github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-10 07:58:15 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3736 from Infisical/feat/azureDevopsSecretSync

Browse Source 
Feat/azure devops secret sync
This commit is contained in:
carlosmonastyrski
2025-06-12 22:06:05 -03:00
committed by GitHub
parent 1fb0c638d6 3f2de2c5ef
commit 9621df4f8b
84 changed files with 2056 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
backend/src/lib/api-docs/constants.ts
View File

@@ -2208,6 +2208,11 @@ export const AppConnections = {
code: "The OAuth code to use to connect with Azure Client Secrets.",
tenantId: "The Tenant ID to use to connect with Azure Client Secrets."
},
AZURE_DEVOPS: {
code: "The OAuth code to use to connect with Azure DevOps.",
tenantId: "The Tenant ID to use to connect with Azure DevOps.",
orgName: "The Organization name to use to connect with Azure DevOps."
},
OCI: {
userOcid: "The OCID (Oracle Cloud Identifier) of the user making the request.",
tenancyOcid: "The OCID (Oracle Cloud Identifier) of the tenancy in Oracle Cloud Infrastructure.",
@@ -2322,6 +2327,10 @@ export const SecretSyncs = {
"The URL of the Azure App Configuration to sync secrets to. Example: https://example.azconfig.io/",
label: "An optional label to assign to secrets created in Azure App Configuration."
},
AZURE_DEVOPS: {
devopsProjectId: "The ID of the Azure DevOps project to sync secrets to.",
devopsProjectName: "The name of the Azure DevOps project to sync secrets to."
},
GCP: {
scope: "The Google project scope that secrets should be synced to.",
projectId: "The ID of the Google project secrets should be synced to.",

6
backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
View File

@@ -19,6 +19,10 @@ import {
AzureClientSecretsConnectionListItemSchema,
SanitizedAzureClientSecretsConnectionSchema
} from "@app/services/app-connection/azure-client-secrets";
import {
AzureDevOpsConnectionListItemSchema,
SanitizedAzureDevOpsConnectionSchema
} from "@app/services/app-connection/azure-devops/azure-devops-schemas";
import {
AzureKeyVaultConnectionListItemSchema,
SanitizedAzureKeyVaultConnectionSchema
@@ -75,6 +79,7 @@ const SanitizedAppConnectionSchema = z.union([
...SanitizedGcpConnectionSchema.options,
...SanitizedAzureKeyVaultConnectionSchema.options,
...SanitizedAzureAppConfigurationConnectionSchema.options,
...SanitizedAzureDevOpsConnectionSchema.options,
...SanitizedDatabricksConnectionSchema.options,
...SanitizedHumanitecConnectionSchema.options,
...SanitizedTerraformCloudConnectionSchema.options,
@@ -100,6 +105,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
GcpConnectionListItemSchema,
AzureKeyVaultConnectionListItemSchema,
AzureAppConfigurationConnectionListItemSchema,
AzureDevOpsConnectionListItemSchema,
DatabricksConnectionListItemSchema,
HumanitecConnectionListItemSchema,
TerraformCloudConnectionListItemSchema,

49
backend/src/server/routes/v1/app-connection-routers/azure-devops-connection-router.ts Normal file
View File

@@ -0,0 +1,49 @@
import { z } from "zod";
import { readLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
CreateAzureDevOpsConnectionSchema,
SanitizedAzureDevOpsConnectionSchema,
UpdateAzureDevOpsConnectionSchema
} from "@app/services/app-connection/azure-devops/azure-devops-schemas";
import { AuthMode } from "@app/services/auth/auth-type";
import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
export const registerAzureDevOpsConnectionRouter = async (server: FastifyZodProvider) => {
registerAppConnectionEndpoints({
app: AppConnection.AzureDevOps,
server,
sanitizedResponseSchema: SanitizedAzureDevOpsConnectionSchema,
createSchema: CreateAzureDevOpsConnectionSchema,
updateSchema: UpdateAzureDevOpsConnectionSchema
});
server.route({
method: "GET",
url: `/:connectionId/projects`,
config: {
rateLimit: readLimit
},
schema: {
params: z.object({
connectionId: z.string().uuid()
}),
response: {
200: z.object({
projects: z.object({ name: z.string(), id: z.string(), appId: z.string() }).array()
})
}
},
onRequest: verifyAuth([AuthMode.JWT]),
handler: async (req) => {
const { connectionId } = req.params;
const projects = await server.services.appConnection.azureDevOps.listProjects(connectionId, req.permission);
return { projects };
}
});
};

2
backend/src/server/routes/v1/app-connection-routers/index.ts
View File

@@ -6,6 +6,7 @@ import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
import { registerAwsConnectionRouter } from "./aws-connection-router";
import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secrets-connection-router";
import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
import { registerAzureKeyVaultConnectionRouter } from "./azure-key-vault-connection-router";
import { registerCamundaConnectionRouter } from "./camunda-connection-router";
import { registerDatabricksConnectionRouter } from "./databricks-connection-router";
@@ -34,6 +35,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
[AppConnection.AzureKeyVault]: registerAzureKeyVaultConnectionRouter,
[AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
[AppConnection.AzureClientSecrets]: registerAzureClientSecretsConnectionRouter,
[AppConnection.AzureDevOps]: registerAzureDevOpsConnectionRouter,
[AppConnection.Databricks]: registerDatabricksConnectionRouter,
[AppConnection.Humanitec]: registerHumanitecConnectionRouter,
[AppConnection.TerraformCloud]: registerTerraformCloudConnectionRouter,

17
backend/src/server/routes/v1/secret-sync-routers/azure-devops-sync-router.ts Normal file
View File

@@ -0,0 +1,17 @@
import {
AzureDevOpsSyncSchema,
CreateAzureDevOpsSyncSchema,
UpdateAzureDevOpsSyncSchema
} from "@app/services/secret-sync/azure-devops";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
export const registerAzureDevOpsSyncRouter = async (server: FastifyZodProvider) =>
registerSyncSecretsEndpoints({
destination: SecretSync.AzureDevOps,
server,
responseSchema: AzureDevOpsSyncSchema,
createSchema: CreateAzureDevOpsSyncSchema,
updateSchema: UpdateAzureDevOpsSyncSchema
});

2
backend/src/server/routes/v1/secret-sync-routers/index.ts
View File

@@ -5,6 +5,7 @@ import { registerOnePassSyncRouter } from "./1password-sync-router";
import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
import { registerAwsSecretsManagerSyncRouter } from "./aws-secrets-manager-sync-router";
import { registerAzureAppConfigurationSyncRouter } from "./azure-app-configuration-sync-router";
import { registerAzureDevOpsSyncRouter } from "./azure-devops-sync-router";
import { registerAzureKeyVaultSyncRouter } from "./azure-key-vault-sync-router";
import { registerCamundaSyncRouter } from "./camunda-sync-router";
import { registerDatabricksSyncRouter } from "./databricks-sync-router";
@@ -26,6 +27,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
[SecretSync.GCPSecretManager]: registerGcpSyncRouter,
[SecretSync.AzureKeyVault]: registerAzureKeyVaultSyncRouter,
[SecretSync.AzureAppConfiguration]: registerAzureAppConfigurationSyncRouter,
[SecretSync.AzureDevOps]: registerAzureDevOpsSyncRouter,
[SecretSync.Databricks]: registerDatabricksSyncRouter,
[SecretSync.Humanitec]: registerHumanitecSyncRouter,
[SecretSync.TerraformCloud]: registerTerraformCloudSyncRouter,

3
backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
View File

@@ -19,6 +19,7 @@ import {
AzureAppConfigurationSyncListItemSchema,
AzureAppConfigurationSyncSchema
} from "@app/services/secret-sync/azure-app-configuration";
import { AzureDevOpsSyncListItemSchema, AzureDevOpsSyncSchema } from "@app/services/secret-sync/azure-devops";
import { AzureKeyVaultSyncListItemSchema, AzureKeyVaultSyncSchema } from "@app/services/secret-sync/azure-key-vault";
import { CamundaSyncListItemSchema, CamundaSyncSchema } from "@app/services/secret-sync/camunda";
import { DatabricksSyncListItemSchema, DatabricksSyncSchema } from "@app/services/secret-sync/databricks";
@@ -38,6 +39,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
GcpSyncSchema,
AzureKeyVaultSyncSchema,
AzureAppConfigurationSyncSchema,
AzureDevOpsSyncSchema,
DatabricksSyncSchema,
HumanitecSyncSchema,
TerraformCloudSyncSchema,
@@ -57,6 +59,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
GcpSyncListItemSchema,
AzureKeyVaultSyncListItemSchema,
AzureAppConfigurationSyncListItemSchema,
AzureDevOpsSyncListItemSchema,
DatabricksSyncListItemSchema,
HumanitecSyncListItemSchema,
TerraformCloudSyncListItemSchema,

1
backend/src/services/app-connection/app-connection-enums.ts
View File

@@ -7,6 +7,7 @@ export enum AppConnection {
AzureKeyVault = "azure-key-vault",
AzureAppConfiguration = "azure-app-configuration",
AzureClientSecrets = "azure-client-secrets",
AzureDevOps = "azure-devops",
Humanitec = "humanitec",
TerraformCloud = "terraform-cloud",
Vercel = "vercel",

10
backend/src/services/app-connection/app-connection-fns.ts
View File

@@ -39,6 +39,11 @@ import {
getAzureClientSecretsConnectionListItem,
validateAzureClientSecretsConnectionCredentials
} from "./azure-client-secrets";
import { AzureDevOpsConnectionMethod } from "./azure-devops/azure-devops-enums";
import {
getAzureDevopsConnectionListItem,
validateAzureDevOpsConnectionCredentials
} from "./azure-devops/azure-devops-fns";
import {
AzureKeyVaultConnectionMethod,
getAzureKeyVaultConnectionListItem,
@@ -98,6 +103,7 @@ export const listAppConnectionOptions = () => {
getGcpConnectionListItem(),
getAzureKeyVaultConnectionListItem(),
getAzureAppConfigurationConnectionListItem(),
getAzureDevopsConnectionListItem(),
getDatabricksConnectionListItem(),
getHumanitecConnectionListItem(),
getTerraformCloudConnectionListItem(),
@@ -173,6 +179,7 @@ export const validateAppConnectionCredentials = async (
validateAzureAppConfigurationConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.AzureClientSecrets]:
validateAzureClientSecretsConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.AzureDevOps]: validateAzureDevOpsConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -201,6 +208,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
case AzureAppConfigurationConnectionMethod.OAuth:
case AzureClientSecretsConnectionMethod.OAuth:
case GitHubConnectionMethod.OAuth:
case AzureDevOpsConnectionMethod.OAuth:
return "OAuth";
case AwsConnectionMethod.AccessKey:
case OCIConnectionMethod.AccessKey:
@@ -225,6 +233,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
case WindmillConnectionMethod.AccessToken:
case HCVaultConnectionMethod.AccessToken:
case TeamCityConnectionMethod.AccessToken:
case AzureDevOpsConnectionMethod.AccessToken:
return "Access Token";
case Auth0ConnectionMethod.ClientCredentials:
return "Client Credentials";
@@ -270,6 +279,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
[AppConnection.GCP]: platformManagedCredentialsNotSupported,
[AppConnection.AzureKeyVault]: platformManagedCredentialsNotSupported,
[AppConnection.AzureAppConfiguration]: platformManagedCredentialsNotSupported,
[AppConnection.AzureDevOps]: platformManagedCredentialsNotSupported,
[AppConnection.Humanitec]: platformManagedCredentialsNotSupported,
[AppConnection.Postgres]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
[AppConnection.MsSql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,

2
backend/src/services/app-connection/app-connection-maps.ts
View File

@@ -8,6 +8,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
[AppConnection.AzureKeyVault]: "Azure Key Vault",
[AppConnection.AzureAppConfiguration]: "Azure App Configuration",
[AppConnection.AzureClientSecrets]: "Azure Client Secrets",
[AppConnection.AzureDevOps]: "Azure DevOps",
[AppConnection.Databricks]: "Databricks",
[AppConnection.Humanitec]: "Humanitec",
[AppConnection.TerraformCloud]: "Terraform Cloud",
@@ -33,6 +34,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
[AppConnection.AzureKeyVault]: AppConnectionPlanType.Regular,
[AppConnection.AzureAppConfiguration]: AppConnectionPlanType.Regular,
[AppConnection.AzureClientSecrets]: AppConnectionPlanType.Regular,
[AppConnection.AzureDevOps]: AppConnectionPlanType.Regular,
[AppConnection.Databricks]: AppConnectionPlanType.Regular,
[AppConnection.Humanitec]: AppConnectionPlanType.Regular,
[AppConnection.TerraformCloud]: AppConnectionPlanType.Regular,

