Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Using global private environment to save secrets[INS-4715] #8233

Open
wants to merge 33 commits into
base: develop
Choose a base branch
from
Open

feat: Using global private environment to save secrets[INS-4715] #8233

wants to merge 33 commits into from
+1,671 −99

Conversation

cwangsmv
Copy link
Contributor

@cwangsmv cwangsmv commented Dec 5, 2024
edited
Loading

Changes
Leverage global private environment to add built-in support secret management capabilities.
Add a new secret type environment key-value pair to store secret variables with the following features:

  • Secret environment variables will add a vault prefix automatically to distinguish with normal environment variables. If you define a secret environment called foo, you need to input {{ vault.foo }} to use as environment variable
  • Secret environment values are encrypted in the database
  • Secret environment values are masked unless in environment editor/variable editor modal/using in request
  • When the private environment is exported, a default placeholder string will replace its real value
  • When user has rest the encryption key (aka: vault key) in other devices, all local secret environment variables will be removed
Screenshot 2024-12-05 at 14 44 33

We also introduce a new term Vault Key.
Vault key is used to encrypt/decrypt secret environment variables, it is not synced to the cloud, so users need to save the key themselves.
User could reset the vault key, but this will remove local secret environments in all devices.
Add a new UI in Preferences page for management:
Screenshot 2025-01-07 at 15 54 55

Vault secrets can be used in scripts if user set Enable vault in scripts in settings. (Only allow to get vault secret value, set/unset/clear methods are not allowd)
The pattern is

insomnia.vault.get(<vault_name>)

Tasks

  • Add new UI for secret environment variables
  • Secret environment variables processing logic
    • Mask value unless in editor and request
    • Encryption/Decryption logic
  • Vault key UI
    • New vault key management UI in Preferences modal
    • API integration and SSE event handling
    • Vault key/hash CRUD operations
  • Pre-requset & After-response support

@cwangsmv cwangsmv marked this pull request as draft December 5, 2024 07:08
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from a546711 to f8cb14d Compare December 9, 2024 08:45
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch 2 times, most recently from b453cd8 to bfb3d55 Compare January 6, 2025 09:10
@cwangsmv cwangsmv marked this pull request as ready for review January 8, 2025 07:22
@cwangsmv cwangsmv requested review from ihexxa and a team January 8, 2025 07:22
cwangsmv added 23 commits January 8, 2025 15:27
@cwangsmv
1.add external vault context menu
7c0e2af 
2.secret key-value pair ui
@cwangsmv
1.Add cloud credential model
f1973d2 
2.Add basic integration with AWS
3.Add vault secret cache and config UI
@cwangsmv
1.fix main process integration issue
cc38d40 
2.add a hook to get user plan
@cwangsmv
1.adjust layout for upgrade notice
10099be 
2.AWS secret nunjuckt tag config UI
@cwangsmv
1.add logic to handle vault secret items(vault environment)
c7b970f
@cwangsmv
1.add modal to confirm export private environment when user exports g…
361c185 
…lobal environment

2.mask all secret items value when export
@cwangsmv
1.fix aws secret manager tag
4092d5d
@cwangsmv
1.use hook to get plan detail
50dff22
@cwangsmv
1.remove unnecessary style color
0b55a50
@cwangsmv
1.fix lint issue
3ba47b6
@cwangsmv
1.save work
8c86fbf
@cwangsmv
1.ui changes
0e3c02c
@cwangsmv
1.add logic to handle vault key reset and input request
85adcd2
@cwangsmv
1.add encrypt/decrypt and remove secret function
6a6678d
@cwangsmv
1.move removeAllSecrets function to modal
ac1f9be 
2.Add download vault key function
@cwangsmv
1.basic integration with srp api
c00a4c0
@cwangsmv
1.add new utils function
8d23a7b 
2.api and encrypt/decrypt integration
@cwangsmv
1.add modal for secrets environment variable without vault key hint
096cd4a
@cwangsmv
1.integration with sse event of reset vault key
7415db5 
2.add notification and remove secrets
@cwangsmv
1.support create vault key conflict condition
23c6c22
@cwangsmv
1.integrate with sse event change
5cccad7
@cwangsmv
1.fix some minor issues
4feb20d
@cwangsmv
1.fix error handling
fbf45a9
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from 9b384d8 to 3f66590 Compare January 8, 2025 07:28
jackkav
jackkav reviewed Jan 8, 2025
View reviewed changes
packages/insomnia/package.json Outdated
@@ -69,6 +69,7 @@
"jshint": "^2.13.6",
"jsonlint-mod-fixed": "1.7.7",
"jsonpath-plus": "^6.0.1",
"keytar": "^7.9.0",
Copy link
Contributor

@jackkav jackkav Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please evaluate alternatives to this library it appears to be unmaintained.

Copy link
Contributor Author

@cwangsmv cwangsmv Jan 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will try VsCode's solution to use electron safeStorage to repalce keytar.
Refer: microsoft/vscode#185677

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use electron safeStorage instead. The encrypted secrets will be saved to local file instead of OS native secret manager.

ihexxa
ihexxa reviewed Jan 9, 2025
View reviewed changes
packages/insomnia-sdk/src/objects/environments.ts
}
return Reflect.get(target, prop, receiver);
},
set: (target, prop, value, receiver) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may not support this?
Another irrelevant minor observation is, when environment.set is called in script, open the environment modal, it will not be shown in the key-value mode until switching to the json mode and back.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, do not allow set method in vault script.
For the second issue found, I've created a ticket to fix the bug.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ihexxa ihexxa ihexxa left review comments

@jackkav jackkav jackkav left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cwangsmv @jackkav @ihexxa