate /etc/ssl/certs/server.crt;
+    ssl_certificate_key /etc/ssl/certs/server.key;
+    
+    # Client Certificate Configuration - Request cert but let API handle validation
+    ssl_verify_client optional_no_ca;  # Request client cert but don't enforce validation at nginx level
+
+    location ~ ^/(api|secret-scanning/webhooks) {
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+
+        # Forward client certificate information
+        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+        proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+        proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+        proxy_pass http://backend:4000;
+        proxy_redirect off;
+
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    }
+
+    location /runtime-ui-env.js {
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+
+        # Forward client certificate information
+        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+        proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+        proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+        proxy_pass http://backend:4000;
+        proxy_redirect off;
+
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    }
+
+    location /api/v3/migrate {
+        client_max_body_size 25M;
+
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+
+        # Forward client certificate information
+        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+        proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+        proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+        proxy_pass http://backend:4000;
+        proxy_redirect off;
+
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    }
+
+    location /.well-known/est {
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+
+        # Forward client certificate information
+        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+        proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+        proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+        proxy_pass http://backend:4000;
+        proxy_redirect off;
+
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    }
+
+    location / {
+        include /etc/nginx/mime.types;
+        
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+        
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Forward client certificate information
+        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
+        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+        proxy_set_header X-SSL-Client-Subject-DN $ssl_client_s_dn;
+        proxy_set_header X-SSL-Client-Issuer-DN $ssl_client_i_dn;
+
+        proxy_pass http://frontend:3000;
+        proxy_redirect off;
+    }
+}