Merge remote-tracking branch 'upstream/main'

pks-os · Aug 9, 2024 · fc74561 · fc74561
2 parents 06e315c + 82b2b0a
commit fc74561
Show file tree

Hide file tree

Showing 10 changed files with 151 additions and 154 deletions.
diff --git a/.github/workflows/run-cli-tests.yml b/.github/workflows/run-cli-tests.yml
@@ -50,6 +50,6 @@ jobs:
                   CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
                   CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
                   CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-                  INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+                #   INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
               run: go test -v -count=1 ./test
diff --git a/cli/packages/cmd/secrets.go b/cli/packages/cmd/secrets.go
@@ -374,6 +374,11 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse flag")
 	}
 
+	secretOverriding, err := cmd.Flags().GetBool("secret-overriding")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
 	request := models.GetAllSecretsParameters{
 		Environment:   environmentName,
 		WorkspaceId:   projectId,
@@ -394,6 +399,12 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "To fetch all secrets")
 	}
 
+	if secretOverriding {
+		secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_PERSONAL)
+	} else {
+		secrets = util.OverrideSecrets(secrets, util.SECRET_TYPE_SHARED)
+	}
+
 	if shouldExpand {
 		authParams := models.ExpandSecretsAuthentication{}
 		if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
@@ -688,6 +699,7 @@ func init() {
 	secretsGetCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
 	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets, and process your referenced secrets")
 	secretsGetCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
+	secretsGetCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsGetCmd)
 	secretsCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsSetCmd)

diff --git a/cli/packages/cmd/vault.go b/cli/packages/cmd/vault.go
@@ -31,39 +31,54 @@ var AvailableVaults = []VaultBackendType{
 }
 
 var vaultSetCmd = &cobra.Command{
-	Example:               `infisical vault set file --passphrase <your-passphrase>`,
-	Use:                   "set [file|auto] [flags]",
+	Example:               `infisical vault set file`,
+	Use:                   "set [file|auto]",
 	Short:                 "Used to configure the vault backends",
 	DisableFlagsInUseLine: true,
 	Args:                  cobra.MinimumNArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
-
-		vaultType := args[0]
-
-		passphrase, err := cmd.Flags().GetString("passphrase")
+		wantedVaultTypeName := args[0]
+		currentVaultBackend, err := util.GetCurrentVaultBackend()
 		if err != nil {
-			util.HandleError(err, "Unable to get passphrase flag")
+			log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
+			return
 		}
 
-		if vaultType == util.VAULT_BACKEND_FILE_MODE && passphrase != "" {
-			setFileVaultPassphrase(passphrase)
+		if wantedVaultTypeName == string(currentVaultBackend) {
+			log.Error().Msgf("You are already on vault backend [%s]", currentVaultBackend)
 			return
 		}
 
-		util.PrintWarning("This command has been deprecated. Please use 'infisical vault use [file|auto]' to select which vault to use.\n")
-		selectVaultTypeCmd(cmd, args)
+		if wantedVaultTypeName == util.VAULT_BACKEND_AUTO_MODE || wantedVaultTypeName == util.VAULT_BACKEND_FILE_MODE {
+			configFile, err := util.GetConfigFile()
+			if err != nil {
+				log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
+				return
+			}
+
+			configFile.VaultBackendType = wantedVaultTypeName
+			configFile.LoggedInUserEmail = ""
+			configFile.VaultBackendPassphrase = base64.StdEncoding.EncodeToString([]byte(util.GenerateRandomString(10)))
+
+			err = util.WriteConfigFile(&configFile)
+			if err != nil {
+				log.Error().Msgf("Unable to set vault to [%s] because an error occurred when saving the config file [err=%s]", wantedVaultTypeName, err)
+				return
+			}
+
+			fmt.Printf("\nSuccessfully, switched vault backend from [%s] to [%s]. Please login in again to store your login details in the new vault with [infisical login]\n", currentVaultBackend, wantedVaultTypeName)
+
+			Telemetry.CaptureEvent("cli-command:vault set", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("wantedVault", wantedVaultTypeName).Set("version", util.CLI_VERSION))
+		} else {
+			var availableVaultsNames []string
+			for _, vault := range AvailableVaults {
+				availableVaultsNames = append(availableVaultsNames, vault.Name)
+			}
+			log.Error().Msgf("The requested vault type [%s] is not available on this system. Only the following vault backends are available for you system: %s", wantedVaultTypeName, strings.Join(availableVaultsNames, ", "))
+		}
 	},
 }
 