4
backend/src/services/app-connection/app-connection-service.ts
View File

@@ -41,6 +41,8 @@ import { awsConnectionService } from "./aws/aws-connection-service";
import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
import { ValidateAzureClientSecretsConnectionCredentialsSchema } from "./azure-client-secrets";
import { azureClientSecretsConnectionService } from "./azure-client-secrets/azure-client-secrets-service";
import { ValidateAzureDevOpsConnectionCredentialsSchema } from "./azure-devops/azure-devops-schemas";
import { azureDevOpsConnectionService } from "./azure-devops/azure-devops-service";
import { ValidateAzureKeyVaultConnectionCredentialsSchema } from "./azure-key-vault";
import { ValidateCamundaConnectionCredentialsSchema } from "./camunda";
import { camundaConnectionService } from "./camunda/camunda-connection-service";
@@ -84,6 +86,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
[AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema,
[AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
[AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
[AppConnection.AzureDevOps]: ValidateAzureDevOpsConnectionCredentialsSchema,
[AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
[AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema,
[AppConnection.TerraformCloud]: ValidateTerraformCloudConnectionCredentialsSchema,
@@ -498,6 +501,7 @@ export const appConnectionServiceFactory = ({
camunda: camundaConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
vercel: vercelConnectionService(connectAppConnectionById),
azureClientSecrets: azureClientSecretsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
azureDevOps: azureDevOpsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
hcvault: hcVaultConnectionService(connectAppConnectionById),
windmill: windmillConnectionService(connectAppConnectionById),

10
backend/src/services/app-connection/app-connection-types.ts
View File

@@ -39,6 +39,12 @@ import {
TAzureClientSecretsConnectionInput,
TValidateAzureClientSecretsConnectionCredentialsSchema
} from "./azure-client-secrets";
import {
TAzureDevOpsConnection,
TAzureDevOpsConnectionConfig,
TAzureDevOpsConnectionInput,
TValidateAzureDevOpsConnectionCredentialsSchema
} from "./azure-devops/azure-devops-types";
import {
TAzureKeyVaultConnection,
TAzureKeyVaultConnectionConfig,
@@ -132,6 +138,7 @@ export type TAppConnection = { id: string } & (
| TGcpConnection
| TAzureKeyVaultConnection
| TAzureAppConfigurationConnection
| TAzureDevOpsConnection
| TDatabricksConnection
| THumanitecConnection
| TTerraformCloudConnection
@@ -161,6 +168,7 @@ export type TAppConnectionInput = { id: string } & (
| TGcpConnectionInput
| TAzureKeyVaultConnectionInput
| TAzureAppConfigurationConnectionInput
| TAzureDevOpsConnectionInput
| TDatabricksConnectionInput
| THumanitecConnectionInput
| TTerraformCloudConnectionInput
@@ -197,6 +205,7 @@ export type TAppConnectionConfig =
| TGcpConnectionConfig
| TAzureKeyVaultConnectionConfig
| TAzureAppConfigurationConnectionConfig
| TAzureDevOpsConnectionConfig
| TAzureClientSecretsConnectionConfig
| TDatabricksConnectionConfig
| THumanitecConnectionConfig
@@ -220,6 +229,7 @@ export type TValidateAppConnectionCredentialsSchema =
| TValidateAzureKeyVaultConnectionCredentialsSchema
| TValidateAzureAppConfigurationConnectionCredentialsSchema
| TValidateAzureClientSecretsConnectionCredentialsSchema
| TValidateAzureDevOpsConnectionCredentialsSchema
| TValidateDatabricksConnectionCredentialsSchema
| TValidateHumanitecConnectionCredentialsSchema
| TValidatePostgresConnectionCredentialsSchema

4
backend/src/services/app-connection/azure-devops/azure-devops-enums.ts Normal file
View File

@@ -0,0 +1,4 @@
export enum AzureDevOpsConnectionMethod {
OAuth = "oauth",
AccessToken = "access-token"
}

269
backend/src/services/app-connection/azure-devops/azure-devops-fns.ts Normal file
View File

@@ -0,0 +1,269 @@
/* eslint-disable no-case-declarations */
import { AxiosError, AxiosResponse } from "axios";
import { getConfig } from "@app/lib/config/env";
import { request } from "@app/lib/config/request";
import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
import { logger } from "@app/lib/logger";
import {
decryptAppConnectionCredentials,
encryptAppConnectionCredentials,
getAppConnectionMethodName
} from "@app/services/app-connection/app-connection-fns";
import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
import { TAppConnectionDALFactory } from "../app-connection-dal";
import { AppConnection } from "../app-connection-enums";
import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
import {
ExchangeCodeAzureResponse,
TAzureDevOpsConnectionConfig,
TAzureDevOpsConnectionCredentials
} from "./azure-devops-types";
export const getAzureDevopsConnectionListItem = () => {
const { INF_APP_CONNECTION_AZURE_CLIENT_ID } = getConfig();
return {
name: "Azure DevOps" as const,
app: AppConnection.AzureDevOps as const,
methods: Object.values(AzureDevOpsConnectionMethod) as [
AzureDevOpsConnectionMethod.OAuth,
AzureDevOpsConnectionMethod.AccessToken
],
oauthClientId: INF_APP_CONNECTION_AZURE_CLIENT_ID
};
};
export const getAzureDevopsConnection = async (
connectionId: string,
appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "updateById">,
kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
) => {
const appConnection = await appConnectionDAL.findById(connectionId);
if (!appConnection) {
throw new NotFoundError({ message: `Connection with ID '${connectionId}' not found` });
}
if (appConnection.app !== AppConnection.AzureDevOps) {
throw new BadRequestError({
message: `Connection with ID '${connectionId}' is not an Azure DevOps connection`
});
}
const credentials = (await decryptAppConnectionCredentials({
orgId: appConnection.orgId,
kmsService,
encryptedCredentials: appConnection.encryptedCredentials
})) as TAzureDevOpsConnectionCredentials;
// Handle different connection methods
switch (appConnection.method) {
case AzureDevOpsConnectionMethod.OAuth:
const appCfg = getConfig();
if (!appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID || !appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
throw new BadRequestError({
message: `Azure environment variables have not been configured`
});
}
if (!("refreshToken" in credentials)) {
throw new BadRequestError({ message: "Invalid OAuth credentials" });
}
const { refreshToken, tenantId } = credentials;
const currentTime = Date.now();
const { data } = await request.post<ExchangeCodeAzureResponse>(
IntegrationUrls.AZURE_TOKEN_URL.replace("common", tenantId || "common"),
new URLSearchParams({
grant_type: "refresh_token",
scope: `https://app.vssps.visualstudio.com/.default`,
client_id: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_ID,
client_secret: appCfg.INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
refresh_token: refreshToken
})
);
const updatedCredentials = {
...credentials,
accessToken: data.access_token,
expiresAt: currentTime + data.expires_in * 1000,
refreshToken: data.refresh_token
};
const encryptedCredentials = await encryptAppConnectionCredentials({
credentials: updatedCredentials,
orgId: appConnection.orgId,
kmsService
});
await appConnectionDAL.updateById(appConnection.id, { encryptedCredentials });
return data.access_token;
case AzureDevOpsConnectionMethod.AccessToken:
if (!("accessToken" in credentials)) {
throw new BadRequestError({ message: "Invalid API token credentials" });
}
// For access token, return the basic auth token directly
return credentials.accessToken;
default:
throw new BadRequestError({ message: `Unsupported connection method` });
}
};
export const validateAzureDevOpsConnectionCredentials = async (config: TAzureDevOpsConnectionConfig) => {
const { credentials: inputCredentials, method } = config;
const { INF_APP_CONNECTION_AZURE_CLIENT_ID, INF_APP_CONNECTION_AZURE_CLIENT_SECRET, SITE_URL } = getConfig();
switch (method) {
case AzureDevOpsConnectionMethod.OAuth:
if (!SITE_URL) {
throw new InternalServerError({ message: "SITE_URL env var is required to complete Azure OAuth flow" });
}
if (!INF_APP_CONNECTION_AZURE_CLIENT_ID || !INF_APP_CONNECTION_AZURE_CLIENT_SECRET) {
throw new InternalServerError({
message: `Azure ${getAppConnectionMethodName(method)} environment variables have not been configured`
});
}
let tokenResp: AxiosResponse<ExchangeCodeAzureResponse> | null = null;
let tokenError: AxiosError | null = null;
try {
const oauthCredentials = inputCredentials as { code: string; tenantId: string };
tokenResp = await request.post<ExchangeCodeAzureResponse>(
IntegrationUrls.AZURE_TOKEN_URL.replace("common", oauthCredentials.tenantId || "common"),
new URLSearchParams({
grant_type: "authorization_code",
code: oauthCredentials.code,
scope: `https://app.vssps.visualstudio.com/.default`,
client_id: INF_APP_CONNECTION_AZURE_CLIENT_ID,
client_secret: INF_APP_CONNECTION_AZURE_CLIENT_SECRET,
redirect_uri: `${SITE_URL}/organization/app-connections/azure/oauth/callback`
})
);
} catch (e: unknown) {
if (e instanceof AxiosError) {
tokenError = e;
} else {
throw new BadRequestError({
message: `Unable to validate connection: verify credentials`
});
}
}
if (tokenError) {
if (tokenError instanceof AxiosError) {
throw new BadRequestError({
message: `Failed to get access token: ${
(tokenError?.response?.data as { error_description?: string })?.error_description || "Unknown error"
}`
});
} else {
throw new InternalServerError({
message: "Failed to get access token"
});
}
}
if (!tokenResp) {
throw new InternalServerError({
message: `Failed to get access token: Token was empty with no error`
});
}
const oauthCredentials = inputCredentials as { code: string; tenantId: string; orgName: string };
return {
tenantId: oauthCredentials.tenantId,
orgName: oauthCredentials.orgName,
accessToken: tokenResp.data.access_token,
refreshToken: tokenResp.data.refresh_token,
expiresAt: Date.now() + tokenResp.data.expires_in * 1000
};
case AzureDevOpsConnectionMethod.AccessToken:
const accessTokenCredentials = inputCredentials as { accessToken: string; orgName?: string };
try {
if (accessTokenCredentials.orgName) {
// Validate against specific organization
const response = await request.get(
`${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(accessTokenCredentials.orgName)}/_apis/projects?api-version=7.2-preview.2&$top=1`,
{
headers: {
Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
}
}
);
if (response.status !== 200) {
throw new BadRequestError({
message: `Failed to validate connection: ${response.status}`
});
}
return {
accessToken: accessTokenCredentials.accessToken,
orgName: accessTokenCredentials.orgName
};
}
// Validate via profile and discover organizations
const profileResponse = await request.get<{ displayName: string }>(
`https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1`,
{
headers: {
Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
}
}
);
let organizations: Array<{ accountId: string; accountName: string; accountUri: string }> = [];
try {
const orgsResponse = await request.get<{
value: Array<{ accountId: string; accountName: string; accountUri: string }>;
}>(`https://app.vssps.visualstudio.com/_apis/accounts?api-version=7.1`, {
headers: {
Authorization: `Basic ${Buffer.from(`:${accessTokenCredentials.accessToken}`).toString("base64")}`
}
});
organizations = orgsResponse.data.value || [];
} catch (orgError) {
logger.warn(orgError, "Could not fetch organizations automatically:");
}
return {
accessToken: accessTokenCredentials.accessToken,
userDisplayName: profileResponse.data.displayName,
organizations: organizations.map((org) => ({
accountId: org.accountId,
accountName: org.accountName,
accountUri: org.accountUri
}))
};
} catch (error) {
if (error instanceof AxiosError) {
const errorMessage = accessTokenCredentials.orgName
? // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
`Failed to validate access token for organization '${accessTokenCredentials.orgName}': ${error.response?.data?.message || error.message}`
: `Invalid Azure DevOps Personal Access Token: ${error.response?.status === 401 ? "Token is invalid or expired" : error.message}`;
throw new BadRequestError({ message: errorMessage });
}
throw new BadRequestError({
message: `Unable to validate Azure DevOps token`
});
}
default:
throw new InternalServerError({
message: `Unhandled Azure connection method: ${method as AzureDevOpsConnectionMethod}`
});
}
};

112
backend/src/services/app-connection/azure-devops/azure-devops-schemas.ts Normal file
View File

