diff --git a/Dockerfile.fips.standalone-infisical b/Dockerfile.fips.standalone-infisical
index 667245cb6e..c06347c7a0 100644
--- a/Dockerfile.fips.standalone-infisical
+++ b/Dockerfile.fips.standalone-infisical
@@ -73,17 +73,6 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-
-# Build and install FIPS validated OpenSSL
-WORKDIR /openssl-build
-RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
- && tar -xf openssl-3.1.2.tar.gz \
- && cd openssl-3.1.2 \
- && ./Configure enable-fips \
- && make \
- && make install_fips
-
-
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -114,15 +103,6 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-# Build and install FIPS validated OpenSSL
-WORKDIR /openssl-build
-RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
- && tar -xf openssl-3.1.2.tar.gz \
- && cd openssl-3.1.2 \
- && ./Configure enable-fips \
- && make \
- && make install_fips
-
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -135,6 +115,12 @@ FROM base AS production
 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
+ build-essential \
+ autoconf \
+ automake \
+ libtool \
+ wget \
+ libssl-dev \
 ca-certificates \
 curl \
 git \
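Review bot: The production stage now installs `build-essential`, `autoconf`, `automake`, `libtool`, `wget` and `libssl-dev`, so the image that actually runs carries a compiler toolchain and development headers it never needs at runtime, which grows the image and gives anyone who gains code execution in the container a ready-made build environment. The two hunks above remove the same OpenSSL build from the builder stages, so the conventional shape is to keep compiling there and `COPY --from=` only the installed FIPS provider (`fips.so` plus its `fipsmodule.cnf`) into the production stage; if the build must stay here, purge the toolchain in the same `RUN` that finishes it, e.g. `&& apt-get purge -y build-essential autoconf automake libtool libssl-dev && apt-get autoremove -y`. The `RUN apt-get` instruction continues past the end of the hunk.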
@@ -152,6 +138,15 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+ && tar -xf openssl-3.1.2.tar.gz \
+ && cd openssl-3.1.2 \
+ && ./Configure enable-fips \
+ && make \
+ && make install_fips
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
 && apt-get update && apt-get install -y infisical=0.41.89 \
@@ -198,14 +193,16 @@ ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
 ENV NODE_OPTIONS=--force-fips
 ENV FIPS_ENABLED=true
+
 WORKDIR /backend
 ENV TELEMETRY_ENABLED true
 EXPOSE 8080
+EXPOSE 80
 EXPOSE 443
 USER non-root-user
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]
\ No newline at end of file
diff --git a/backend/src/lib/crypto/cryptography/crypto.ts b/backend/src/lib/crypto/cryptography/crypto.ts
index f5c2182e6c..e8111dfed6 100644
--- a/backend/src/lib/crypto/cryptography/crypto.ts
+++ b/backend/src/lib/crypto/cryptography/crypto.ts
@@ -20,17 +20,8 @@ import { logger } from "../../logger";
 import { asymmetricFipsValidated } from "./asymmetric-fips";
 import { hasherFipsValidated } from "./hash-fips";
 import { jwtFipsValidated } from "./jwt-fips";
-import {
- DigestType,
- JWTPayload,
- JWTSecretOrKey,
- JWTSignOptions,
- JWTVerifyOptions,
- SymmetricKeySize,
- TDecryptAsymmetricInput,
- TDecryptSymmetricInput,
- TEncryptSymmetricInput
-} from "./types";
+import type { TDecryptAsymmetricInput, TDecryptSymmetricInput, TEncryptSymmetricInput } from "./types";
+import { DigestType, JWTPayload, JWTSecretOrKey, JWTSignOptions, JWTVerifyOptions, SymmetricKeySize } from "./types";
 const bytesToBits = (bytes: number) => bytes * 8;
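Review bot: The `wget https://www.openssl.org/source/openssl-3.1.2.tar.gz` feeding `./Configure enable-fips` has no integrity check, and its output is the FIPS provider that `OPENSSL_MODULES=/usr/local/lib/ossl-modules` later loads into every Node process running under `--force-fips`; a tampered download or a compromised mirror would silently replace the image's cryptography. Pin the release digest and fail the build on mismatch, e.g. `&& echo "<PINNED_SHA256>  openssl-3.1.2.tar.gz" | sha256sum -c -` immediately after the `wget` (digest taken from the OpenSSL release announcement), or verify the detached `.asc` signature against the release key. The extracted source tree and tarball also remain in the final layer; `&& rm -rf /openssl-build/openssl-3.1.2 /openssl-build/openssl-3.1.2.tar.gz` after `make install_fips` drops them without removing the directory that is still the `WORKDIR`.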
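Review bot: `EXPOSE 80` is documentation only, and the image switches to `USER non-root-user` a few lines later, so whether the process can bind a port below 1024 depends on the runtime permitting unprivileged low-port binds (the Docker default sysctl does, many Kubernetes configurations do not); if the backend itself only listens on 8080 and 80 is meant to be mapped externally, the line is misleading and a comment naming the ports the process really binds would be the better change. The `-CMD`/`+CMD` pair differs only by the dropped trailing newline (`\ No newline at end of file`); restore the newline so the file ends cleanly.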
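Review bot: The value import keeps `JWTPayload`, `JWTSecretOrKey`, `JWTSignOptions` and `JWTVerifyOptions` beside `DigestType` and `SymmetricKeySize`, although their names read like type aliases or interfaces rather than runtime values; `./types` is not in the hunk, so this is inferred. If they are types they belong on the new `import type` line — under `verbatimModuleSyntax` a type pulled in as a value is a compile error, and otherwise the split leaves the two lines inconsistent: `import type { JWTPayload, JWTSecretOrKey, JWTSignOptions, JWTVerifyOptions, TDecryptAsymmetricInput, TDecryptSymmetricInput, TEncryptSymmetricInput } from "./types";` followed by `import { DigestType, SymmetricKeySize } from "./types";`. If they really are runtime values (schemas, for instance), a short comment on the import saying so would stop the next reader from making the same move.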
diff --git a/backend/src/lib/crypto/cryptography/index.ts b/backend/src/lib/crypto/cryptography/index.ts
index 5edd5fb89a..e1cc71548d 100644
--- a/backend/src/lib/crypto/cryptography/index.ts
+++ b/backend/src/lib/crypto/cryptography/index.ts
@@ -1,9 +1,8 @@
 export { crypto } from "./crypto";
-export {
- DigestType,
- SymmetricKeySize,
+export type {
 TDecryptAsymmetricInput,
 TDecryptSymmetricInput,
 TEncryptedWithRootEncryptionKey,
 TEncryptSymmetricInput
 } from "./types";
+export { DigestType, SymmetricKeySize } from "./types";
diff --git a/backend/src/lib/crypto/index.ts b/backend/src/lib/crypto/index.ts
index d67e75d0b3..aac797a3e3 100644
--- a/backend/src/lib/crypto/index.ts
+++ b/backend/src/lib/crypto/index.ts
@@ -1,4 +1,4 @@
-export { crypto, SymmetricKeySize, TEncryptedWithRootEncryptionKey } from "./cryptography";
+export { crypto, SymmetricKeySize } from "./cryptography";
 export { buildSecretBlindIndexFromName } from "./encryption";
 export {
 decryptIntegrationAuths,
diff --git a/backend/src/lib/telemetry/instrumentation.ts b/backend/src/lib/telemetry/instrumentation.ts
index 44c9108165..1c9b29cc7c 100644
--- a/backend/src/lib/telemetry/instrumentation.ts
+++ b/backend/src/lib/telemetry/instrumentation.ts
@@ -6,7 +6,6 @@ import { HttpInstrumentation } from "@opentelemetry/instrumentation-http";
 import { Resource } from "@opentelemetry/resources";
 import { AggregationTemporality, MeterProvider, PeriodicExportingMetricReader } from "@opentelemetry/sdk-metrics";
 import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from "@opentelemetry/semantic-conventions";
-import tracer from "dd-trace";
 import dotenv from "dotenv";
 import { initEnvConfig } from "../config/env";
@@ -89,6 +88,8 @@ const setupTelemetry = async () => {
 }
 if (envCfg.SHOULD_USE_DATADOG_TRACER) {
+ const tracer = await import("dd-trace");
+
 console.log("Initializing Datadog tracer");
 tracer.init({
 profiling: envCfg.DATADOG_PROFILING_ENABLED,
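Review bot: `TEncryptedWithRootEncryptionKey` is dropped from the `lib/crypto` barrel without a replacement, so any module that imported it from this index now fails to compile; only this file is in the hunk, so whether every consumer was updated elsewhere in the commit cannot be checked here. Since `./cryptography` now exports it type-only (the hunk above), keeping the barrel complete is one line: `export type { TEncryptedWithRootEncryptionKey } from "./cryptography";`.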
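Review bot: `const tracer = await import("dd-trace")` binds the module namespace object, not the tracer instance, so the `tracer.init(...)` on the following lines calls `init` on the namespace; whether that resolves depends on how TypeScript's `esModuleInterop` helper wraps dd-trace's CommonJS export — `__importStar` copies only own properties of `module.exports`, so a method living on the instance's prototype can be missing at runtime even though the static `import tracer from "dd-trace"` this replaces worked. Taking the default export explicitly avoids the question: `const { default: tracer } = await import("dd-trace");`. Confirm against dd-trace's typings, and consider whether loading the tracer this late still lets it patch the modules already imported above. The enclosing `setupTelemetry` starts before and ends after the hunk.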
diff --git a/backend/src/queue/queue-service.ts b/backend/src/queue/queue-service.ts
index 9f98a73470..2761179a82 100644
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@@ -448,6 +448,9 @@ export const queueServiceFactory = (
 if (appCfg.QUEUE_WORKERS_ENABLED && isQueueEnabled(name)) {
 workerContainer[name] = new Worker(name, jobFn, {
 ...queueSettings,
+ settings: {
+ repeatKeyHashAlgorithm: "sha256"
+ },
 connection
 });
 }
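Review bot: `repeatKeyHashAlgorithm: "sha256"` is applied only to the `Worker`, but BullMQ derives repeatable-job keys on both sides — the `Queue` that schedules a repeatable job hashes with its own `settings` — so if the `Queue` instances created elsewhere in this factory keep the library default the worker will schedule the next iteration under a different key than the one `removeRepeatable` later looks up (inferred; the Queue construction is outside the hunk). Putting the option into the shared `queueSettings` object, or the same `settings` block on the Queue, keeps the two in agreement; note also that a `settings: {...}` written after the spread replaces any `settings` that `queueSettings` already carries, so `settings: { ...queueSettings.settings, repeatKeyHashAlgorithm: "sha256" }` is safer if it has any. Repeatable jobs already stored under keys from the old algorithm will not match after deploy and can end up duplicated until they are removed and re-added, which deserves a deploy note. The enclosing `queueServiceFactory` starts before and ends after the hunk.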