-var vaultUseCmd = &cobra.Command{
-	Example:               `infisical vault use [file|auto]`,
-	Use:                   "use [file|auto]",
-	Short:                 "Used to select the the type of vault backend to store sensitive data securely at rest",
-	DisableFlagsInUseLine: true,
-	Args:                  cobra.MinimumNArgs(1),
-	Run:                   selectVaultTypeCmd,
-}
-
 // runCmd represents the run command
 var vaultCmd = &cobra.Command{
 	Use:                   "vault",
@@ -75,26 +90,6 @@ var vaultCmd = &cobra.Command{
 	},
 }
 
-func setFileVaultPassphrase(passphrase string) {
-	configFile, err := util.GetConfigFile()
-	if err != nil {
-		log.Error().Msgf("Unable to set passphrase for file vault because of [err=%s]", err)
-		return
-	}
-
-	// encode with base64
-	encodedPassphrase := base64.StdEncoding.EncodeToString([]byte(passphrase))
-	configFile.VaultBackendPassphrase = encodedPassphrase
-
-	err = util.WriteConfigFile(&configFile)
-	if err != nil {
-		log.Error().Msgf("Unable to set passphrase for file vault because of [err=%s]", err)
-		return
-	}
-
-	util.PrintSuccessMessage("\nSuccessfully, set passphrase for file vault.\n")
-}
-
 func printAvailableVaultBackends() {
 	fmt.Printf("Vaults are used to securely store your login details locally. Available vaults:")
 	for _, vaultType := range AvailableVaults {
@@ -111,53 +106,8 @@ func printAvailableVaultBackends() {
 	fmt.Printf("\n\nYou are currently using [%s] vault to store your login credentials\n", string(currentVaultBackend))
 }
 
-func selectVaultTypeCmd(cmd *cobra.Command, args []string) {
-	wantedVaultTypeName := args[0]
-	currentVaultBackend, err := util.GetCurrentVaultBackend()
-	if err != nil {
-		log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
-		return
-	}
-
-	if wantedVaultTypeName == string(currentVaultBackend) {
-		log.Error().Msgf("You are already on vault backend [%s]", currentVaultBackend)
-		return
-	}
-
-	if wantedVaultTypeName == util.VAULT_BACKEND_AUTO_MODE || wantedVaultTypeName == util.VAULT_BACKEND_FILE_MODE {
-		configFile, err := util.GetConfigFile()
-		if err != nil {
-			log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
-			return
-		}
-
-		configFile.VaultBackendType = wantedVaultTypeName // save selected vault
-		configFile.LoggedInUserEmail = ""                 // reset the logged in user to prompt them to re login
-
-		err = util.WriteConfigFile(&configFile)
-		if err != nil {
-			log.Error().Msgf("Unable to set vault to [%s] because an error occurred when saving the config file [err=%s]", wantedVaultTypeName, err)
-			return
-		}
-
-		fmt.Printf("\nSuccessfully, switched vault backend from [%s] to [%s]. Please login in again to store your login details in the new vault with [infisical login]\n", currentVaultBackend, wantedVaultTypeName)
-
-		Telemetry.CaptureEvent("cli-command:vault set", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("wantedVault", wantedVaultTypeName).Set("version", util.CLI_VERSION))
-	} else {
-		var availableVaultsNames []string
-		for _, vault := range AvailableVaults {
-			availableVaultsNames = append(availableVaultsNames, vault.Name)
-		}
-		log.Error().Msgf("The requested vault type [%s] is not available on this system. Only the following vault backends are available for you system: %s", wantedVaultTypeName, strings.Join(availableVaultsNames, ", "))
-	}
-}
-
 func init() {
-
-	vaultSetCmd.Flags().StringP("passphrase", "p", "", "Set the passphrase for the file vault")
-
 	vaultCmd.AddCommand(vaultSetCmd)
-	vaultCmd.AddCommand(vaultUseCmd)
 