@@ -0,0 +1,112 @@
import { z } from "zod";
import { AppConnections } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
BaseAppConnectionSchema,
GenericCreateAppConnectionFieldsSchema,
GenericUpdateAppConnectionFieldsSchema
} from "@app/services/app-connection/app-connection-schemas";
import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
export const AzureDevOpsConnectionOAuthInputCredentialsSchema = z.object({
code: z.string().trim().min(1, "OAuth code required").describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.code),
tenantId: z.string().trim().min(1, "Tenant ID required").describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.tenantId),
orgName: z
.string()
.trim()
.min(1, "Organization name required")
.describe(AppConnections.CREDENTIALS.AZURE_DEVOPS.orgName)
});
export const AzureDevOpsConnectionOAuthOutputCredentialsSchema = z.object({
tenantId: z.string(),
orgName: z.string(),
accessToken: z.string(),
refreshToken: z.string(),
expiresAt: z.number()
});
export const AzureDevOpsConnectionAccessTokenInputCredentialsSchema = z.object({
accessToken: z.string().trim().min(1, "Access Token required"),
orgName: z.string().trim().min(1, "Organization name required")
});
export const AzureDevOpsConnectionAccessTokenOutputCredentialsSchema = z.object({
accessToken: z.string(),
orgName: z.string()
});
export const ValidateAzureDevOpsConnectionCredentialsSchema = z.discriminatedUnion("method", [
z.object({
method: z
.literal(AzureDevOpsConnectionMethod.OAuth)
.describe(AppConnections.CREATE(AppConnection.AzureDevOps).method),
credentials: AzureDevOpsConnectionOAuthInputCredentialsSchema.describe(
AppConnections.CREATE(AppConnection.AzureDevOps).credentials
)
}),
z.object({
method: z
.literal(AzureDevOpsConnectionMethod.AccessToken)
.describe(AppConnections.CREATE(AppConnection.AzureDevOps).method),
credentials: AzureDevOpsConnectionAccessTokenInputCredentialsSchema.describe(
AppConnections.CREATE(AppConnection.AzureDevOps).credentials
)
})
]);
export const CreateAzureDevOpsConnectionSchema = ValidateAzureDevOpsConnectionCredentialsSchema.and(
GenericCreateAppConnectionFieldsSchema(AppConnection.AzureDevOps)
);
export const UpdateAzureDevOpsConnectionSchema = z
.object({
credentials: z
.union([AzureDevOpsConnectionOAuthInputCredentialsSchema, AzureDevOpsConnectionAccessTokenInputCredentialsSchema])
.optional()
.describe(AppConnections.UPDATE(AppConnection.AzureDevOps).credentials)
})
.and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureDevOps));
const BaseAzureDevOpsConnectionSchema = BaseAppConnectionSchema.extend({
app: z.literal(AppConnection.AzureDevOps)
});
export const AzureDevOpsConnectionSchema = z.intersection(
BaseAzureDevOpsConnectionSchema,
z.discriminatedUnion("method", [
z.object({
method: z.literal(AzureDevOpsConnectionMethod.OAuth),
credentials: AzureDevOpsConnectionOAuthOutputCredentialsSchema
}),
z.object({
method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema
})
])
);
export const SanitizedAzureDevOpsConnectionSchema = z.discriminatedUnion("method", [
BaseAzureDevOpsConnectionSchema.extend({
method: z.literal(AzureDevOpsConnectionMethod.OAuth),
credentials: AzureDevOpsConnectionOAuthOutputCredentialsSchema.pick({
tenantId: true,
orgName: true
})
}),
BaseAzureDevOpsConnectionSchema.extend({
method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
credentials: AzureDevOpsConnectionAccessTokenOutputCredentialsSchema.pick({
orgName: true
})
})
]);
export const AzureDevOpsConnectionListItemSchema = z.object({
name: z.literal("Azure DevOps"),
app: z.literal(AppConnection.AzureDevOps),
methods: z.nativeEnum(AzureDevOpsConnectionMethod).array(),
oauthClientId: z.string().optional()
});

127
backend/src/services/app-connection/azure-devops/azure-devops-service.ts Normal file
View File

@@ -0,0 +1,127 @@
/* eslint-disable @typescript-eslint/no-unsafe-member-access */
/* eslint-disable no-case-declarations */
import { AxiosError } from "axios";
import { request } from "@app/lib/config/request";
import { BadRequestError } from "@app/lib/errors";
import { OrgServiceActor } from "@app/lib/types";
import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
import { AzureDevOpsConnectionMethod } from "./azure-devops-enums";
import { getAzureDevopsConnection } from "./azure-devops-fns";
import { TAzureDevOpsConnection } from "./azure-devops-types";
type TGetAppConnectionFunc = (
app: AppConnection,
connectionId: string,
actor: OrgServiceActor
) => Promise<TAzureDevOpsConnection>;
type TAzureDevOpsProject = {
id: string;
name: string;
description?: string;
url?: string;
state?: string;
visibility?: string;
lastUpdateTime?: string;
revision?: number;
abbreviation?: string;
defaultTeamImageUrl?: string;
};
type TAzureDevOpsProjectsResponse = {
count: number;
value: TAzureDevOpsProject[];
};
const getAuthHeaders = (appConnection: TAzureDevOpsConnection, accessToken: string) => {
switch (appConnection.method) {
case AzureDevOpsConnectionMethod.OAuth:
return {
Authorization: `Bearer ${accessToken}`,
Accept: "application/json"
};
case AzureDevOpsConnectionMethod.AccessToken:
// For access token, create Basic auth header
const basicAuthToken = Buffer.from(`user:${accessToken}`).toString("base64");
return {
Authorization: `Basic ${basicAuthToken}`,
Accept: "application/json"
};
default:
throw new BadRequestError({ message: "Unsupported connection method" });
}
};
const listAzureDevOpsProjects = async (
appConnection: TAzureDevOpsConnection,
appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
): Promise<TAzureDevOpsProject[]> => {
const accessToken = await getAzureDevopsConnection(appConnection.id, appConnectionDAL, kmsService);
// Both OAuth and access Token methods use organization name from credentials
const credentials = appConnection.credentials as { orgName: string };
const { orgName } = credentials;
// Use the standard Azure DevOps Projects API endpoint
// This endpoint returns only projects that the authenticated user has access to
const devOpsEndpoint = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/projects?api-version=7.1`;
try {
const { data } = await request.get<TAzureDevOpsProjectsResponse>(devOpsEndpoint, {
headers: getAuthHeaders(appConnection, accessToken)
});
return data.value || [];
} catch (error) {
if (error instanceof AxiosError) {
// Provide more specific error messages based on the response
if (error?.response?.status === 401) {
throw new Error(
`Authentication failed for Azure DevOps organization: ${orgName}. Please check your credentials and ensure the token has the required scopes (vso.project or vso.profile).`
);
} else if (error?.response?.status === 403) {
throw new Error(
`Access denied to Azure DevOps organization: ${orgName}. Please ensure the user has access to the organization.`
);
} else if (error?.response?.status === 404) {
throw new Error(`Azure DevOps organization not found: ${orgName}. Please verify the organization name.`);
}
}
throw error;
}
};
export const azureDevOpsConnectionService = (
getAppConnection: TGetAppConnectionFunc,
appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
) => {
const listProjects = async (connectionId: string, actor: OrgServiceActor) => {
const appConnection = await getAppConnection(AppConnection.AzureDevOps, connectionId, actor);
const projects = await listAzureDevOpsProjects(appConnection, appConnectionDAL, kmsService);
return projects.map((project) => ({
id: project.id,
name: project.name,
appId: project.id,
description: project.description,
url: project.url,
state: project.state,
visibility: project.visibility,
lastUpdateTime: project.lastUpdateTime,
revision: project.revision,
abbreviation: project.abbreviation,
defaultTeamImageUrl: project.defaultTeamImageUrl
}));
};
return {
listProjects
};
};

54
backend/src/services/app-connection/azure-devops/azure-devops-types.ts Normal file
View File

@@ -0,0 +1,54 @@
import { z } from "zod";
import { DiscriminativePick } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import {
AzureDevOpsConnectionOAuthOutputCredentialsSchema,
AzureDevOpsConnectionSchema,
CreateAzureDevOpsConnectionSchema,
ValidateAzureDevOpsConnectionCredentialsSchema
} from "./azure-devops-schemas";
export type TAzureDevOpsConnection = z.infer<typeof AzureDevOpsConnectionSchema>;
export type TAzureDevOpsConnectionInput = z.infer<typeof CreateAzureDevOpsConnectionSchema> & {
app: AppConnection.AzureDevOps;
};
export type TValidateAzureDevOpsConnectionCredentialsSchema = typeof ValidateAzureDevOpsConnectionCredentialsSchema;
export type TAzureDevOpsConnectionConfig = DiscriminativePick<
TAzureDevOpsConnectionInput,
"method" | "app" | "credentials"
> & {
orgId: string;
};
export type TAzureDevOpsConnectionCredentials = z.infer<typeof AzureDevOpsConnectionOAuthOutputCredentialsSchema>;
export interface ExchangeCodeAzureResponse {
token_type: string;
scope: string;
expires_in: number;
ext_expires_in: number;
access_token: string;
refresh_token: string;
id_token: string;
}
export interface TAzureRegisteredApp {
id: string;
appId: string;
displayName: string;
description?: string;
createdDateTime: string;
identifierUris?: string[];
signInAudience?: string;
}
export interface TAzureListRegisteredAppsResponse {
"@odata.context": string;
"@odata.nextLink"?: string;
value: TAzureRegisteredApp[];
}

10
backend/src/services/secret-sync/azure-devops/azure-devops-sync-constants.ts Normal file
View File

@@ -0,0 +1,10 @@
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
export const AZURE_DEVOPS_SYNC_LIST_OPTION: TSecretSyncListItem = {
name: "Azure DevOps",
destination: SecretSync.AzureDevOps,
connection: AppConnection.AzureDevOps,
canImportSecrets: false
};

233
backend/src/services/secret-sync/azure-devops/azure-devops-sync-fns.ts Normal file
View File

@@ -0,0 +1,233 @@
import { request } from "@app/lib/config/request";
import { BadRequestError } from "@app/lib/errors";
import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
import { AzureDevOpsConnectionMethod } from "@app/services/app-connection/azure-devops/azure-devops-enums";
import { getAzureDevopsConnection } from "@app/services/app-connection/azure-devops/azure-devops-fns";
import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
import { TAzureDevOpsSyncWithCredentials } from "./azure-devops-sync-types";
type TAzureDevOpsSyncFactoryDeps = {
appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "updateById">;
kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
};
interface AzureDevOpsVariableGroup {
id: number;
name: string;
description: string;
type: string;
variables: Record<string, { value: string; isSecret: boolean }>;
variableGroupProjectReferences: Array<{
description: string;
name: string;
projectReference: { id: string; name: string };
}>;
}
interface AzureDevOpsVariableGroupList {
count: number;
value: AzureDevOpsVariableGroup[];
}
export const azureDevOpsSyncFactory = ({ kmsService, appConnectionDAL }: TAzureDevOpsSyncFactoryDeps) => {
const getConnectionAuth = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
const { credentials } = secretSync.connection;
const isOAuth = secretSync.connection.method === AzureDevOpsConnectionMethod.OAuth;
const { orgName } = credentials;
if (!orgName) {
throw new BadRequestError({
message: "Azure DevOps: organization name is required"
});
}
const accessToken = await getAzureDevopsConnection(secretSync.connectionId, appConnectionDAL, kmsService);
return { accessToken, orgName, isOAuth };
};
const getAuthHeader = (accessToken: string, isOAuth: boolean) => {
if (isOAuth) {
return `Bearer ${accessToken}`;
}
const basicAuth = Buffer.from(`:${accessToken}`).toString("base64");
return `Basic ${basicAuth}`;
};
const $getEnvGroupId = async (
accessToken: string,
orgName: string,
projectId: string,
environmentName: string,
isOAuth: boolean
) => {
const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/${encodeURIComponent(projectId)}/_apis/distributedtask/variablegroups?api-version=7.1`;
const response = await request.get<AzureDevOpsVariableGroupList>(url, {
headers: {
Authorization: getAuthHeader(accessToken, isOAuth)
}
});
for (const group of response.data.value) {
if (group.name === environmentName) {
return { groupId: group.id.toString(), groupName: group.name };
}
}
return { groupId: "", groupName: "" };
};
const syncSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials, secretMap: TSecretMap) => {
if (!secretSync.destinationConfig.devopsProjectId) {
throw new BadRequestError({
message: "Azure DevOps: project ID is required"
});
}
if (!secretSync.environment?.name) {
throw new BadRequestError({
message: "Azure DevOps: environment name is required"
});
}
const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
const { groupId, groupName } = await $getEnvGroupId(
accessToken,
orgName,
secretSync.destinationConfig.devopsProjectId,
secretSync.environment.name,
isOAuth
);
const variables: Record<string, { value: string; isSecret: boolean }> = {};
for (const [key, secret] of Object.entries(secretMap)) {
if (secret?.value !== undefined) {
variables[key] = { value: secret.value, isSecret: true };
}
}
if (!groupId) {
// Create new variable group - API endpoint is organization-level
const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups?api-version=7.1`;
await request.post(
url,
{
name: secretSync.environment.name,
description: secretSync.environment.name,
type: "Vsts",
variables,
variableGroupProjectReferences: [
{
description: secretSync.environment.name,
name: secretSync.environment.name,
projectReference: {
id: secretSync.destinationConfig.devopsProjectId,
name: secretSync.destinationConfig.devopsProjectId
}
}
]
},
{
headers: {
Authorization: getAuthHeader(accessToken, isOAuth),
"Content-Type": "application/json"
}
}
);
} else {
const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups/${groupId}?api-version=7.1`;
await request.put(
url,
{
name: groupName,
description: groupName,
type: "Vsts",
variables,
variableGroupProjectReferences: [
{
description: groupName,
name: groupName,
projectReference: {
id: secretSync.destinationConfig.devopsProjectId,
name: secretSync.destinationConfig.devopsProjectId
}
}
]
},
{
headers: {
Authorization: getAuthHeader(accessToken, isOAuth),
"Content-Type": "application/json"
}
}
);
}
};
const removeSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
const { groupId } = await $getEnvGroupId(
accessToken,
orgName,
secretSync.destinationConfig.devopsProjectId,
secretSync.environment?.name || "",
isOAuth
);
if (groupId) {
// Delete the variable group entirely using the DELETE API
const deleteUrl = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${encodeURIComponent(orgName)}/_apis/distributedtask/variablegroups/${groupId}?projectIds=${secretSync.destinationConfig.devopsProjectId}&api-version=7.1`;
await request.delete(deleteUrl, {
headers: {
Authorization: getAuthHeader(accessToken, isOAuth)
}
});
}
};
const getSecrets = async (secretSync: TAzureDevOpsSyncWithCredentials) => {
const { accessToken, orgName, isOAuth } = await getConnectionAuth(secretSync);
const { groupId } = await $getEnvGroupId(
accessToken,
orgName,
secretSync.destinationConfig.devopsProjectId,
secretSync.environment?.name || "",
isOAuth
);
const secretMap: TSecretMap = {};
if (groupId) {
const url = `${IntegrationUrls.AZURE_DEVOPS_API_URL}/${orgName}/_apis/distributedtask/variablegroups/${groupId}?api-version=7.1`;
const response = await request.get<AzureDevOpsVariableGroup>(url, {
headers: {
Authorization: getAuthHeader(accessToken, isOAuth)
}
});
if (response?.data?.variables) {
Object.entries(response.data.variables).forEach(([key, variable]) => {
secretMap[key] = {
value: variable.value || ""
};
});
}
}
return secretMap;
};
return {
syncSecrets,
removeSecrets,
getSecrets
};
};

