feat: Using global private environment to save secrets[INS-4715] #8233

Merged
merged 46 commits into from
Feb 17, 2025

@cwangsmv cwangsmv commented Dec 5, 2024

Changes
Leverage global private environment to add built-in support for secret management capabilities.
Add a new secret type environment key-value pair to store secret variables with the following features:

  • Secret environment variables will add a vault prefix automatically to distinguish them from normal environment variables. If you define a secret environment called foo, you need to input {{ vault.foo }} to use it as an environment variable
  • Secret environment values are encrypted in the database
  • Secret environment values are masked unless in the environment editor, in the variable editor modal, or when used in a request
  • When the private environment is exported, a default placeholder string will replace its real value
  • When the user has reset the encryption key (aka: vault key) on other devices, all local secret environment variables will be removed
Screenshot 2024-12-05 at 14 44 33

We also introduce a new term Vault Key.
The vault key is used to encrypt/decrypt secret environment variables. It is not synced to the cloud, so users need to save the key themselves.
Users can reset the vault key, but this will remove local secret environments on all devices.
Add a new UI in Preferences page for management:
Screenshot 2025-01-07 at 15 54 55

Vault secrets can be used in scripts if the user sets Enable vault in scripts in settings. (Only getting a vault secret value is allowed; set/unset/clear methods are not allowed.)
The pattern is

insomnia.vault.get(<vault_name>)

Tasks

  • Add new UI for secret environment variables
  • Secret environment variables processing logic
    • Mask value unless in editor and request
    • Encryption/Decryption logic
  • Vault key UI
    • New vault key management UI in Preferences modal
    • API integration and SSE event handling
    • Vault key/hash CRUD operations
  • Pre-request & After-response support
  • Add smoke test
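
A sketch of the behaviours listed in the description above (vault prefix, masking, export placeholder), added here as an example and not taken from this PR or from Insomnia's code. The type strings, placeholder text, mask and helper names are assumptions.

```javascript
// Added illustration, not Insomnia's code. The type strings, placeholder and
// mask below are assumptions; the sample data is constructed.
const KV_TYPE = { STRING: 'str', SECRET: 'secret' };
const EXPORT_PLACEHOLDER = '<secret-removed-on-export>';
const MASK = '******';

const sampleKvPairs = [
  { name: 'base_url', value: 'https://api.example.test', type: KV_TYPE.STRING },
  { name: 'foo', value: 's3cr3t-token-value', type: KV_TYPE.SECRET },
];

// Secret items live under the `vault` namespace, so `foo` resolves only as vault.foo.
function buildRenderContext(kvPairs) {
  const context = { vault: {} };
  for (const { name, value, type } of kvPairs) {
    if (type === KV_TYPE.SECRET) context.vault[name] = value;
    else if (name !== 'vault') context[name] = value; // plain variable must not shadow the namespace
  }
  return context;
}

// Minimal {{ path.to.key }} substitution standing in for the real template engine.
function render(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (tag, path) => {
    const value = path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), context);
    return typeof value === 'string' ? value : tag; // unresolved tags stay as written
  });
}

// Copy of the pairs with every secret value swapped for `replacement`
// (MASK for display outside the editor, EXPORT_PLACEHOLDER for export).
function redactSecrets(kvPairs, replacement) {
  return kvPairs.map(pair =>
    pair.type === KV_TYPE.SECRET ? { ...pair, value: replacement } : { ...pair });
}

// Check for a test suite: names of secret items whose real value still
// appears in a serialized export.
function leakedSecrets(kvPairs, serialized) {
  return kvPairs
    .filter(pair => pair.type === KV_TYPE.SECRET && pair.value && serialized.includes(pair.value))
    .map(pair => pair.name);
}
```

Running `leakedSecrets` against the output of the real export path gives a regression check that a secret value never reaches an exported file.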

@cwangsmv cwangsmv marked this pull request as draft December 5, 2024 07:08
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from a546711 to f8cb14d Compare December 9, 2024 08:45
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch 2 times, most recently from b453cd8 to bfb3d55 Compare January 6, 2025 09:10
@cwangsmv cwangsmv marked this pull request as ready for review January 8, 2025 07:22
@cwangsmv cwangsmv requested review from ihexxa and a team January 8, 2025 07:22
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from 9b384d8 to 3f66590 Compare January 8, 2025 07:28
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch 3 times, most recently from 5ed3dbd to 241dbc4 Compare February 17, 2025 08:46
ihexxa previously approved these changes Feb 17, 2025

@ihexxa ihexxa left a comment

Added some minor comments and tend to move forward as there have been several rounds of review before, but ideally we might still have more tests next, as it is a relatively huge change.

@@ -51,6 +51,8 @@ export const WorkspaceEnvironmentsEditModal = ({ onClose }: {
}
return false;
}, [selectedEnvironment]);
// Do not allowed to switch to json environment if contains secret item
const allowSwitchEnvironment = !selectedEnvironment?.kvPairData?.some(d => d.type === EnvironmentKvPairDataType.SECRET);
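
Review bot: The added `allowSwitchEnvironment` line only blocks the act of switching to the JSON editor; nothing in this hunk covers an environment that is already shown in JSON mode when a `SECRET` item is present, so a companion check that falls back to the key-value view is needed for that case. The name also reads as if it gates switching between environments, while the comment says it gates the JSON view; a name such as allowSwitchToJsonMode (suggested, not from the code base) would match the intent, and the comment should read "Do not allow switching to the JSON environment view if it contains a secret item". When `selectedEnvironment` or `kvPairData` is undefined the expression evaluates to true, which is a reasonable default but worth stating in the comment.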

@ihexxa ihexxa Feb 17, 2025

nit: Probably need to auto switch to kv mode for a user who has been in the json mode?

Contributor Author

Good catch, I will add in a separate PR and add a test to cover this

@cwangsmv cwangsmv enabled auto-merge (squash) February 17, 2025 10:00
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from b4430ab to c240e19 Compare February 17, 2025 10:00
@cwangsmv cwangsmv disabled auto-merge February 17, 2025 10:13
2.secret key-value pair ui
2.Add basic integration with AWS
3.Add vault secret cache and config UI
2.add a hook to get user plan
2.AWS secret nunjucks tag config UI
…lobal environment

2.mask all secret items value when export
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from c240e19 to c05a95d Compare February 17, 2025 10:14
@cwangsmv cwangsmv merged commit 3abe124 into develop Feb 17, 2025
9 checks passed
@cwangsmv cwangsmv deleted the feat/vault-environment branch February 17, 2025 10:32