diff --git a/e2e/go.mod b/e2e/go.mod
index 94e1ad8c..129b52f7 100644
--- a/e2e/go.mod
+++ b/e2e/go.mod
@@ -151,7 +151,7 @@ require (
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/in-toto/in-toto-golang v0.9.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/infisical/go-sdk v0.6.1 // indirect
+ github.com/infisical/go-sdk v0.6.8 // indirect
 github.com/infisical/infisical-kmip v0.3.17 // indirect
 github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf // indirect
 github.com/jackc/pgpassfile v1.0.0 // indirect
diff --git a/e2e/go.sum b/e2e/go.sum
index 33a28f7f..6f6ecc8b 100644
--- a/e2e/go.sum
+++ b/e2e/go.sum
@@ -537,8 +537,8 @@ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.6.1 h1:T/OKssiNUsjvWNk8ZVStbrEEoEbOnp0XhbxAkV8fWdg=
-github.com/infisical/go-sdk v0.6.1/go.mod h1:A6l7EhwCkPw8tmJjgA09KtueEHYko+VdGCEupK8hL08=
+github.com/infisical/go-sdk v0.6.8 h1:OB0d4v9Nm+ioA5it1SQaOGGv5qXWEwfYsxRqZZkxHMk=
+github.com/infisical/go-sdk v0.6.8/go.mod h1:A6l7EhwCkPw8tmJjgA09KtueEHYko+VdGCEupK8hL08=
 github.com/infisical/infisical-kmip v0.3.17 h1:5dBuyzHs+BxZD30JYBNufnoxRJNyPThL6lR4YPRWf4w=
 github.com/infisical/infisical-kmip v0.3.17/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf h1:FtEj8sfIcaaBfAKrE1Cwb61YDtYq9JxChK1c7AKce7s=
diff --git a/go.mod b/go.mod
index bc5a1086..92ccdc1f 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.24.11
 require (
 github.com/BobuSumisu/aho-corasick v1.0.3
 github.com/Masterminds/sprig/v3 v3.3.0
+ github.com/awnumar/memguard v0.23.0
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0
 github.com/charmbracelet/lipgloss v0.9.1
 github.com/creack/pty v1.1.21
@@ -15,7 +16,7 @@ require (
 github.com/go-mysql-org/go-mysql v1.13.0
 github.com/google/uuid v1.6.0
 github.com/h2non/filetype v1.1.3
- github.com/infisical/go-sdk v0.6.1
+ github.com/infisical/go-sdk v0.6.8
 github.com/infisical/infisical-kmip v0.3.17
 github.com/jackc/pgx/v5 v5.7.6
 github.com/mattn/go-isatty v0.0.20
@@ -60,7 +61,6 @@ require (
 github.com/alessio/shellescape v1.4.1 // indirect
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
 github.com/awnumar/memcall v0.4.0 // indirect
- github.com/awnumar/memguard v0.23.0 // indirect
 github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
 github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
diff --git a/go.sum b/go.sum
index d919ef24..783e9070 100644
--- a/go.sum
+++ b/go.sum
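Review bot: The `@@ -5,6 +5,7 @@` hunk promotes github.com/awnumar/memguard v0.23.0 from the indirect block to a direct requirement, but no file in this patch imports it. If the import lives in a file outside this diff that is fine; otherwise `go mod tidy` will move the line back to `// indirect` on the next run, so it is worth confirming before merge which package in this module now references memguard.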
@@ -357,8 +357,8 @@ github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.6.1 h1:T/OKssiNUsjvWNk8ZVStbrEEoEbOnp0XhbxAkV8fWdg=
-github.com/infisical/go-sdk v0.6.1/go.mod h1:A6l7EhwCkPw8tmJjgA09KtueEHYko+VdGCEupK8hL08=
+github.com/infisical/go-sdk v0.6.8 h1:OB0d4v9Nm+ioA5it1SQaOGGv5qXWEwfYsxRqZZkxHMk=
+github.com/infisical/go-sdk v0.6.8/go.mod h1:A6l7EhwCkPw8tmJjgA09KtueEHYko+VdGCEupK8hL08=
 github.com/infisical/infisical-kmip v0.3.17 h1:5dBuyzHs+BxZD30JYBNufnoxRJNyPThL6lR4YPRWf4w=
 github.com/infisical/infisical-kmip v0.3.17/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
diff --git a/packages/cmd/gateway.go b/packages/cmd/gateway.go
index 143cbddb..6dfde912 100644
--- a/packages/cmd/gateway.go
+++ b/packages/cmd/gateway.go
@@ -515,6 +515,7 @@ func init() {
 gatewayStartCmd.Flags().String("name", "", "name of the gateway")
 gatewayStartCmd.Flags().String("token", "", "connect with Infisical using machine identity access token. if not provided, you must set the auth-method flag")
 gatewayStartCmd.Flags().String("auth-method", "", "login method [universal-auth, kubernetes, azure, gcp-id-token, gcp-iam, aws-iam, oidc-auth]. if not provided, you must set the token flag")
+ gatewayStartCmd.Flags().String("organization-slug", "", "When set, this will scope the login session to the specified sub-organization the machine identity has access to. If left empty, the session defaults to the organization where the machine identity was created in.")
 gatewayStartCmd.Flags().String("client-id", "", "client id for universal auth")
 gatewayStartCmd.Flags().String("client-secret", "", "client secret for universal auth")
 gatewayStartCmd.Flags().String("machine-identity-id", "", "machine identity id for kubernetes, azure, gcp-id-token, gcp-iam, and aws-iam auth methods")
diff --git a/packages/cmd/login.go b/packages/cmd/login.go
index 3a419673..30c2ad1d 100644
--- a/packages/cmd/login.go
+++ b/packages/cmd/login.go
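Review bot: The help string for the new `organization-slug` flag breaks the register of every neighbouring flag in this hunk and in the matching loginCmd hunk below: the others are short lowercase fragments ("name of the gateway", "client id for universal auth") while this one is two capitalised sentences, and `--help` output will look uneven. Something like `"scope the login session to this sub-organization the machine identity has access to. if not provided, defaults to the organization the identity was created in"` keeps the existing style in both files. The init function continues outside the hunk.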
@@ -399,6 +399,7 @@ func init() {
 loginCmd.Flags().String("method", "user", "login method [user, universal-auth, kubernetes, azure, gcp-id-token, gcp-iam, aws-iam, oidc-auth]")
 loginCmd.Flags().String("client-id", "", "client id for universal auth")
 loginCmd.Flags().String("client-secret", "", "client secret for universal auth")
+ loginCmd.Flags().String("organization-slug", "", "When set for machine identity login, this will scope the login session to the specified sub-organization the machine identity has access to. If left empty, the session defaults to the organization where the machine identity was created in.")
 loginCmd.Flags().String("machine-identity-id", "", "machine identity id for these login methods [kubernetes, azure, gcp-id-token, gcp-iam, aws-iam]")
 loginCmd.Flags().String("service-account-token-path", "", "service account token path for kubernetes auth")
 loginCmd.Flags().String("service-account-key-file-path", "", "service account key file path for GCP IAM auth")
diff --git a/packages/util/auth.go b/packages/util/auth.go
index 45ab303e..a40f6022 100644
--- a/packages/util/auth.go
+++ b/packages/util/auth.go
@@ -117,7 +117,14 @@ func (a *SdkAuthenticator) HandleUniversalAuthLogin() (credential infisicalSdk.M
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().UniversalAuthLogin(clientId, clientSecret)
+ // We are not providing an environment variable because infisical go sdk will check for the environment variable when value is emtpy
+ // Refer: https://github.com/Infisical/go-sdk/blob/main/packages/util/constants.go#L10
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).UniversalAuthLogin(clientId, clientSecret)
 }
 
 func (a *SdkAuthenticator) HandleJwtAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -132,7 +139,12 @@ func (a *SdkAuthenticator) HandleJwtAuthLogin() (credential infisicalSdk.Machine
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().JwtAuthLogin(identityId, jwt)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).JwtAuthLogin(identityId, jwt)
 }
 
 func (a *SdkAuthenticator) HandleKubernetesAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
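Review bot: The five-line organization-slug lookup is pasted verbatim into all nine login handlers in this file (this hunk, the JwtAuth hunk below it, and the Kubernetes, Azure, GCP ID token, GCP IAM, AWS IAM, OIDC and LDAP hunks that follow), and only the first copy carries the comment explaining why the env-var list passed to GetCmdFlagOrEnvWithDefaultValue is empty; a small unexported method on SdkAuthenticator would keep the flag name and the rationale in one place and stop one handler drifting from the others. The comment also has a typo, `emtpy` → `empty`. Whether `WithOrganizationSlug("")` really means "not scoped" rests on the SDK resolving its own environment variable for an empty value, as the comment asserts; since the slug decides which organization the resulting session is authorized for, that is worth re-checking against the v0.6.8 pinned in go.mod rather than the `main` link in the comment. Each handler's opening lines lie outside its hunk.
```go
// organizationSlug returns the --organization-slug flag value, or "" when unset.
// No environment-variable fallback is listed on purpose: the Infisical go-sdk
// resolves its own environment variable when the slug it receives is empty.
func (a *SdkAuthenticator) organizationSlug() (string, error) {
	return GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
}

func (a *SdkAuthenticator) HandleUniversalAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
	// … unchanged: client id / client secret lookup …
	organizationSlug, err := a.organizationSlug()
	if err != nil {
		return infisicalSdk.MachineIdentityCredential{}, err
	}

	return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).UniversalAuthLogin(clientId, clientSecret)
}
// … the other eight handlers call a.organizationSlug() the same way …
```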
@@ -147,7 +159,12 @@ func (a *SdkAuthenticator) HandleKubernetesAuthLogin() (credential infisicalSdk.
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().KubernetesAuthLogin(identityId, serviceAccountTokenPath)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).KubernetesAuthLogin(identityId, serviceAccountTokenPath)
 }
 
 func (a *SdkAuthenticator) HandleAzureAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -157,7 +174,12 @@ func (a *SdkAuthenticator) HandleAzureAuthLogin() (credential infisicalSdk.Machi
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().AzureAuthLogin(identityId, "")
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).AzureAuthLogin(identityId, "")
 }
 
 func (a *SdkAuthenticator) HandleGcpIdTokenAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -167,7 +189,12 @@ func (a *SdkAuthenticator) HandleGcpIdTokenAuthLogin() (credential infisicalSdk.
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().GcpIdTokenAuthLogin(identityId)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).GcpIdTokenAuthLogin(identityId)
 }
 
 func (a *SdkAuthenticator) HandleGcpIamAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -182,7 +209,12 @@ func (a *SdkAuthenticator) HandleGcpIamAuthLogin() (credential infisicalSdk.Mach
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().GcpIamAuthLogin(identityId, serviceAccountKeyFilePath)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).GcpIamAuthLogin(identityId, serviceAccountKeyFilePath)
 }
 
 func (a *SdkAuthenticator) HandleAwsIamAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -192,7 +224,12 @@ func (a *SdkAuthenticator) HandleAwsIamAuthLogin() (credential infisicalSdk.Mach
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().AwsIamAuthLogin(identityId)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).AwsIamAuthLogin(identityId)
 }
 
 func (a *SdkAuthenticator) HandleOidcAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -207,7 +244,12 @@ func (a *SdkAuthenticator) HandleOidcAuthLogin() (credential infisicalSdk.Machin
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().OidcAuthLogin(identityId, jwt)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).OidcAuthLogin(identityId, jwt)
 }
 
 func (a *SdkAuthenticator) HandleLdapAuthLogin() (credential infisicalSdk.MachineIdentityCredential, e error) {
@@ -226,5 +268,10 @@ func (a *SdkAuthenticator) HandleLdapAuthLogin() (credential infisicalSdk.Machin
 return infisicalSdk.MachineIdentityCredential{}, err
 }
 
- return a.infisicalClient.Auth().LdapAuthLogin(identityId, ldapUsername, ldapPassword)
+ organizationSlug, err := GetCmdFlagOrEnvWithDefaultValue(a.cmd, "organization-slug", []string{}, "")
+ if err != nil {
+ return infisicalSdk.MachineIdentityCredential{}, err
+ }
+
+ return a.infisicalClient.Auth().WithOrganizationSlug(organizationSlug).LdapAuthLogin(identityId, ldapUsername, ldapPassword)
 }