50
backend/src/services/secret-sync/azure-devops/azure-devops-sync-schemas.ts Normal file
View File

@@ -0,0 +1,50 @@
import { z } from "zod";
import { SecretSyncs } from "@app/lib/api-docs";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
import {
BaseSecretSyncSchema,
GenericCreateSecretSyncFieldsSchema,
GenericUpdateSecretSyncFieldsSchema
} from "@app/services/secret-sync/secret-sync-schemas";
import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
export const AzureDevOpsSyncDestinationConfigSchema = z.object({
devopsProjectId: z
.string()
.min(1, "Project ID required")
.describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectId || "Azure DevOps Project ID"),
devopsProjectName: z
.string()
.min(1, "Project name required")
.describe(SecretSyncs.DESTINATION_CONFIG.AZURE_DEVOPS?.devopsProjectName || "Azure DevOps Project Name")
});
const AzureDevOpsSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: false };
export const AzureDevOpsSyncSchema = BaseSecretSyncSchema(SecretSync.AzureDevOps, AzureDevOpsSyncOptionsConfig).extend({
destination: z.literal(SecretSync.AzureDevOps),
destinationConfig: AzureDevOpsSyncDestinationConfigSchema
});
export const CreateAzureDevOpsSyncSchema = GenericCreateSecretSyncFieldsSchema(
SecretSync.AzureDevOps,
AzureDevOpsSyncOptionsConfig
).extend({
destinationConfig: AzureDevOpsSyncDestinationConfigSchema
});
export const UpdateAzureDevOpsSyncSchema = GenericUpdateSecretSyncFieldsSchema(
SecretSync.AzureDevOps,
AzureDevOpsSyncOptionsConfig
).extend({
destinationConfig: AzureDevOpsSyncDestinationConfigSchema.optional()
});
export const AzureDevOpsSyncListItemSchema = z.object({
name: z.literal("Azure DevOps"),
connection: z.literal(AppConnection.AzureDevOps),
destination: z.literal(SecretSync.AzureDevOps),
canImportSecrets: z.literal(false)
});

22
backend/src/services/secret-sync/azure-devops/azure-devops-sync-types.ts Normal file
View File

@@ -0,0 +1,22 @@
import { z } from "zod";
import { TAzureDevOpsConnection } from "@app/services/app-connection/azure-devops/azure-devops-types";
import {
AzureDevOpsSyncDestinationConfigSchema,
AzureDevOpsSyncListItemSchema,
AzureDevOpsSyncSchema,
CreateAzureDevOpsSyncSchema
} from "./azure-devops-sync-schemas";
export type TAzureDevOpsSync = z.infer<typeof AzureDevOpsSyncSchema>;
export type TAzureDevOpsSyncInput = z.infer<typeof CreateAzureDevOpsSyncSchema>;
export type TAzureDevOpsSyncListItem = z.infer<typeof AzureDevOpsSyncListItemSchema>;
export type TAzureDevOpsSyncDestinationConfig = z.infer<typeof AzureDevOpsSyncDestinationConfigSchema>;
export type TAzureDevOpsSyncWithCredentials = TAzureDevOpsSync & {
connection: TAzureDevOpsConnection;
};

4
backend/src/services/secret-sync/azure-devops/index.ts Normal file
View File

@@ -0,0 +1,4 @@
export * from "./azure-devops-sync-constants";
export * from "./azure-devops-sync-fns";
export * from "./azure-devops-sync-schemas";
export * from "./azure-devops-sync-types";

1
backend/src/services/secret-sync/secret-sync-enums.ts
View File

@@ -5,6 +5,7 @@ export enum SecretSync {
GCPSecretManager = "gcp-secret-manager",
AzureKeyVault = "azure-key-vault",
AzureAppConfiguration = "azure-app-configuration",
AzureDevOps = "azure-devops",
Databricks = "databricks",
Humanitec = "humanitec",
TerraformCloud = "terraform-cloud",

18
backend/src/services/secret-sync/secret-sync-fns.ts
View File

@@ -26,6 +26,7 @@ import { TAppConnectionDALFactory } from "../app-connection/app-connection-dal";
import { TKmsServiceFactory } from "../kms/kms-service";
import { ONEPASS_SYNC_LIST_OPTION, OnePassSyncFns } from "./1password";
import { AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION, azureAppConfigurationSyncFactory } from "./azure-app-configuration";
import { AZURE_DEVOPS_SYNC_LIST_OPTION, azureDevOpsSyncFactory } from "./azure-devops";
import { AZURE_KEY_VAULT_SYNC_LIST_OPTION, azureKeyVaultSyncFactory } from "./azure-key-vault";
import { CAMUNDA_SYNC_LIST_OPTION, camundaSyncFactory } from "./camunda";
import { GCP_SYNC_LIST_OPTION } from "./gcp";
@@ -45,6 +46,7 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
[SecretSync.GitHub]: GITHUB_SYNC_LIST_OPTION,
[SecretSync.GCPSecretManager]: GCP_SYNC_LIST_OPTION,
[SecretSync.AzureKeyVault]: AZURE_KEY_VAULT_SYNC_LIST_OPTION,
[SecretSync.AzureDevOps]: AZURE_DEVOPS_SYNC_LIST_OPTION,
[SecretSync.AzureAppConfiguration]: AZURE_APP_CONFIGURATION_SYNC_LIST_OPTION,
[SecretSync.Databricks]: DATABRICKS_SYNC_LIST_OPTION,
[SecretSync.Humanitec]: HUMANITEC_SYNC_LIST_OPTION,
@@ -182,6 +184,11 @@ export const SecretSyncFns = {
appConnectionDAL,
kmsService
}).syncSecrets(secretSync, schemaSecretMap);
case SecretSync.AzureDevOps:
return azureDevOpsSyncFactory({
appConnectionDAL,
kmsService
}).syncSecrets(secretSync, schemaSecretMap);
case SecretSync.Databricks:
return databricksSyncFactory({
appConnectionDAL,
@@ -244,6 +251,12 @@ export const SecretSyncFns = {
kmsService
}).getSecrets(secretSync);
break;
case SecretSync.AzureDevOps:
secretMap = await azureDevOpsSyncFactory({
appConnectionDAL,
kmsService
}).getSecrets(secretSync);
break;
case SecretSync.Databricks:
return databricksSyncFactory({
appConnectionDAL,
@@ -315,6 +328,11 @@ export const SecretSyncFns = {
appConnectionDAL,
kmsService
}).removeSecrets(secretSync, schemaSecretMap);
case SecretSync.AzureDevOps:
return azureDevOpsSyncFactory({
appConnectionDAL,
kmsService
}).removeSecrets(secretSync);
case SecretSync.Databricks:
return databricksSyncFactory({
appConnectionDAL,

3
backend/src/services/secret-sync/secret-sync-maps.ts
View File

@@ -8,6 +8,7 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
[SecretSync.GCPSecretManager]: "GCP Secret Manager",
[SecretSync.AzureKeyVault]: "Azure Key Vault",
[SecretSync.AzureAppConfiguration]: "Azure App Configuration",
[SecretSync.AzureDevOps]: "Azure DevOps",
[SecretSync.Databricks]: "Databricks",
[SecretSync.Humanitec]: "Humanitec",
[SecretSync.TerraformCloud]: "Terraform Cloud",
@@ -27,6 +28,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
[SecretSync.GCPSecretManager]: AppConnection.GCP,
[SecretSync.AzureKeyVault]: AppConnection.AzureKeyVault,
[SecretSync.AzureAppConfiguration]: AppConnection.AzureAppConfiguration,
[SecretSync.AzureDevOps]: AppConnection.AzureDevOps,
[SecretSync.Databricks]: AppConnection.Databricks,
[SecretSync.Humanitec]: AppConnection.Humanitec,
[SecretSync.TerraformCloud]: AppConnection.TerraformCloud,
@@ -46,6 +48,7 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
[SecretSync.GCPSecretManager]: SecretSyncPlanType.Regular,
[SecretSync.AzureKeyVault]: SecretSyncPlanType.Regular,
[SecretSync.AzureAppConfiguration]: SecretSyncPlanType.Regular,
[SecretSync.AzureDevOps]: SecretSyncPlanType.Regular,
[SecretSync.Databricks]: SecretSyncPlanType.Regular,
[SecretSync.Humanitec]: SecretSyncPlanType.Regular,
[SecretSync.TerraformCloud]: SecretSyncPlanType.Regular,

10
backend/src/services/secret-sync/secret-sync-types.ts
View File

@@ -60,6 +60,12 @@ import {
TAzureAppConfigurationSyncListItem,
TAzureAppConfigurationSyncWithCredentials
} from "./azure-app-configuration";
import {
TAzureDevOpsSync,
TAzureDevOpsSyncInput,
TAzureDevOpsSyncListItem,
TAzureDevOpsSyncWithCredentials
} from "./azure-devops";
import {
TAzureKeyVaultSync,
TAzureKeyVaultSyncInput,
@@ -100,6 +106,7 @@ export type TSecretSync =
| TGcpSync
| TAzureKeyVaultSync
| TAzureAppConfigurationSync
| TAzureDevOpsSync
| TDatabricksSync
| THumanitecSync
| TTerraformCloudSync
@@ -118,6 +125,7 @@ export type TSecretSyncWithCredentials =
| TGcpSyncWithCredentials
| TAzureKeyVaultSyncWithCredentials
| TAzureAppConfigurationSyncWithCredentials
| TAzureDevOpsSyncWithCredentials
| TDatabricksSyncWithCredentials
| THumanitecSyncWithCredentials
| TTerraformCloudSyncWithCredentials
@@ -136,6 +144,7 @@ export type TSecretSyncInput =
| TGcpSyncInput
| TAzureKeyVaultSyncInput
| TAzureAppConfigurationSyncInput
| TAzureDevOpsSyncInput
| TDatabricksSyncInput
| THumanitecSyncInput
| TTerraformCloudSyncInput
@@ -154,6 +163,7 @@ export type TSecretSyncListItem =
| TGcpSyncListItem
| TAzureKeyVaultSyncListItem
| TAzureAppConfigurationSyncListItem
| TAzureDevOpsSyncListItem
| TDatabricksSyncListItem
| THumanitecSyncListItem
| TTerraformCloudSyncListItem

4
docs/api-reference/endpoints/app-connections/azure-devops/available.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Available"
openapi: "GET /api/v1/app-connections/azure-devops/available"
---

