feat: Using global private environment to save secrets[INS-4715] #8233
base: develop
a546711 to f8cb14d
b453cd8 to bfb3d55
2.secret key-value pair ui
2.Add basic integration with AWS 3.Add vault secret cache and config UI
2.add a hook to get user plan
2.AWS secret nunjucks tag config UI
…lobal environment 2.mask all secret items value when export
2.Add download vault key function
2.api and encrypt/decrypt integration
2.add notification and remove secrets
2.Modify rendering logic to expose decrypted secrets to script
9b384d8 to 3f66590
packages/insomnia/package.json
Outdated
@@ -69,6 +69,7 @@ | |||
"jshint": "^2.13.6", | |||
"jsonlint-mod-fixed": "1.7.7", | |||
"jsonpath-plus": "^6.0.1", | |||
"keytar": "^7.9.0", |
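Review bot: the added `"keytar": "^7.9.0"` line uses a caret range for a native module that would handle stored secrets. Pin it to an exact version so that a lockfile refresh cannot change the code on the credential path without a reviewed diff.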
Please evaluate alternatives to this library; it appears to be unmaintained.
I will try VS Code's solution to use electron safeStorage to replace keytar.
Refer: microsoft/vscode#185677
Use electron safeStorage instead. The encrypted secrets will be saved to local file instead of OS native secret manager.
} | ||
return Reflect.get(target, prop, receiver); | ||
}, | ||
set: (target, prop, value, receiver) => { |
We may not support this?
Another irrelevant minor observation is, when `environment.set` is called in script, open the environment modal, it will not be shown in the key-value mode until switching to the json mode and back.
Fixed, do not allow set method in vault script.
For the second issue found, I've created a ticket to fix the bug.
enabled: true, | ||
}); | ||
// get all secret items from vaultEnvironmentPath | ||
if (key === vaultEnvironmentPath && val === 'object') { |
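Review bot: in the condition on the last line, `val === 'object'` compares the value itself with the string 'object', so the branch runs only when the vault entry is literally that string. If a type check is intended, use `typeof val === 'object' && val !== null`, because `typeof null` is also 'object'.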
Maybe `typeof val === 'object'`
// invalid symmetricKey | ||
return rawValue; | ||
} | ||
const encryptReuslt = crypt.encryptAES(symmetricKey, rawValue); |
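Review bot: the `// invalid symmetricKey` branch returns `rawValue`, so a caller that expects ciphertext receives the plaintext secret with no signal that encryption was skipped. Throw or return an explicit error there so the caller cannot store or sync the value unencrypted by mistake, and rename `encryptReuslt` to `encryptResult` on the following line.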
typo `encryptReuslt`
@@ -0,0 +1,77 @@ | |||
import { safeStorage } from 'electron'; |
We should name the file with hyphen: `secret-storage.ts`.
|
||
export const name = 'Environment'; | ||
export const type = 'Environment'; | ||
export const prefix = 'env'; | ||
export const vaultEnvironmentPath = 'vault'; |
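Review bot: `vaultEnvironmentPath = 'vault'` on the last line reserves a plain, common word as a key, and nothing in these lines documents that. Add a comment on the constant stating that the key is reserved, and either reject or rename a user-defined top-level `vault` key when an environment is saved so that user data cannot shadow the secret items.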
What will happen if `vault` is an existing key in environment?
Changes
Leverage global private environment to add built-in support for secret management capabilities.
Add a new secret type environment key-value pair to store secret variables with the following features:
We also introduce a new term Vault Key.
Vault key is used to encrypt/decrypt secret environment variables. It is not synced to the cloud, so users need to save the key themselves.
User could reset the vault key, but this will remove local secret environments on all devices.
Add a new UI in Preferences page for management:
Vault secrets can be used in scripts if the user sets Enable vault in scripts in settings. (Only getting a vault secret value is allowed; set/unset/clear methods are not allowed.)
The pattern is
Tasks
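Encrypting secret environment values with a vault key and masking them on export, as the description above outlines, shown as an added example that is not Insomnia's code. It assumes AES-256-GCM through Node's `crypto` module; `encryptSecret`, `decryptSecret`, `maskSecretsForExport`, the `enc:v1:` prefix and the `type: 'secret'` item shape are hypothetical names.

```javascript
// Added example: the names and the AES-256-GCM choice are assumptions, not the project's code.
const nodeCrypto = require('node:crypto');

const PREFIX = 'enc:v1:'; // hypothetical marker that tells ciphertext apart from plaintext

// A vault key is usable only if it is exactly 32 bytes (AES-256).
function assertVaultKey(key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) {
    throw new Error('invalid vault key: refusing to process secret');
  }
}

// Encrypt one secret value. An invalid key throws instead of handing back the raw value.
function encryptSecret(key, rawValue) {
  assertVaultKey(key);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every value
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(String(rawValue), 'utf8'), cipher.final()]);
  // Stored layout: prefix + base64(iv[12] | tag[16] | ciphertext)
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt. A wrong key or a modified ciphertext fails the GCM tag check and throws.
function decryptSecret(key, stored) {
  assertVaultKey(key);
  if (typeof stored !== 'string' || !stored.startsWith(PREFIX)) {
    throw new Error('value is not vault ciphertext');
  }
  const buf = Buffer.from(stored.slice(PREFIX.length), 'base64');
  if (buf.length < 28) throw new Error('ciphertext too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(12, 28));
  return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString('utf8');
}

// Export helper: secret items leave without their value, whether encrypted or not.
function maskSecretsForExport(items) {
  return items.map(item => (item.type === 'secret' ? { ...item, value: '' } : item));
}

// Constructed sample data.
const sampleKey = nodeCrypto.randomBytes(32);
const sampleStored = encryptSecret(sampleKey, 's3cr3t-token');
console.log(decryptSecret(sampleKey, sampleStored)); // round-trips with the right key
```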