Merge pull request #3259 from Infisical/feat/automated-instance-bootstrapping

feat: automated bootstrapping

Author: sheensantoscapadngan

backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.specificType("adminIdentityIds", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("adminIdentityIds");
+    });
+  }
+}

backend/src/db/schemas/super-admin.ts

@@ -25,7 +25,8 @@ export const SuperAdminSchema = z.object({
   encryptedSlackClientId: zodBuffer.nullable().optional(),
   encryptedSlackClientSecret: zodBuffer.nullable().optional(),
   authConsentContent: z.string().nullable().optional(),
-  pageFrameContent: z.string().nullable().optional()
+  pageFrameContent: z.string().nullable().optional(),
+  adminIdentityIds: z.string().array().nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/server/plugins/auth/inject-identity.ts

@@ -9,6 +9,7 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType, AuthMethod, AuthMode, AuthModeJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
 import { TIdentityAccessTokenJwtPayload } from "@app/services/identity-access-token/identity-access-token-types";
+import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 export type TAuthMode =
   | {
@@ -44,6 +45,7 @@ export type TAuthMode =
       identityName: string;
       orgId: string;
       authMethod: null;
+      isInstanceAdmin?: boolean;
     }
   | {
       authMode: AuthMode.SCIM_TOKEN;
@@ -130,13 +132,15 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
       }
       case AuthMode.IDENTITY_ACCESS_TOKEN: {
         const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
+        const serverCfg = await getServerCfg();
         req.auth = {
           authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
           actor,
           orgId: identity.orgId,
           identityId: identity.identityId,
           identityName: identity.name,
-          authMethod: null
+          authMethod: null,
+          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId)
         };
         if (token?.identityAuth?.oidc) {
           requestContext.set("identityAuthInfo", {

backend/src/server/plugins/auth/superAdmin.ts

@@ -1,16 +1,18 @@
 import { FastifyReply, FastifyRequest, HookHandlerDoneFunction } from "fastify";
 
 import { ForbiddenRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const verifySuperAdmin = <T extends FastifyRequest>(
   req: T,
   _res: FastifyReply,
   done: HookHandlerDoneFunction
 ) => {
-  if (req.auth.actor !== ActorType.USER || !req.auth.user.superAdmin)
-    throw new ForbiddenRequestError({
-      message: "Requires elevated super admin privileges"
-    });
-  done();
+  if (isSuperAdmin(req.auth)) {
+    return done();
+  }
+
+  throw new ForbiddenRequestError({
+    message: "Requires elevated super admin privileges"
+  });
 };

backend/src/server/routes/index.ts

@@ -637,6 +637,9 @@ export const registerRoutes = async (
     userDAL,
     identityDAL,
     userAliasDAL,
+    identityTokenAuthDAL,
+    identityAccessTokenDAL,
+    identityOrgMembershipDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     kmsRootConfigDAL,

backend/src/server/routes/v1/admin-router.ts

@@ -98,7 +98,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT, AuthMode.API_KEY])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -139,7 +139,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -171,12 +171,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
           identities: IdentitiesSchema.pick({
             name: true,
             id: true
-          }).array()
+          })
+            .extend({
+              isInstanceAdmin: z.boolean()
+            })
+            .array()
         })
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -206,7 +210,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -240,7 +244,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -265,7 +269,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       })
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -293,7 +297,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       }
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -316,7 +320,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       })
     },
     onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
         verifySuperAdmin(req, res, done);
       });
     },
@@ -394,4 +398,141 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/identity-management/identities/:identityId/super-admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identity: IdentitiesSchema.pick({
+            name: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const identity = await server.services.superAdmin.deleteIdentitySuperAdminAccess(
+        req.params.identityId,
+        req.permission.id
+      );
+
+      return {
+        identity
+      };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/user-management/users/:userId/admin-access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        userId: z.string()
+      }),
+      response: {
+        200: z.object({
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true
+          })
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const user = await server.services.superAdmin.deleteUserSuperAdminAccess(req.params.userId);
+
+      return {
+        user
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/bootstrap",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        email: z.string().email().trim().min(1),
+        password: z.string().trim().min(1),
+        organization: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          message: z.string(),
+          user: UsersSchema.pick({
+            username: true,
+            firstName: true,
+            lastName: true,
+            email: true,
+            id: true,
+            superAdmin: true
+          }),
+          organization: OrganizationsSchema.pick({
+            id: true,
+            name: true,
+            slug: true
+          }),
+          identity: IdentitiesSchema.pick({
+            id: true,
+            name: true
+          }).extend({
+            credentials: z.object({
+              token: z.string()
+            }) // would just be Token AUTH for now
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const { user, organization, machineIdentity } = await server.services.superAdmin.bootstrapInstance({
+        ...req.body,
+        organizationName: req.body.organization
+      });
+
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.AdminInit,
+        distinctId: user.user.username ?? "",
+        properties: {
+          username: user.user.username,
+          email: user.user.email ?? "",
+          lastName: user.user.lastName || "",
+          firstName: user.user.firstName || ""
+        }
+      });
+
+      return {
+        message: "Successfully bootstrapped instance",
+        user: user.user,
+        organization,
+        identity: machineIdentity
+      };
+    }
+  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -11,6 +11,7 @@ import {
   validateAccountIds,
   validatePrincipalArns
 } from "@app/services/identity-aws-auth/identity-aws-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -130,7 +131,8 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -8,8 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
-
-import {} from "../sanitizedSchemas";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -127,7 +126,8 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -8,6 +8,7 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -121,7 +122,8 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({

backend/src/server/routes/v1/identity-jwt-auth-router.ts

@@ -12,6 +12,7 @@ import {
   validateJwtAuthAudiencesField,
   validateJwtBoundClaimsField
 } from "@app/services/identity-jwt-auth/identity-jwt-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
 const IdentityJwtAuthResponseSchema = IdentityJwtAuthsSchema.omit({
   encryptedJwksCaCert: true,
@@ -169,7 +170,8 @@ export const registerIdentityJwtAuthRouter = async (server: FastifyZodProvider)
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
         ...req.body,
-        identityId: req.params.identityId
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
       });
 
       await server.services.auditLog.createAuditLog({