10
docs/api-reference/endpoints/app-connections/azure-devops/create.mdx Normal file
View File

@@ -0,0 +1,10 @@
---
title: "Create"
openapi: "POST /api/v1/app-connections/azure-devops"
---
<Note>
Azure DevOps Connections must be created through the Infisical UI if you are using OAuth.
Check out the configuration docs for [Azure DevOps Connections](/integrations/app-connections/azure-devops) for a step-by-step
guide.
</Note>

4
docs/api-reference/endpoints/app-connections/azure-devops/delete.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/app-connections/azure-devops/{connectionId}"
---

4
docs/api-reference/endpoints/app-connections/azure-devops/get-by-id.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/app-connections/azure-devops/{connectionId}"
---

4
docs/api-reference/endpoints/app-connections/azure-devops/get-by-name.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/app-connections/azure-devops/connection-name/{connectionName}"
---

4
docs/api-reference/endpoints/app-connections/azure-devops/list.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/app-connections/azure-devops"
---

10
docs/api-reference/endpoints/app-connections/azure-devops/update.mdx Normal file
View File

@@ -0,0 +1,10 @@
---
title: "Update"
openapi: "PATCH /api/v1/app-connections/azure-devops/{connectionId}"
---
<Note>
Azure DevOps Connections must be updated through the Infisical UI if you are using OAuth.
Check out the configuration docs for [Azure DevOps Connections](/integrations/app-connections/azure-devops) for a step-by-step
guide.
</Note>

4
docs/api-reference/endpoints/secret-syncs/azure-devops/create.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v1/secret-syncs/azure-devops"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/delete.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/secret-syncs/azure-devops/{syncId}"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/get-by-id.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/secret-syncs/azure-devops/{syncId}"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/get-by-name.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by Name"
openapi: "GET /api/v1/secret-syncs/azure-devops/sync-name/{syncName}"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/import-secrets.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Import Secrets"
openapi: "POST /api/v1/secret-syncs/azure-devops/{syncId}/import-secrets"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/list.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/secret-syncs/azure-devops"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/remove-secrets.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Remove Secrets"
openapi: "POST /api/v1/secret-syncs/azure-devops/{syncId}/remove-secrets"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/sync-secrets.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Sync Secrets"
openapi: "POST /api/v1/secret-syncs/azure-devops/{syncId}/sync-secrets"
---

4
docs/api-reference/endpoints/secret-syncs/azure-devops/update.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v1/secret-syncs/azure-devops/{syncId}"
---

BIN
docs/images/app-connections/azure/devops/devops-connection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.8 MiB

BIN
docs/images/app-connections/azure/devops/fill-in-connection-details-oauth.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.1 MiB

BIN
docs/images/app-connections/azure/devops/fill-in-connection-details-token.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.1 MiB

BIN
docs/images/app-connections/azure/devops/select-connection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.3 MiB

BIN
docs/images/integrations/azure-devops/app-api-permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.8 MiB

BIN
docs/images/secret-syncs/azure-devops/devops-destination.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 202 KiB

BIN
docs/images/secret-syncs/azure-devops/devops-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 202 KiB

BIN
docs/images/secret-syncs/azure-devops/devops-options.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 220 KiB

BIN
docs/images/secret-syncs/azure-devops/devops-review.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 214 KiB

BIN
docs/images/secret-syncs/azure-devops/devops-source.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 195 KiB

BIN
docs/images/secret-syncs/azure-devops/devops-synced.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 294 KiB

BIN
docs/images/secret-syncs/azure-devops/select-azure-devops-option.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 235 KiB

137
docs/integrations/app-connections/azure-devops.mdx Normal file
View File

@@ -0,0 +1,137 @@
---
title: "Azure DevOps Connection"
description: "Learn how to configure an Azure DevOps Connection for Infisical."
---
Infisical currently supports two methods for connecting to Azure DevOps, which are OAuth and Azure DevOps Personal Access Token.
<Accordion title="Azure OAuth on a Self-Hosted Instance">
Using the Azure DevOps <b>OAuth connection</b> on a self-hosted instance of Infisical requires configuring an application in Azure
and registering your instance with it.
**Prerequisites:**
- Set up Azure.
<Steps>
<Step title="Create an application in Azure">
Navigate to Azure Active Directory > App registrations to create a new application.
<Info>
Azure Active Directory is now Microsoft Entra ID.
</Info>
![Azure devops](/images/integrations/azure-app-configuration/config-aad.png)
![Azure devops](/images/integrations/azure-app-configuration/config-new-app.png)
Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/organization/app-connections/azure/oauth/callback`.
<Tip>
The domain you defined in the Redirect URI should be equivalent to the `SITE_URL` configured in your Infisical instance.
</Tip>
![Azure devops](/images/app-connections/azure/register-callback.png)
</Step>
<Step title="Assign API permissions to the application">
For the Azure Connection to work with DevOps Pipelines, you need to assign the following permission to the application.
#### Azure DevOps permissions
Set the API permissions of the Azure application to include the following permissions:
- Azure DevOps
- `user_impersonation`
- `vso.project_write`
- `vso.variablegroups_manage`
- `vso.variablegroups_write`
![Azure devops](/images/integrations/azure-devops/app-api-permissions.png)
</Step>
<Step title="Add your application credentials to Infisical">
Obtain the **Application (Client) ID** and **Directory (Tenant) ID** (this will be used later in the Infisical connection) in Overview and generate a **Client Secret** in Certificate & secrets for your Azure application.
![Azure devops](../../images/app-connections/azure/client-secrets/config-credentials-1.png)
![Azure devops](../../images/integrations/azure-app-configuration/config-credentials-2.png)
![Azure devops](../../images/integrations/azure-app-configuration/config-credentials-3.png)
Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.
- `INF_APP_CONNECTION_AZURE_CLIENT_ID`: The **Application (Client) ID** of your Azure application.
- `INF_APP_CONNECTION_AZURE_CLIENT_SECRET`: The **Client Secret** of your Azure application.
Once added, restart your Infisical instance and use the Azure Client Secrets connection.
</Step>
</Steps>
</Accordion>
<Accordion title="Azure DevOps personal access token (PAT)">
#### Create a new Azure DevOps personal access token (PAT)
When using the Azure DevOps <b>Access Token connection</b> you'll need to create a new personal access token (PAT) in order to authenticate Infisical with Azure DevOps.
<Steps>
<Step title="Navigate to Azure DevOps">
![integrations](../../images/integrations/azure-devops/overview-page.png)
</Step>
<Step title="Create a new token">
Make sure the newly created token has Read/Write access to the Release scope.
![integrations](../../images/integrations/azure-devops/create-new-token.png)
<Note>
Please make sure that the token has access to the following scopes: Variable Groups _(read, create, & manage)_, Release _(read/write)_, Project and Team _(read)_, Service Connections _(read & query)_
</Note>
</Step>
<Step title="Copy the new access token">
Copy the newly created token as this will be used to authenticate Infisical with Azure DevOps.
![integrations](../../images/integrations/azure-devops/new-token-created.png)
</Step>
</Steps>
</Accordion>
## Setup Azure Connection in Infisical
<Steps>
<Step title="Navigate to App Connections">
Navigate to the **App Connections** tab on the **Organization Settings** page. ![App Connections
Tab](/images/app-connections/general/add-connection.png)
</Step>
<Step title="Add Connection">
Select the **Azure Connection** option from the connection options modal. ![Select Azure Connection](/images/app-connections/azure/devops/select-connection.png)
</Step>
<Step title="Create Connection">
<Tabs>
<Tab title="OAuth">
<Steps>
<Step title="Fill in Connection Details">
Fill in the **Tenant ID** field with the Directory (Tenant) ID you obtained in the previous [step](#azure-oauth-on-a-self-hosted-instance). Also fill in the organization name of the Azure DevOps organization you want to connect to.
![Fill in Connection Details](/images/app-connections/azure/devops/fill-in-connection-details-oauth.png)
<Tip>
You can find the **Organization Name** on https://dev.azure.com/
</Tip>
</Step>
<Step title="Grant Access">
You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted,
you will be redirected back to Infisical's App Connections page. ![Azure Client Secrets
Authorization](/images/app-connections/azure/grant-access.png)
</Step>
</Steps>
</Tab>
<Tab title="Access Token">
<Steps>
<Step title="Fill in Connection Details">
Fill in the **Access Token** field with the Access Token you obtained in the previous step. And the organization name of the Azure DevOps organization you want to connect to.
![Fill in Connection Details](/images/app-connections/azure/devops/fill-in-connection-details-token.png)
<Tip>
You can find the **Organization Name** on https://dev.azure.com/
</Tip>
</Step>
</Steps>
</Tab>
</Tabs>
</Step>
<Step title="Connection Created">
Your **Azure DevOps Connection** is now available for use. ![Azure DevOps](/images/app-connections/azure/devops/devops-connection.png)
</Step>
</Steps>

