refactor: update PAM session status handling and improve enum definitions

- Changed PAM session status from 'Expired' to 'Ended' in the database update logic and service layer for clarity. - Updated the PamSessionStatus enum to consolidate the definitions of 'Ended' and 'Expired', reflecting that 'Ended' can result from both user action and automatic expiration. - Removed references to 'Expired' in the frontend components and adjusted related UI elements for consistency.
2026-01-10 16:08:20 -05:00 · 2025-12-08 12:19:19 -03:00
parent a0718321e7
commit d09849d9dc
7 changed files with 21 additions and 26 deletions
--- a/backend/src/ee/services/pam-session/pam-session-dal.ts
+++ b/backend/src/ee/services/pam-session/pam-session-dal.ts
@@ -31,7 +31,7 @@ export const pamSessionDALFactory = (db: TDbClient) => {
      .where("id", sessionId)
      .whereIn("status", [PamSessionStatus.Active, PamSessionStatus.Starting])
      .update({
-        status: PamSessionStatus.Expired,
+        status: PamSessionStatus.Ended,
        endedAt: now
      });

--- a/backend/src/ee/services/pam-session/pam-session-enums.ts
+++ b/backend/src/ee/services/pam-session/pam-session-enums.ts
@@ -1,7 +1,6 @@
 export enum PamSessionStatus {
  Starting = "starting", // Starting, user connecting to resource
  Active = "active", // Active, user is connected to resource
-  Ended = "ended", // Ended by user
-  Terminated = "terminated", // Terminated by an admin
-  Expired = "expired" // Automatically expired after expiresAt timestamp
+  Ended = "ended", // Ended by user or automatically expired after expiresAt timestamp
+  Terminated = "terminated" // Terminated by an admin
 }
--- a/backend/src/ee/services/pam-session/pam-session-service.ts
+++ b/backend/src/ee/services/pam-session/pam-session-service.ts
@@ -53,7 +53,7 @@ export const pamSessionServiceFactory = ({
    if (isActive && isExpired) {
      // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
      const updatedSession = await pamSessionDAL.updateById(session.id, {
-        status: PamSessionStatus.Expired,
+        status: PamSessionStatus.Ended,
        endedAt: new Date()
      });
      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
@@ -200,7 +200,7 @@ export const pamSessionServiceFactory = ({
      throw new ForbiddenRequestError({ message: "Only identities and users can perform this action" });
    }

-    if (session.status === PamSessionStatus.Ended || session.status === PamSessionStatus.Expired) {
+    if (session.status === PamSessionStatus.Ended) {
      return {
        session,
        projectId: project.id
--- a/frontend/src/hooks/api/pam/enums.ts
+++ b/frontend/src/hooks/api/pam/enums.ts
@@ -29,8 +29,7 @@ export enum PamSessionStatus {
  Starting = "starting",
  Active = "active",
  Ended = "ended",
-  Terminated = "terminated",
-  Expired = "expired"
+  Terminated = "terminated"
 }

 // Accounts
--- a/frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/AwsIamAccountForm.tsx
+++ b/frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/AwsIamAccountForm.tsx
@@ -148,10 +148,10 @@ export const AwsIamAccountForm = ({ account, onSubmit }: Props) => {
            </AccordionTrigger>
            <AccordionContent className="px-4 pb-2.5">
              <p className="mb-3 text-sm text-mineshaft-300">
-                The target role must have a trust policy that allows the Infisical PAM role you
-                created and used in the &quot;Resources&quot; tab to assume it. If you used the{" "}
-                <code className="rounded bg-mineshaft-700 px-1 text-xs">infisical-pam-*</code>{" "}
-                naming convention, no additional changes are needed to the PAM role.
+                The target role must have a trust policy that allows the PAM role (created in the
+                &quot;Resources&quot; tab) to assume it. If your target role name follows the
+                wildcard pattern you defined in the PAM role&apos;s permissions policy, no
+                additional changes are needed.
              </p>

              <p className="mb-2 text-sm font-medium text-mineshaft-200">
@@ -170,13 +170,12 @@ export const AwsIamAccountForm = ({ account, onSubmit }: Props) => {
                <code className="rounded bg-mineshaft-700 px-1">&lt;YOUR_ACCOUNT_ID&gt;</code> with
                your AWS account ID and{" "}
                <code className="rounded bg-mineshaft-700 px-1">&lt;YOUR_PAM_ROLE_NAME&gt;</code>{" "}
-                with the name of the PAM role you created and used in the &quot;Resources&quot; tab
-                (e.g., <code className="rounded bg-mineshaft-700 px-1">InfisicalPAMRole</code>). The
+                with the name of the PAM role you created in the &quot;Resources&quot; tab. The
                External ID{" "}
                <code className="rounded bg-mineshaft-700 px-1 font-bold">{projectId}</code> is your
-                current project ID. If your target role name doesn&apos;t follow the{" "}
-                <code className="rounded bg-mineshaft-700 px-1">infisical-pam-*</code> pattern, you
-                must update the PAM role&apos;s permissions policy to include the target role ARN.
+                current project ID. If this target role name doesn&apos;t match the wildcard pattern
+                in your PAM role&apos;s permissions policy, you&apos;ll need to update that policy
+                to include this role&apos;s ARN.
              </p>
            </AccordionContent>
          </AccordionItem>
--- a/frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/AwsIamResourceForm.tsx
+++ b/frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/AwsIamResourceForm.tsx
@@ -57,7 +57,7 @@ export const AwsIamResourceForm = ({ resource, onSubmit }: Props) => {
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
-    "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/infisical-pam-*"
+    "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_PREFIX>-*"
  }]
 }`;

@@ -148,9 +148,12 @@ export const AwsIamResourceForm = ({ resource, onSubmit }: Props) => {
                Step 1: Create a permissions policy for assuming target roles
              </p>
              <p className="mb-3 text-sm text-mineshaft-300">
-                This policy allows the PAM role to assume target roles. We recommend using the{" "}
-                <code className="rounded bg-mineshaft-700 px-1 text-xs">infisical-pam-*</code>{" "}
-                naming convention for target roles.
+                This policy allows the PAM role to assume target roles. We recommend using a
+                wildcard pattern (e.g.,{" "}
+                <code className="rounded bg-mineshaft-700 px-1 text-xs">pam-*</code> or{" "}
+                <code className="rounded bg-mineshaft-700 px-1 text-xs">privileged-*</code>) so you
+                can add new accounts without updating this policy. Choose a prefix that fits your
+                naming conventions.
              </p>
              <div className="relative mb-4">
                <div className="absolute top-1 right-1">
--- a/frontend/src/pages/pam/PamSessionsPage/components/PamSessionStatusBadge.tsx
+++ b/frontend/src/pages/pam/PamSessionsPage/components/PamSessionStatusBadge.tsx
@@ -2,7 +2,6 @@ import {
  ActivityIcon,
  BanIcon,
  ChevronsLeftRightEllipsisIcon,
-  ClockIcon,
  GavelIcon,
  LucideIcon
 } from "lucide-react";
@@ -34,10 +33,6 @@ const PAM_SESSION_STATUS_CONFIG: Record<PamSessionStatus, StatusConfig> = {
  [PamSessionStatus.Ended]: {
    variant: "neutral",
    icon: BanIcon
-  },
-  [PamSessionStatus.Expired]: {
-    variant: "warning",
-    icon: ClockIcon
  }
 };