 	rootCmd.AddCommand(vaultCmd)
 }
diff --git a/cli/packages/util/constants.go b/cli/packages/util/constants.go
@@ -38,7 +38,8 @@ const (
 	SERVICE_TOKEN_IDENTIFIER        = "service-token"
 	UNIVERSAL_AUTH_TOKEN_IDENTIFIER = "universal-auth-token"
 
-	INFISICAL_BACKUP_SECRET = "infisical-backup-secrets"
+	INFISICAL_BACKUP_SECRET                = "infisical-backup-secrets" // akhilmhdh: @depreciated remove in version v0.30
+	INFISICAL_BACKUP_SECRET_ENCRYPTION_KEY = "infisical-backup-secret-encryption-key"
 )
 
 var (

diff --git a/cli/packages/util/helper.go b/cli/packages/util/helper.go
@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"math/rand"
 	"os"
 	"os/exec"
 	"path"
@@ -25,6 +26,8 @@ type DecodedSymmetricEncryptionDetails = struct {
 	Key    []byte
 }
 
+const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
 func GetBase64DecodedSymmetricEncryptionDetails(key string, cipher string, IV string, tag string) (DecodedSymmetricEncryptionDetails, error) {
 	cipherx, err := base64.StdEncoding.DecodeString(cipher)
 	if err != nil {
@@ -287,3 +290,11 @@ func GetCmdFlagOrEnv(cmd *cobra.Command, flag, envName string) (string, error) {
 	}
 	return value, nil
 }
+
+func GenerateRandomString(length int) string {
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}
diff --git a/cli/packages/util/keyringwrapper.go b/cli/packages/util/keyringwrapper.go
@@ -4,7 +4,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	"github.com/manifoldco/promptui"
 	"github.com/rs/zerolog/log"
 	"github.com/zalando/go-keyring"
 )
@@ -32,16 +31,10 @@ func SetValueInKeyring(key, value string) error {
 		configFile, _ := GetConfigFile()
 
 		if configFile.VaultBackendPassphrase == "" {
-			passphrasePrompt := promptui.Prompt{
-				Label: "Enter a passphrase to encrypt sensitive CLI data at rest",
-			}
-			passphrase, err := passphrasePrompt.Run()
-			if err != nil {
-				return err
-			}
-			encodedPassphrase := base64.StdEncoding.EncodeToString([]byte(passphrase))
+			encodedPassphrase := base64.StdEncoding.EncodeToString([]byte(GenerateRandomString(10))) // generate random passphrase
 			configFile.VaultBackendPassphrase = encodedPassphrase
 			configFile.VaultBackendType = VAULT_BACKEND_FILE_MODE
+			err = WriteConfigFile(&configFile)
 			if err != nil {
 				return err
 			}
@@ -62,7 +55,6 @@ func GetValueInKeyring(key string) (string, error) {
 	if err != nil {
 		PrintErrorAndExit(1, err, "Unable to get current vault. Tip: run [infisical reset] then try again")
 	}
-
 	return keyring.Get(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
 
 }
@@ -74,5 +66,4 @@ func DeleteValueInKeyring(key string) error {
 	}
 
 	return keyring.Delete(currentVaultBackend, MAIN_KEYRING_SERVICE, key)
-
 }