143
docs/integrations/secret-syncs/azure-devops.mdx Normal file
View File

@@ -0,0 +1,143 @@
---
title: "Azure DevOps Sync"
description: "Learn how to configure a Azure DevOps Sync for Infisical."
---
**Prerequisites:**
- Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
- Create an [Azure DevOps Connection](/integrations/app-connections/azure-devops)
<Tabs>
<Tab title="Infisical UI">
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
2. Select the **Azure DevOps** option.
![Select Azure DevOps](/images/secret-syncs/azure-devops/select-azure-devops-option.png)
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
![Configure Source](/images/secret-syncs/azure-devops/devops-source.png)
- **Environment**: The project environment to retrieve secrets from.
- **Secret Path**: The folder path to retrieve secrets from.
<Tip>
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
</Tip>
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
![Configure Destination](/images/secret-syncs/azure-devops/devops-destination.png)
- **Azure DevOps Connection**: The Azure DevOps Connection to authenticate with.
- **Project**: The Azure DevOps project to deploy secrets to.
<p class="height:1px"/>
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
![Configure Options](/images/secret-syncs/azure-devops/devops-options.png)
- **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
- **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
<Note>
Azure Devops does not support importing secrets.
</Note>
- **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
- **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
- **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Azure DevOps Sync, then click **Next**.
![Configure Details](/images/secret-syncs/azure-devops/devops-details.png)
- **Name**: The name of your sync. Must be slug-friendly.
- **Description**: An optional description for your sync.
7. Review your Azure DevOps Sync configuration, then click **Create Sync**.
![Confirm Configuration](/images/secret-syncs/azure-devops/devops-review.png)
8. If enabled, your Azure DevOps Sync will begin syncing your secrets to the destination endpoint.
![Sync Secrets](/images/secret-syncs/azure-devops/devops-synced.png)
</Tab>
<Tab title="API">
To create a **Azure DevOps Sync**, make an API request to the [Create Azure DevOps Sync](/api-reference/endpoints/secret-syncs/azure-devops/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/azure-devops \
--header 'Content-Type: application/json' \
--data '{
"name": "my-devops-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": true
},
"destinationConfig": {
"devopsProjectId": "12345678-90ab-cdef-1234-567890abcdef",
"devopsProjectName": "example-project"
}
}'
```
### Sample response
```json Response
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-devops-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"keySchema": "PIPELINE_${secretKey}",
"disableSecretDeletion": true
},
"connection": {
"app": "azure-devops",
"name": "Production DevOps Organization",
"id": "8b92f5cc-3g77-5e80-6666-6ff57069385d"
},
"environment": {
"slug": "production",
"name": "Production Environment",
"id": "4f16j9gg-7k11-9i23-2222-2jj91403729h"
},
"folder": {
"id": "5a71e8dd-2f66-4d70-7777-7cc46958274c",
"path": "/devops/pipeline-secrets"
},
"destination": "azure-devops",
"destinationConfig": {
"devopsProjectId": "12345678-90ab-cdef-1234-567890abcdef",
"devopsProjectName": "example-project"
}
}
}
```
</Tab>
</Tabs>

28
docs/mint.json
View File

@@ -498,6 +498,7 @@
"integrations/app-connections/aws",
"integrations/app-connections/azure-app-configuration",
"integrations/app-connections/azure-client-secrets",
"integrations/app-connections/azure-devops",
"integrations/app-connections/azure-key-vault",
"integrations/app-connections/camunda",
"integrations/app-connections/databricks",
@@ -530,6 +531,7 @@
"integrations/secret-syncs/aws-parameter-store",
"integrations/secret-syncs/aws-secrets-manager",
"integrations/secret-syncs/azure-app-configuration",
"integrations/secret-syncs/azure-devops",
"integrations/secret-syncs/azure-key-vault",
"integrations/secret-syncs/camunda",
"integrations/secret-syncs/databricks",
@@ -1197,6 +1199,18 @@
"api-reference/endpoints/app-connections/azure-client-secret/delete"
]
},
{
"group": "Azure DevOps",
"pages": [
"api-reference/endpoints/app-connections/azure-devops/list",
"api-reference/endpoints/app-connections/azure-devops/available",
"api-reference/endpoints/app-connections/azure-devops/get-by-id",
"api-reference/endpoints/app-connections/azure-devops/get-by-name",
"api-reference/endpoints/app-connections/azure-devops/create",
"api-reference/endpoints/app-connections/azure-devops/update",
"api-reference/endpoints/app-connections/azure-devops/delete"
]
},
{
"group": "Azure Key Vault",
"pages": [
@@ -1464,6 +1478,20 @@
"api-reference/endpoints/secret-syncs/azure-app-configuration/remove-secrets"
]
},
{
"group": "Azure DevOps",
"pages": [
"api-reference/endpoints/secret-syncs/azure-devops/list",
"api-reference/endpoints/secret-syncs/azure-devops/get-by-id",
"api-reference/endpoints/secret-syncs/azure-devops/get-by-name",
"api-reference/endpoints/secret-syncs/azure-devops/create",
"api-reference/endpoints/secret-syncs/azure-devops/update",
"api-reference/endpoints/secret-syncs/azure-devops/delete",
"api-reference/endpoints/secret-syncs/azure-devops/sync-secrets",
"api-reference/endpoints/secret-syncs/azure-devops/import-secrets",
"api-reference/endpoints/secret-syncs/azure-devops/remove-secrets"
]
},
{
"group": "Azure Key Vault",
"pages": [

76
frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/AzureDevOpsSyncFields.tsx Normal file
View File

@@ -0,0 +1,76 @@
import { Controller, useFormContext, useWatch } from "react-hook-form";
import { SingleValue } from "react-select";
import { faCircleInfo } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
import { FilterableSelect, FormControl, Tooltip } from "@app/components/v2";
import { useGetAzureDevOpsProjects } from "@app/hooks/api/appConnections/azure";
import { AzureDevOpsProject } from "@app/hooks/api/appConnections/azure/types";
import { SecretSync } from "@app/hooks/api/secretSyncs";
import { TSecretSyncForm } from "../schemas";
export const AzureDevOpsSyncFields = () => {
const { control, setValue } = useFormContext<
TSecretSyncForm & { destination: SecretSync.AzureDevOps }
>();
const connectionId = useWatch({ name: "connection.id", control });
const { data: { projects } = { projects: [] }, isLoading: isProjectsLoading } =
useGetAzureDevOpsProjects(connectionId, {
enabled: Boolean(connectionId)
});
return (
<>
<SecretSyncConnectionField
onChange={() => {
setValue("destinationConfig.devopsProjectId", "");
}}
/>
<Controller
name="destinationConfig.devopsProjectId"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
isError={Boolean(error)}
errorText={error?.message}
label="Project"
helperText={
<Tooltip
className="max-w-md"
content="Ensure the project exists in the connection's Azure DevOps instance URL."
>
<div>
<span>Don&#39;t see the project you&#39;re looking for?</span>{" "}
<FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
</div>
</Tooltip>
}
>
<FilterableSelect
menuPlacement="top"
isLoading={isProjectsLoading && Boolean(connectionId)}
isDisabled={!connectionId}
value={projects?.find((v) => v.appId === value) ?? null}
onChange={(option) => {
onChange((option as SingleValue<AzureDevOpsProject>)?.appId ?? null);
setValue(
"destinationConfig.devopsProjectName",
(option as SingleValue<AzureDevOpsProject>)?.name ?? ""
);
}}
options={projects}
placeholder="Select a project..."
getOptionLabel={(option) => option.name}
getOptionValue={(option) => option.id}
/>
</FormControl>
)}
/>
</>
);
};

3
frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx
View File

@@ -7,6 +7,7 @@ import { OnePassSyncFields } from "./1PasswordSyncFields";
import { AwsParameterStoreSyncFields } from "./AwsParameterStoreSyncFields";
import { AwsSecretsManagerSyncFields } from "./AwsSecretsManagerSyncFields";
import { AzureAppConfigurationSyncFields } from "./AzureAppConfigurationSyncFields";
import { AzureDevOpsSyncFields } from "./AzureDevOpsSyncFields";
import { AzureKeyVaultSyncFields } from "./AzureKeyVaultSyncFields";
import { CamundaSyncFields } from "./CamundaSyncFields";
import { DatabricksSyncFields } from "./DatabricksSyncFields";
@@ -38,6 +39,8 @@ export const SecretSyncDestinationFields = () => {
return <AzureKeyVaultSyncFields />;
case SecretSync.AzureAppConfiguration:
return <AzureAppConfigurationSyncFields />;
case SecretSync.AzureDevOps:
return <AzureDevOpsSyncFields />;
case SecretSync.Databricks:
return <DatabricksSyncFields />;
case SecretSync.Humanitec:

1
frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
View File

@@ -41,6 +41,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
case SecretSync.GCPSecretManager:
case SecretSync.AzureKeyVault:
case SecretSync.AzureAppConfiguration:
case SecretSync.AzureDevOps:
case SecretSync.Databricks:
case SecretSync.Humanitec:
case SecretSync.TerraformCloud:

18
frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/AzureDevOpsSyncReviewFields.tsx Normal file
View File

@@ -0,0 +1,18 @@
import { useFormContext } from "react-hook-form";
import { GenericFieldLabel } from "@app/components/secret-syncs";
import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
import { SecretSync } from "@app/hooks/api/secretSyncs";
export const AzureDevOpsSyncReviewFields = () => {
const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.AzureDevOps }>();
const devopsProjectId = watch("destinationConfig.devopsProjectId");
const devopsProjectName = watch("destinationConfig.devopsProjectName");
return (
<>
<GenericFieldLabel label="Project">{devopsProjectName}</GenericFieldLabel>
<GenericFieldLabel label="Project ID">{devopsProjectId}</GenericFieldLabel>
</>
);
};

4
frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx
View File

@@ -16,6 +16,7 @@ import {
AwsSecretsManagerSyncReviewFields
} from "./AwsSecretsManagerSyncReviewFields";
import { AzureAppConfigurationSyncReviewFields } from "./AzureAppConfigurationSyncReviewFields";
import { AzureDevOpsSyncReviewFields } from "./AzureDevOpsSyncReviewFields";
import { AzureKeyVaultSyncReviewFields } from "./AzureKeyVaultSyncReviewFields";
import { CamundaSyncReviewFields } from "./CamundaSyncReviewFields";
import { DatabricksSyncReviewFields } from "./DatabricksSyncReviewFields";
@@ -70,6 +71,9 @@ export const SecretSyncReviewFields = () => {
case SecretSync.AzureAppConfiguration:
DestinationFieldsComponent = <AzureAppConfigurationSyncReviewFields />;
break;
case SecretSync.AzureDevOps:
DestinationFieldsComponent = <AzureDevOpsSyncReviewFields />;
break;
case SecretSync.Databricks:
DestinationFieldsComponent = <DatabricksSyncReviewFields />;
break;

17
frontend/src/components/secret-syncs/forms/schemas/azure-devops-sync-destination-schema.ts Normal file
View File

@@ -0,0 +1,17 @@
import { z } from "zod";
import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
import { SecretSync } from "@app/hooks/api/secretSyncs";
export const AzureDevOpsSyncDestinationSchema = BaseSecretSyncSchema().merge(
z.object({
destination: z.literal(SecretSync.AzureDevOps),
destinationConfig: z.object({
devopsProjectId: z.string().trim().min(1, { message: "Azure DevOps Project ID is required" }),
devopsProjectName: z
.string()
.trim()
.min(1, { message: "Azure DevOps Project Name is required" })
})
})
);

2
frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts
View File

@@ -4,6 +4,7 @@ import { OnePassSyncDestinationSchema } from "./1password-sync-destination-schem
import { AwsParameterStoreSyncDestinationSchema } from "./aws-parameter-store-sync-destination-schema";
import { AwsSecretsManagerSyncDestinationSchema } from "./aws-secrets-manager-sync-destination-schema";
import { AzureAppConfigurationSyncDestinationSchema } from "./azure-app-configuration-sync-destination-schema";
import { AzureDevOpsSyncDestinationSchema } from "./azure-devops-sync-destination-schema";
import { AzureKeyVaultSyncDestinationSchema } from "./azure-key-vault-sync-destination-schema";
import { CamundaSyncDestinationSchema } from "./camunda-sync-destination-schema";
import { DatabricksSyncDestinationSchema } from "./databricks-sync-destination-schema";
@@ -24,6 +25,7 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
GcpSyncDestinationSchema,
AzureKeyVaultSyncDestinationSchema,
AzureAppConfigurationSyncDestinationSchema,
AzureDevOpsSyncDestinationSchema,
DatabricksSyncDestinationSchema,
HumanitecSyncDestinationSchema,
TerraformCloudSyncDestinationSchema,

4
frontend/src/helpers/appConnections.ts
View File

@@ -15,6 +15,7 @@ import {
AwsConnectionMethod,
AzureAppConfigurationConnectionMethod,
AzureClientSecretsConnectionMethod,
AzureDevOpsConnectionMethod,
AzureKeyVaultConnectionMethod,
CamundaConnectionMethod,
DatabricksConnectionMethod,
@@ -60,6 +61,7 @@ export const APP_CONNECTION_MAP: Record<
name: "Azure Client Secrets",
image: "Microsoft Azure.png"
},
[AppConnection.AzureDevOps]: { name: "Azure DevOps", image: "Microsoft Azure.png" },
[AppConnection.Databricks]: { name: "Databricks", image: "Databricks.png" },
[AppConnection.Humanitec]: { name: "Humanitec", image: "Humanitec.png" },
