
feat: Using global private environment to save secrets[INS-4715] #8233

Open
wants to merge 35 commits into base: develop

Conversation

cwangsmv
Contributor

@cwangsmv cwangsmv commented Dec 5, 2024

Changes
Leverage the global private environment to add built-in support for secret management capabilities.
Add a new secret type environment key-value pair to store secret variables with the following features:

  • Secret environment variables will add a vault prefix automatically to distinguish them from normal environment variables. If you define a secret environment variable called foo, you need to input {{ vault.foo }} to use it as an environment variable
  • Secret environment values are encrypted in the database
  • Secret environment values are masked unless in environment editor/variable editor modal/using in request
  • When the private environment is exported, a default placeholder string will replace its real value
  • When the user has reset the encryption key (aka vault key) on another device, all local secret environment variables will be removed
[Screenshot 2024-12-05 at 14 44 33]

We also introduce a new term Vault Key.
The vault key is used to encrypt/decrypt secret environment variables; it is not synced to the cloud, so users need to save the key themselves.
Users can reset the vault key, but this will remove local secret environments on all devices.
Add a new UI in the Preferences page for management:
[Screenshot 2025-01-07 at 15 54 55]

Vault secrets can be used in scripts if the user sets Enable vault in scripts in settings. (Only getting a vault secret value is allowed; set/unset/clear methods are not allowed.)
The pattern is

insomnia.vault.get(<vault_name>)

Tasks

  • Add new UI for secret environment variables
  • Secret environment variables processing logic
    • Mask value unless in editor and request
    • Encryption/Decryption logic
  • Vault key UI
    • New vault key management UI in Preferences modal
    • API integration and SSE event handling
    • Vault key/hash CRUD operations
  • Pre-request & After-response support

@cwangsmv cwangsmv marked this pull request as draft December 5, 2024 07:08
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from a546711 to f8cb14d Compare December 9, 2024 08:45
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch 2 times, most recently from b453cd8 to bfb3d55 Compare January 6, 2025 09:10
@cwangsmv cwangsmv marked this pull request as ready for review January 8, 2025 07:22
@cwangsmv cwangsmv requested review from ihexxa and a team January 8, 2025 07:22
@cwangsmv cwangsmv force-pushed the feat/vault-environment branch from 9b384d8 to 3f66590 Compare January 8, 2025 07:28
@@ -69,6 +69,7 @@
"jshint": "^2.13.6",
"jsonlint-mod-fixed": "1.7.7",
"jsonpath-plus": "^6.0.1",
"keytar": "^7.9.0",
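Review bot: `keytar` is a native module (it needs a rebuild per Electron version and libsecret on Linux) and its upstream repository is archived, so this dependency should be replaced before merge; the thread below settles on Electron's `safeStorage`, in which case this package.json entry should be removed rather than left behind as an unused native dependency.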
Contributor

@jackkav jackkav Jan 8, 2025


Please evaluate alternatives to this library; it appears to be unmaintained.

Contributor Author

@cwangsmv cwangsmv Jan 9, 2025


I will try VS Code's solution of using Electron safeStorage to replace keytar.
Refer: microsoft/vscode#185677

Contributor Author


Use Electron safeStorage instead. The encrypted secrets will be saved to a local file instead of the OS native secret manager.

}
return Reflect.get(target, prop, receiver);
},
set: (target, prop, value, receiver) => {
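Review bot: the `set` trap on this proxy should reject writes rather than forward them, since the PR description states that only `get` is permitted in scripts; throw or return `false` here, and add `deleteProperty`/`defineProperty` traps as well, so that `insomnia.vault.x = ...` and `delete insomnia.vault.x` cannot mutate secrets from script context.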
Contributor


We may not support this?
Another, unrelated minor observation: when environment.set is called in a script and the environment modal is then opened, the value is not shown in key-value mode until switching to JSON mode and back.

Contributor Author


Fixed: the set method is not allowed in vault scripts.
For the second issue found, I've created a ticket to fix the bug.

enabled: true,
});
// get all secret items from vaultEnvironmentPath
if (key === vaultEnvironmentPath && val === 'object') {
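Review bot: `val === 'object'` compares the value to the string `'object'` and will never match a real object, so the secret-item branch is dead code; it should be `typeof val === 'object' && val !== null`, the null check being needed because `typeof null` is also `'object'` and a null vault would otherwise be iterated for secret items.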
Contributor


Maybe typeof val === 'object'

// invalid symmetricKey
return rawValue;
}
const encryptReuslt = crypt.encryptAES(symmetricKey, rawValue);
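Review bot: the `// invalid symmetricKey` branch returns `rawValue` unchanged, which means a secret is written to the database in plaintext whenever the key is missing or malformed. Fail closed here (throw, or return an explicit error the caller must handle) so an invalid vault key never silently downgrades encryption; also fix the `encryptReuslt` spelling.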
Contributor


typo encryptReuslt

@@ -0,0 +1,77 @@
import { safeStorage } from 'electron';
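Review bot: `safeStorage.encryptString` should only be called after `safeStorage.isEncryptionAvailable()` returns true; on Linux without a supported keyring Electron falls back to the `basic_text` backend, which does not actually protect the data, so this module should surface that state to the user (`safeStorage.getSelectedStorageBackend()` reports which backend is in use) rather than store secrets on the assumption of OS-level protection.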
Contributor


We should name the file with hyphen: secret-storage.ts.


export const name = 'Environment';
export const type = 'Environment';
export const prefix = 'env';
export const vaultEnvironmentPath = 'vault';
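Review bot: reserving `vault` as `vaultEnvironmentPath` means a user environment that already has a top-level `vault` key (the question raised below) will be merged with or shadowed by the secret namespace; validate on save and reject or warn on a plain key at that path, and document `vault` as reserved in the environment editor.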
Contributor


What will happen if vault is an existing key in the environment?

3 participants