[AppConnection.TerraformCloud]: { name: "Terraform Cloud", image: "Terraform Cloud.png" },
@@ -85,6 +87,7 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
case AzureKeyVaultConnectionMethod.OAuth:
case AzureAppConfigurationConnectionMethod.OAuth:
case AzureClientSecretsConnectionMethod.OAuth:
case AzureDevOpsConnectionMethod.OAuth:
case GitHubConnectionMethod.OAuth:
return { name: "OAuth", icon: faPassport };
case AwsConnectionMethod.AccessKey:
@@ -109,6 +112,7 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
return { name: "Username & Password", icon: faLock };
case HCVaultConnectionMethod.AccessToken:
case TeamCityConnectionMethod.AccessToken:
case AzureDevOpsConnectionMethod.AccessToken:
case WindmillConnectionMethod.AccessToken:
return { name: "Access Token", icon: faKey };
case Auth0ConnectionMethod.ClientCredentials:

5
frontend/src/helpers/secretSyncs.ts
View File

@@ -17,6 +17,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
name: "Azure App Configuration",
image: "Microsoft Azure.png"
},
[SecretSync.AzureDevOps]: {
name: "Azure DevOps",
image: "Microsoft Azure.png"
},
[SecretSync.Databricks]: {
name: "Databricks",
image: "Databricks.png"
@@ -66,6 +70,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
[SecretSync.GCPSecretManager]: AppConnection.GCP,
[SecretSync.AzureKeyVault]: AppConnection.AzureKeyVault,
[SecretSync.AzureAppConfiguration]: AppConnection.AzureAppConfiguration,
[SecretSync.AzureDevOps]: AppConnection.AzureDevOps,
[SecretSync.Databricks]: AppConnection.Databricks,
[SecretSync.Humanitec]: AppConnection.Humanitec,
[SecretSync.TerraformCloud]: AppConnection.TerraformCloud,

32
frontend/src/hooks/api/appConnections/azure/queries.tsx
View File

@@ -3,12 +3,14 @@ import { useQuery, UseQueryOptions } from "@tanstack/react-query";
import { apiRequest } from "@app/config/request";
import { appConnectionKeys } from "../queries";
import { TAzureClient } from "./types";
import { AzureDevOpsProjectsResponse, TAzureClient } from "./types";
const azureConnectionKeys = {
all: [...appConnectionKeys.all, "azure"] as const,
listClients: (connectionId: string) =>
[...azureConnectionKeys.all, "clients", connectionId] as const
[...azureConnectionKeys.all, "clients", connectionId] as const,
listDevopsProjects: (connectionId: string) =>
[...azureConnectionKeys.all, "devops-projects", connectionId] as const
};
export const useAzureConnectionListClients = (
@@ -35,3 +37,29 @@ export const useAzureConnectionListClients = (
...options
});
};
export const fetchAzureDevOpsProjects = async (
connectionId: string
): Promise<AzureDevOpsProjectsResponse> => {
if (!connectionId) {
throw new Error("Connection ID is required");
}
const { data } = await apiRequest.get<AzureDevOpsProjectsResponse>(
`/api/v1/app-connections/azure-devops/${connectionId}/projects`
);
return data;
};
export const useGetAzureDevOpsProjects = (
connectionId: string,
options?: Omit<UseQueryOptions<AzureDevOpsProjectsResponse, Error>, "queryKey" | "queryFn">
) => {
return useQuery({
queryKey: azureConnectionKeys.listDevopsProjects(connectionId),
queryFn: () => fetchAzureDevOpsProjects(connectionId),
enabled: Boolean(connectionId),
...options
});
};

10
frontend/src/hooks/api/appConnections/azure/types.ts
View File

@@ -3,3 +3,13 @@ export type TAzureClient = {
appId: string;
id: string;
};
export interface AzureDevOpsProject {
id: string;
name: string;
appId: string;
}
export interface AzureDevOpsProjectsResponse {
projects: AzureDevOpsProject[];
}

1
frontend/src/hooks/api/appConnections/enums.ts
View File

@@ -6,6 +6,7 @@ export enum AppConnection {
AzureKeyVault = "azure-key-vault",
AzureAppConfiguration = "azure-app-configuration",
AzureClientSecrets = "azure-client-secrets",
AzureDevOps = "azure-devops",
Databricks = "databricks",
Humanitec = "humanitec",
TerraformCloud = "terraform-cloud",

7
frontend/src/hooks/api/appConnections/types/app-options.ts
View File

@@ -45,6 +45,11 @@ export type TDatabricksConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.Databricks;
};
export type TAzureDevOpsConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.AzureDevOps;
oauthClientId?: string;
};
export type THumanitecConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.Humanitec;
};
@@ -108,6 +113,7 @@ export type TAppConnectionOption =
| TAzureAppConfigurationConnectionOption
| TAzureKeyVaultConnectionOption
| TAzureClientSecretsConnectionOption
| TAzureDevOpsConnectionOption
| TDatabricksConnectionOption
| THumanitecConnectionOption
| TTerraformCloudConnectionOption
@@ -131,6 +137,7 @@ export type TAppConnectionOptionMap = {
[AppConnection.AzureKeyVault]: TAzureKeyVaultConnectionOption;
[AppConnection.AzureAppConfiguration]: TAzureAppConfigurationConnectionOption;
[AppConnection.AzureClientSecrets]: TAzureClientSecretsConnectionOption;
[AppConnection.AzureDevOps]: TAzureDevOpsConnectionOption;
[AppConnection.Databricks]: TDatabricksConnectionOption;
[AppConnection.Humanitec]: THumanitecConnectionOption;
[AppConnection.TerraformCloud]: TTerraformCloudConnectionOption;

27
frontend/src/hooks/api/appConnections/types/azure-devops-connection.ts Normal file
View File

@@ -0,0 +1,27 @@
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
export enum AzureDevOpsConnectionMethod {
OAuth = "oauth",
AccessToken = "access-token"
}
export type TAzureDevOpsConnection = TRootAppConnection & {
app: AppConnection.AzureDevOps;
} & (
| {
method: AzureDevOpsConnectionMethod.OAuth;
credentials: {
code: string;
tenantId: string;
orgName: string;
};
}
| {
method: AzureDevOpsConnectionMethod.AccessToken;
credentials: {
accessToken: string;
orgName: string;
};
}
);

4
frontend/src/hooks/api/appConnections/types/index.ts
View File

@@ -5,6 +5,7 @@ import { TAuth0Connection } from "./auth0-connection";
import { TAwsConnection } from "./aws-connection";
import { TAzureAppConfigurationConnection } from "./azure-app-configuration-connection";
import { TAzureClientSecretsConnection } from "./azure-client-secrets-connection";
import { TAzureDevOpsConnection } from "./azure-devops-connection";
import { TAzureKeyVaultConnection } from "./azure-key-vault-connection";
import { TCamundaConnection } from "./camunda-connection";
import { TDatabricksConnection } from "./databricks-connection";
@@ -28,6 +29,7 @@ export * from "./auth0-connection";
export * from "./aws-connection";
export * from "./azure-app-configuration-connection";
export * from "./azure-client-secrets-connection";
export * from "./azure-devops-connection";
export * from "./azure-key-vault-connection";
export * from "./camunda-connection";
export * from "./databricks-connection";
@@ -54,6 +56,7 @@ export type TAppConnection =
| TAzureKeyVaultConnection
| TAzureAppConfigurationConnection
| TAzureClientSecretsConnection
| TAzureDevOpsConnection
| TDatabricksConnection
| THumanitecConnection
| TTerraformCloudConnection
@@ -103,6 +106,7 @@ export type TAppConnectionMap = {
[AppConnection.AzureKeyVault]: TAzureKeyVaultConnection;
[AppConnection.AzureAppConfiguration]: TAzureAppConfigurationConnection;
[AppConnection.AzureClientSecrets]: TAzureClientSecretsConnection;
[AppConnection.AzureDevOps]: TAzureDevOpsConnection;
[AppConnection.Databricks]: TDatabricksConnection;
[AppConnection.Humanitec]: THumanitecConnection;
[AppConnection.TerraformCloud]: TTerraformCloudConnection;

1
frontend/src/hooks/api/secretSyncs/enums.ts
View File

@@ -5,6 +5,7 @@ export enum SecretSync {
GCPSecretManager = "gcp-secret-manager",
AzureKeyVault = "azure-key-vault",
AzureAppConfiguration = "azure-app-configuration",
AzureDevOps = "azure-devops",
Databricks = "databricks",
Humanitec = "humanitec",
TerraformCloud = "terraform-cloud",

16
frontend/src/hooks/api/secretSyncs/types/azure-devops-sync.ts Normal file
View File

@@ -0,0 +1,16 @@
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import { SecretSync } from "@app/hooks/api/secretSyncs";
import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
export type TAzureDevOpsSync = TRootSecretSync & {
destination: SecretSync.AzureDevOps;
destinationConfig: {
devopsProjectId: string;
devopsProjectName: string;
};
connection: {
app: AppConnection.AzureDevOps;
name: string;
id: string;
};
};

2
frontend/src/hooks/api/secretSyncs/types/index.ts
View File

@@ -5,6 +5,7 @@ import { TOnePassSync } from "./1password-sync";
import { TAwsParameterStoreSync } from "./aws-parameter-store-sync";
import { TAwsSecretsManagerSync } from "./aws-secrets-manager-sync";
import { TAzureAppConfigurationSync } from "./azure-app-configuration-sync";
import { TAzureDevOpsSync } from "./azure-devops-sync";
import { TAzureKeyVaultSync } from "./azure-key-vault-sync";
import { TCamundaSync } from "./camunda-sync";
import { TDatabricksSync } from "./databricks-sync";
@@ -32,6 +33,7 @@ export type TSecretSync =
| TGcpSync
| TAzureKeyVaultSync
| TAzureAppConfigurationSync
| TAzureDevOpsSync
| TDatabricksSync
| THumanitecSync
| TTerraformCloudSync

5
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx
View File

@@ -14,6 +14,7 @@ import { Auth0ConnectionForm } from "./Auth0ConnectionForm";
import { AwsConnectionForm } from "./AwsConnectionForm";
import { AzureAppConfigurationConnectionForm } from "./AzureAppConfigurationConnectionForm";
import { AzureClientSecretsConnectionForm } from "./AzureClientSecretsConnectionForm";
import { AzureDevOpsConnectionForm } from "./AzureDevOpsConnectionForm";
import { AzureKeyVaultConnectionForm } from "./AzureKeyVaultConnectionForm";
import { CamundaConnectionForm } from "./CamundaConnectionForm";
import { DatabricksConnectionForm } from "./DatabricksConnectionForm";
@@ -99,6 +100,8 @@ const CreateForm = ({ app, onComplete }: CreateFormProps) => {
return <CamundaConnectionForm onSubmit={onSubmit} />;
case AppConnection.AzureClientSecrets:
return <AzureClientSecretsConnectionForm />;
case AppConnection.AzureDevOps:
return <AzureDevOpsConnectionForm onSubmit={onSubmit} />;
case AppConnection.Windmill:
return <WindmillConnectionForm onSubmit={onSubmit} />;
case AppConnection.Auth0:
@@ -179,6 +182,8 @@ const UpdateForm = ({ appConnection, onComplete }: UpdateFormProps) => {
return <CamundaConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
case AppConnection.AzureClientSecrets:
return <AzureClientSecretsConnectionForm appConnection={appConnection} />;
case AppConnection.AzureDevOps:
return <AzureDevOpsConnectionForm appConnection={appConnection} onSubmit={onSubmit} />;
case AppConnection.Windmill:
return <WindmillConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
case AppConnection.Auth0:

291
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureDevOpsConnectionForm.tsx Normal file
View File

@@ -0,0 +1,291 @@
/* eslint-disable no-case-declarations */
import crypto from "crypto";
import { useState } from "react";
import { Controller, FormProvider, useForm } from "react-hook-form";
import { zodResolver } from "@hookform/resolvers/zod";
import { z } from "zod";
import { Button, FormControl, Input, ModalClose, Select, SelectItem } from "@app/components/v2";
import { APP_CONNECTION_MAP, getAppConnectionMethodDetails } from "@app/helpers/appConnections";
import { isInfisicalCloud } from "@app/helpers/platform";
import {
AzureDevOpsConnectionMethod,
TAzureDevOpsConnection,
useGetAppConnectionOption
} from "@app/hooks/api/appConnections";
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import {
genericAppConnectionFieldsSchema,
GenericAppConnectionsFields
} from "./GenericAppConnectionFields";
type AccessTokenForm = z.infer<typeof accessTokenSchema>;
type Props = {
appConnection?: TAzureDevOpsConnection;
onSubmit: (formData: AccessTokenForm) => Promise<void>;
};
// Base schema with common fields
const baseSchema = genericAppConnectionFieldsSchema.extend({
app: z.literal(AppConnection.AzureDevOps),
method: z.nativeEnum(AzureDevOpsConnectionMethod)
});
// Method-specific schemas
const oauthSchema = baseSchema.extend({
method: z.literal(AzureDevOpsConnectionMethod.OAuth),
tenantId: z.string().trim().min(1, "Tenant ID is required"),
orgName: z.string().trim().min(1, "Organization name is required")
});
const accessTokenSchema = baseSchema.extend({
method: z.literal(AzureDevOpsConnectionMethod.AccessToken),
credentials: z.object({
accessToken: z.string().trim().min(1, "Access Token is required"),
orgName: z.string().trim().min(1, "Organization name is required")
})
});
// Union schema
const formSchema = z.discriminatedUnion("method", [oauthSchema, accessTokenSchema]);
type FormData = z.infer<typeof formSchema>;
const getDefaultValues = (appConnection?: TAzureDevOpsConnection): Partial<FormData> => {
if (!appConnection) {
return {
app: AppConnection.AzureDevOps,
method: AzureDevOpsConnectionMethod.OAuth
};
}
const base = {
name: appConnection.name,
description: appConnection.description,
app: appConnection.app,
method: appConnection.method
};
const { credentials } = appConnection;
switch (appConnection.method) {
case AzureDevOpsConnectionMethod.OAuth:
if ("tenantId" in credentials && "orgName" in credentials) {
return {
...base,
method: AzureDevOpsConnectionMethod.OAuth,
tenantId: credentials.tenantId,
orgName: credentials.orgName
};
}
break;
case AzureDevOpsConnectionMethod.AccessToken:
if ("accessToken" in credentials && "orgName" in credentials) {
return {
...base,
method: AzureDevOpsConnectionMethod.AccessToken,
credentials: {
accessToken: credentials.accessToken,
orgName: credentials.orgName
}
};
}
break;
default:
return base;
}
return base;
};
export const AzureDevOpsConnectionForm = ({ appConnection, onSubmit }: Props) => {
const isUpdate = Boolean(appConnection);
const [isRedirecting, setIsRedirecting] = useState(false);
const {
option: { oauthClientId },
isLoading
} = useGetAppConnectionOption(AppConnection.AzureDevOps);
const form = useForm<FormData>({
resolver: zodResolver(formSchema),
defaultValues: getDefaultValues(appConnection)
});
const {
handleSubmit,
control,
watch,
formState: { isSubmitting, isDirty }
} = form;
const selectedMethod = watch("method");
const onSubmitHandler = async (formData: FormData) => {
switch (formData.method) {
case AzureDevOpsConnectionMethod.OAuth:
setIsRedirecting(true);
const state = crypto.randomBytes(16).toString("hex");
localStorage.setItem("latestCSRFToken", state);
localStorage.setItem(
"azureDevOpsConnectionFormData",
JSON.stringify({ ...formData, connectionId: appConnection?.id })
);
window.location.assign(
`https://login.microsoftonline.com/${formData.tenantId || "common"}/oauth2/v2.0/authorize?client_id=${oauthClientId}&response_type=code&redirect_uri=${window.location.origin}/organization/app-connections/azure/oauth/callback&response_mode=query&scope=https://azconfig.io/.default%20openid%20offline_access&state=${state}<:>azure-devops`
);
break;
case AzureDevOpsConnectionMethod.AccessToken:
onSubmit(formData);
break;
default:
throw new Error(`Unhandled Azure Connection method: ${(formData as FormData).method}`);
}
};
const isMissingConfig = selectedMethod === AzureDevOpsConnectionMethod.OAuth && !oauthClientId;
const methodDetails = getAppConnectionMethodDetails(selectedMethod);
return (
<FormProvider {...form}>
<form onSubmit={handleSubmit(onSubmitHandler)} className="space-y-6">
{!isUpdate && <GenericAppConnectionsFields />}
<Controller
name="method"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
tooltipText={`The method you would like to use to connect with ${
APP_CONNECTION_MAP[AppConnection.AzureDevOps].name
}. This field cannot be changed after creation.`}
errorText={
!isLoading && isMissingConfig
? `Environment variables have not been configured. ${
isInfisicalCloud()
? "Please contact Infisical."
: `See documentation to configure Azure ${methodDetails.name} Connections.`
}`
: error?.message
}
isError={Boolean(error?.message) || isMissingConfig}
label="Method"
>
<Select
isDisabled={isUpdate}
value={value}
onValueChange={(val) => onChange(val)}
className="w-full border border-mineshaft-500"
position="popper"
dropdownContainerClassName="max-w-none"
>
{Object.values(AzureDevOpsConnectionMethod).map((method) => {
return (
<SelectItem value={method} key={method}>
{getAppConnectionMethodDetails(method).name}
</SelectItem>
);
})}
</Select>
</FormControl>
)}
/>
{/* OAuth-specific fields */}
{selectedMethod === AzureDevOpsConnectionMethod.OAuth && (
<>
<Controller
name="tenantId"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
tooltipText="The Directory (tenant) ID."
isError={Boolean(error?.message)}
label="Tenant ID"
errorText={error?.message}
>
<Input {...field} placeholder="e4f34ea5-ad23-4291-8585-66d20d603cc8" />
</FormControl>
)}
/>
<Controller
name="orgName"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
tooltipText="Your Azure DevOps organization name."
isError={Boolean(error?.message)}
label="Organization Name"
errorText={error?.message}
>
<Input {...field} placeholder="myorganization" />
</FormControl>
)}
/>
</>
)}
{/* Access Token-specific fields */}
{selectedMethod === AzureDevOpsConnectionMethod.AccessToken && (
<>
<Controller
name="credentials.accessToken"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
tooltipText="Personal Access Token from Azure DevOps."
isError={Boolean(error?.message)}
label="Access Token"
errorText={error?.message}
>
<Input
{...field}
type="password"
placeholder="Enter your Personal Access Token"
/>
</FormControl>
)}
/>
<Controller
name="credentials.orgName"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
tooltipText="Your Azure DevOps organization name."
isError={Boolean(error?.message)}
label="Organization Name"
errorText={error?.message}
>
<Input {...field} placeholder="myorganization" />
</FormControl>
)}
/>
</>
)}
<div className="mt-8 flex items-center">
<Button
className="mr-4"
size="sm"
type="submit"
colorSchema="secondary"
isLoading={isSubmitting || isRedirecting}
isDisabled={isSubmitting || (!isUpdate && !isDirty) || isMissingConfig || isRedirecting}
>
{isUpdate ? "Reconnect to Azure" : "Connect to Azure"}
</Button>
<ModalClose asChild>
<Button colorSchema="secondary" variant="plain">
Cancel
</Button>
</ModalClose>
</div>
</form>
</FormProvider>
);
};

77
frontend/src/pages/organization/AppConnections/OauthCallbackPage/OauthCallbackPage.tsx
View File

@@ -8,10 +8,12 @@ import { APP_CONNECTION_MAP } from "@app/helpers/appConnections";
import {
AzureAppConfigurationConnectionMethod,
AzureClientSecretsConnectionMethod,
AzureDevOpsConnectionMethod,
AzureKeyVaultConnectionMethod,
GitHubConnectionMethod,
TAzureAppConfigurationConnection,
TAzureClientSecretsConnection,
TAzureDevOpsConnection,
TAzureKeyVaultConnection,
TGitHubConnection,
TGitHubRadarConnection,
@@ -42,6 +44,19 @@ type AzureClientSecretsFormData = BaseFormData &
Pick<TAzureClientSecretsConnection, "name" | "method" | "description"> &
Pick<TAzureClientSecretsConnection["credentials"], "tenantId">;
type OAuthCredentials = Extract<
TAzureDevOpsConnection,
{ method: AzureDevOpsConnectionMethod.OAuth }
>["credentials"];
type AccessTokenCredentials = Extract<
TAzureDevOpsConnection,
{ method: AzureDevOpsConnectionMethod.AccessToken }
>["credentials"];
type AzureDevOpsFormData = BaseFormData &
Pick<TAzureDevOpsConnection, "name" | "method" | "description"> &
(Pick<OAuthCredentials, "tenantId" | "orgName"> | Pick<AccessTokenCredentials, "orgName">);
type FormDataMap = {
[AppConnection.GitHub]: GithubFormData & { app: AppConnection.GitHub };
[AppConnection.GitHubRadar]: GithubRadarFormData & { app: AppConnection.GitHubRadar };
@@ -52,6 +67,9 @@ type FormDataMap = {
[AppConnection.AzureClientSecrets]: AzureClientSecretsFormData & {
app: AppConnection.AzureClientSecrets;
};
[AppConnection.AzureDevOps]: AzureDevOpsFormData & {
app: AppConnection.AzureDevOps;
};
};
const formDataStorageFieldMap: Partial<Record<AppConnection, string>> = {
@@ -59,7 +77,8 @@ const formDataStorageFieldMap: Partial<Record<AppConnection, string>> = {
[AppConnection.GitHubRadar]: "githubRadarConnectionFormData",
[AppConnection.AzureKeyVault]: "azureKeyVaultConnectionFormData",
[AppConnection.AzureAppConfiguration]: "azureAppConfigurationConnectionFormData",
[AppConnection.AzureClientSecrets]: "azureClientSecretsConnectionFormData"
[AppConnection.AzureClientSecrets]: "azureClientSecretsConnectionFormData",
[AppConnection.AzureDevOps]: "azureDevOpsConnectionFormData"
};
export const OAuthCallbackPage = () => {
@@ -258,6 +277,60 @@ export const OAuthCallbackPage = () => {
};
}, []);
const handleAzureDevOps = useCallback(async () => {
const formData = getFormData(AppConnection.AzureDevOps);
if (formData === null) return null;
clearState(AppConnection.AzureDevOps);
const { connectionId, name, description, returnUrl } = formData;
try {
if (!("tenantId" in formData)) {
throw new Error("Expected OAuth form data but got access token data");
}
if (connectionId) {
await updateAppConnection.mutateAsync({
app: AppConnection.AzureDevOps,
connectionId,
credentials: {
code: code as string,
tenantId: formData.tenantId as string,
orgName: formData.orgName
}
});
} else {
await createAppConnection.mutateAsync({
app: AppConnection.AzureDevOps,
name,
description,
method: AzureDevOpsConnectionMethod.OAuth,
credentials: {
code: code as string,
tenantId: formData.tenantId as string,
orgName: formData.orgName
}
});
}
} catch (err: any) {
createNotification({
title: `Failed to ${connectionId ? "update" : "add"} Azure DevOps Connection`,
text: err?.message,
type: "error"
});
navigate({
to: returnUrl ?? "/organization/app-connections"
});
}
return {
connectionId,
returnUrl,
appConnectionName: formData.app
};
}, []);
const handleGithub = useCallback(async () => {
const formData = getFormData(AppConnection.GitHub);
if (formData === null) return null;
@@ -396,6 +469,8 @@ export const OAuthCallbackPage = () => {
data = await handleAzureAppConfiguration();
} else if (appConnection === AppConnection.AzureClientSecrets) {
data = await handleAzureClientSecrets();
} else if (appConnection === AppConnection.AzureDevOps) {
data = await handleAzureDevOps();
}
if (data) {

14
frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/AzureDevOpsSyncDestinationCol.tsx Normal file
View File

@@ -0,0 +1,14 @@
import { TAzureDevOpsSync } from "@app/hooks/api/secretSyncs/types/azure-devops-sync";
import { getSecretSyncDestinationColValues } from "../helpers";
import { SecretSyncTableCell } from "../SecretSyncTableCell";
type Props = {
secretSync: TAzureDevOpsSync;
};
export const AzureDevOpsSyncDestinationCol = ({ secretSync }: Props) => {
const { primaryText, secondaryText } = getSecretSyncDestinationColValues(secretSync);
return <SecretSyncTableCell primaryText={primaryText} secondaryText={secondaryText} />;
};

3
frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/SecretSyncDestinationCol.tsx
View File

@@ -4,6 +4,7 @@ import { OnePassSyncDestinationCol } from "./1PasswordSyncDestinationCol";
import { AwsParameterStoreSyncDestinationCol } from "./AwsParameterStoreSyncDestinationCol";
import { AwsSecretsManagerSyncDestinationCol } from "./AwsSecretsManagerSyncDestinationCol";
import { AzureAppConfigurationDestinationSyncCol } from "./AzureAppConfigurationDestinationSyncCol";
import { AzureDevOpsSyncDestinationCol } from "./AzureDevOpsSyncDestinationCol";
import { AzureKeyVaultDestinationSyncCol } from "./AzureKeyVaultDestinationSyncCol";
import { CamundaSyncDestinationCol } from "./CamundaSyncDestinationCol";
import { DatabricksSyncDestinationCol } from "./DatabricksSyncDestinationCol";
@@ -55,6 +56,8 @@ export const SecretSyncDestinationCol = ({ secretSync }: Props) => {
return <OCIVaultSyncDestinationCol secretSync={secretSync} />;
case SecretSync.OnePass:
return <OnePassSyncDestinationCol secretSync={secretSync} />;
case SecretSync.AzureDevOps:
return <AzureDevOpsSyncDestinationCol secretSync={secretSync} />;
default:
throw new Error(
`Unhandled Secret Sync Destination Col: ${(secretSync as TSecretSync).destination}`

4
frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/helpers/index.ts
View File

@@ -112,6 +112,10 @@ export const getSecretSyncDestinationColValues = (secretSync: TSecretSync) => {
primaryText = destinationConfig.vaultId;
secondaryText = "Vault ID";
break;
case SecretSync.AzureDevOps:
primaryText = destinationConfig.devopsProjectName;
secondaryText = destinationConfig.devopsProjectId;
break;
default:
throw new Error(`Unhandled Destination Col Values ${destination}`);
}

14
frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/AzureDevOpsSyncDestinationSection.tsx Normal file
View File

@@ -0,0 +1,14 @@
import { GenericFieldLabel } from "@app/components/secret-syncs";
import { TAzureDevOpsSync } from "@app/hooks/api/secretSyncs/types/azure-devops-sync";
type Props = {
secretSync: TAzureDevOpsSync;
};
export const AzureDevOpsSyncDestinationSection = ({ secretSync }: Props) => {
const {
destinationConfig: { devopsProjectName }
} = secretSync;
return <GenericFieldLabel label="Project">{devopsProjectName}</GenericFieldLabel>;
};

4
frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/SecretSyncDestinatonSection.tsx
View File

@@ -14,6 +14,7 @@ import { OnePassSyncDestinationSection } from "./1PasswordSyncDestinationSection
import { AwsParameterStoreSyncDestinationSection } from "./AwsParameterStoreSyncDestinationSection";
import { AwsSecretsManagerSyncDestinationSection } from "./AwsSecretsManagerSyncDestinationSection";
import { AzureAppConfigurationSyncDestinationSection } from "./AzureAppConfigurationSyncDestinationSection";
import { AzureDevOpsSyncDestinationSection } from "./AzureDevOpsSyncDestinationSection";
import { AzureKeyVaultSyncDestinationSection } from "./AzureKeyVaultSyncDestinationSection";
import { CamundaSyncDestinationSection } from "./CamundaSyncDestinationSection";
import { DatabricksSyncDestinationSection } from "./DatabricksSyncDestinationSection";
@@ -89,6 +90,9 @@ export const SecretSyncDestinationSection = ({ secretSync, onEditDestination }:
case SecretSync.OnePass:
DestinationComponents = <OnePassSyncDestinationSection secretSync={secretSync} />;
break;
case SecretSync.AzureDevOps:
DestinationComponents = <AzureDevOpsSyncDestinationSection secretSync={secretSync} />;
break;
default:
throw new Error(`Unhandled Destination Section components: ${destination}`);
}

1
frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx
View File

@@ -41,6 +41,7 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
case SecretSync.GCPSecretManager:
case SecretSync.AzureKeyVault:
case SecretSync.AzureAppConfiguration:
case SecretSync.AzureDevOps:
case SecretSync.Databricks:
case SecretSync.Humanitec:
case SecretSync.TerraformCloud: