feat: service account kms #634
…elationship
- Added `created_by_service_account` field to associate tokens with service accounts.
- Implemented validation in `clean` method to ensure only one creator field is set.
- Introduced `get_creator_account` method to retrieve the creator, whether an organisation member or a service account.

- Introduced a new ForeignKey field to associate service account tokens with their creator service accounts.
- This migration enhances the model's relationship capabilities.

- Added a new ServiceAccountUser class to represent service account users in the authentication process.
- Updated PhaseTokenAuthentication to utilize ServiceAccountUser when the creator is not an organization member, enhancing the handling of service account tokens.

- Introduced a new field `createdByServiceAccount` to the ServiceAccountTokenType to enhance the model's relationship with service accounts.
- This addition supports better tracking of token creation by service accounts.

- Introduced `EnableServiceAccountSseMutation` to facilitate enabling third-party authentication for service accounts.
- Added `createdByServiceAccount` field to `ServiceAccountTokenType` for better tracking of token creation.
- Updated `GetServiceAccountTokensQuery` to include `createdByServiceAccount` information, enhancing the query's detail on token origins.

…ntTokens query
- Introduced `EnableServiceAccountSSE` mutation to enable third-party authentication for service accounts.
- Updated `GetServiceAccountTokens` query to include `createdByServiceAccount` field, enhancing token origin tracking.

…t-side key management mutation
- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for clarity.
- Introduced `EnableServiceAccountClientSideKeyManagementMutation` to manage client-side key management, allowing for the deletion of server-wrapped keys and enhancing service account security management.

- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for improved clarity.
- Added `EnableServiceAccountClientSideKeyManagementMutation` to support client-side key management, enhancing service account security features.

- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for better clarity.
- Added `EnableServiceAccountClientSideKeyManagementMutation` to facilitate client-side key management, improving service account security features.

- Replaced `EnableServiceAccountSSE` mutation with `EnableSAClientKeyManagement` and `EnableSAServerKeyManagement` mutations to enhance key management capabilities.
- Updated `GetServiceAccountDetail` query to include `thirdPartyAuthEnabled` field, improving service account detail retrieval.

- Introduced `EnableServiceAccountClientSideKeyManagementMutation` and `EnableServiceAccountServerSideKeyManagementMutation` to improve key management capabilities.
- Updated `GetServiceAccountDetail` query to include `thirdPartyAuthEnabled` field for better service account detail retrieval.
- Renamed existing mutations for clarity and consistency in naming conventions.

- Introduced `wrapServiceAccountSecretsForServer` to securely wrap service account keyring and recovery for server-side encryption.
- Added `unwrapServiceAccountSecretsForUser` to decrypt and retrieve the original keyring and recovery for the current user.
- Enhanced documentation with detailed JSDoc comments for both functions, improving code clarity and usability.

- Introduced `KeyManagementDialog` component to manage service account key settings, allowing users to switch between client-side and server-side key management.
- Integrated Apollo Client for querying and mutating service account data, enhancing user experience with real-time updates.
- Added user permission checks to ensure only authorized users can manage key settings, improving security and usability.
- Included visual alerts and feedback for actions taken within the dialog, enhancing user interaction and clarity.

…mation
- Updated the `ServiceAccountTokens` component to conditionally render the creator's information, supporting both user and service account creators.
- Added fallback text for unknown creators, improving user experience and clarity in token origin tracking.

- Enhanced the `GetServiceAccountTokens` query by including the `createdByServiceAccount` field, which provides details about the creator of the service account tokens, improving tracking and transparency of token origins.

…nabled in ServiceAccountType
- Updated the `ServiceAccountType` to replace the `third_party_auth_enabled` field with `server_side_key_management_enabled`, reflecting a clearer purpose for server-side key management.
- Adjusted the corresponding resolver method to match the new field name, ensuring consistency in the API.

- Replaced the `thirdPartyAuthEnabled` field with `serverSideKeyManagementEnabled` in the `ServiceAccountType` to better reflect the functionality of server-side key management.
- Updated the `GetServiceAccountDetail` query and related mutations to utilize the new field, ensuring consistency across the API.
- Adjusted the GraphQL documents and types to align with the new schema changes, enhancing clarity and usability in service account management.

…tail query
- Updated the `GetServiceAccountDetail` query to include the `serverSideKeyManagementEnabled` field, enhancing the detail provided for service accounts and aligning with recent schema changes for key management.

…gement for service accounts
- Introduced `EnableSAClientKeyManagement` mutation to enable client-side key management for service accounts.
- Added `EnableSAServerKeyManagement` mutation to enable server-side key management, requiring additional parameters for secure key handling.
- Enhanced service account management capabilities by providing distinct mutations for both client-side and server-side key management.

- Replaced instances of thirdPartyAuthEnabled with serverSideKeyManagementEnabled in KeyManagementDialog component to ensure accurate state management for key management modes.
- Adjusted modal open/close behavior and save logic to reflect the new field, enhancing the functionality and clarity of service account key management.

- Added visual indicators for server-side and client-side key management modes in the ServiceAccount component.
- Integrated KeyManagementDialog for managing key settings, allowing users to switch between management modes.
- Improved user experience by providing clear labels and management options based on the service account's key management configuration.

…ssary state updates
- Updated the save handler in KeyManagementDialog to close the modal immediately after saving, improving user experience.
- Removed redundant state updates and comments related to mode changes, simplifying the code and enhancing clarity.
- Adjusted the rendering logic to eliminate unnecessary alerts, focusing on relevant user feedback for key management actions.

- Eliminated the alert related to server-side key management in the KeyManagementDialog component, streamlining the user interface and focusing on relevant feedback for client-side management.
- This change enhances clarity and reduces visual clutter for users managing service account keys.

- Introduced a new module with functions to parse, format, and validate TTL strings, enhancing the handling of time-related data.
- Added examples for common TTL formats, improving usability and clarity for developers working with time-to-live values.
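The commit above describes a module that parses, formats and validates TTL strings for access tokens. The block below is an added Python illustration of that kind of module, written for this page; it is not the project's `frontend/utils/ttl.ts`. It goes slightly beyond the commit by adding a policy ceiling, the limit a server should enforce on token lifetimes regardless of what the client sends. The accepted units, the 90-day ceiling, the sample table and every function name are assumptions.

```python
"""TTL parsing, formatting and validation (added illustration, not project code).

Assumptions: units s/m/h/d/w, a strict "<integer><unit>" grammar, and a
90-day policy ceiling on token lifetimes.
"""
import re
from typing import Dict, Optional, Tuple

# Accepted suffixes and their length in seconds (assumed unit set).
UNIT_SECONDS: Dict[str, int] = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^\s*(\d+)\s*([smhdw])\s*$", re.IGNORECASE)

# Assumed policy ceiling for an access-token lifetime: 90 days.
MAX_TTL_SECONDS = 90 * 86400

# Constructed examples of common TTL formats and their value in seconds.
TTL_EXAMPLES: Dict[str, int] = {
    "30s": 30, "15m": 900, "1h": 3600, "12h": 43200, "7d": 604800, "2w": 1209600,
}


def parse_ttl(text: Optional[str]) -> Optional[int]:
    """Convert '15m' / '2h' / '7d' into seconds.

    Returns None for anything outside the strict grammar: empty input,
    words such as 'never', negative numbers, decimals, unknown units, and a
    zero value (a token that expires immediately is never what was meant).
    """
    match = TTL_RE.match(text or "")
    if not match:
        return None
    value = int(match.group(1))
    if value == 0:
        return None
    return value * UNIT_SECONDS[match.group(2).lower()]


def format_ttl(seconds: int) -> str:
    """Render seconds in the largest unit that divides them exactly,
    so 7200 -> '2h' but 5400 -> '90m' (never a lossy rounding)."""
    if seconds < 0:
        raise ValueError("TTL cannot be negative")
    if seconds == 0:
        return "0s"
    for unit in ("w", "d", "h", "m", "s"):
        size = UNIT_SECONDS[unit]
        if seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"  # not reached: 's' always divides


def validate_ttl(text: Optional[str], max_seconds: int = MAX_TTL_SECONDS) -> Tuple[bool, str]:
    """Validate a user-supplied TTL against the grammar and the policy ceiling.

    Returns (ok, message). The message contains nothing secret and can be
    shown to the caller as-is.
    """
    seconds = parse_ttl(text)
    if seconds is None:
        return False, "TTL must be a positive integer followed by s, m, h, d or w"
    if seconds > max_seconds:
        return False, f"TTL exceeds the maximum of {format_ttl(max_seconds)}"
    return True, f"token will expire after {format_ttl(seconds)}"


if __name__ == "__main__":
    for sample in ("15m", "7d", "365d", "never", "0s"):
        print(sample, "->", validate_ttl(sample))
```

Because `parse_ttl` rejects rather than guesses, a malformed TTL can never silently become a long-lived token; the ceiling in `validate_ttl` is the server-side backstop that a UI-only check cannot provide.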
…rations
- Introduced a new IdentityProviders class to encapsulate configurations for supported identity providers, enhancing the structure for identity authentication.
- Implemented methods to retrieve all providers, supported providers, and specific provider configurations, improving the usability and maintainability of identity management.

- Introduced a new Identity model to manage third-party identity configurations at the organization level, allowing multiple service accounts to be associated with a single identity.
- Added fields for provider-specific configurations, token settings, and methods to retrieve trusted principals, enhancing the flexibility and usability of identity management.
@cursor review
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
feat: external identities - AWS IAM
Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
Pull Request Overview
This PR extends the service account key management system to support server-side key management (KMS) alongside the existing client-side approach. The implementation introduces external identities for third-party authentication and adds AWS IAM as the first supported provider.
- Added server-side key management toggle for service accounts with cryptographic utilities
- Implemented external identity system with AWS IAM provider support
- Refactored TTL utilities to shared module and enhanced service account token tracking
Reviewed Changes
Copilot reviewed 52 out of 58 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| frontend/utils/ttl.ts | New utility module for TTL parsing and formatting |
| frontend/utils/crypto/service-accounts.ts | Added crypto functions for wrapping/unwrapping SA keys |
| frontend/components/service-accounts/KeyManagementDialog.tsx | Dialog for switching between client/server KMS modes |
| frontend/components/identities/providers/aws/iam.tsx | AWS IAM identity configuration form |
| backend/api/models.py | Added Identity model and ServiceAccount relationships |
| backend/api/views/identities/aws/iam.py | AWS IAM authentication endpoint |
| backend/api/utils/crypto.py | New crypto utilities for key splitting and wrapping |
```tsx
} else if (selectedMode === 'client' && serviceAccount.serverSideKeyManagementEnabled) {
  // Disable server-side encryption (switch to client-side)
  await handleDisableSSE()
} else {
```
Empty else block should be removed as it serves no purpose.
@cursor review
✅ Bugbot reviewed your changes and found no bugs!
🔍 Overview
This PR extends the Service Account key management system to add support for server-side key management. Server-side key management allows the Phase service to securely manage cryptographic keys on behalf of users on the backend. This allows the Phase API to create and manage Access Tokens for service accounts. This also opens the door for newer features such as external identities, which allow Phase to use third-party identity systems such as AWS IAM, the Kubernetes API, GitHub Actions, and other providers that support OIDC etc. to authenticate clients and issue Access Tokens.
Dependency for: #654
💡 Proposed Changes
🖼️ Screenshots or Demo
Service Account KMS dialog when client-side key management is enabled
Service Account KMS dialog when server-side key management is enabled
Switching back to client-side key management
📝 Release Notes
- `third_party_auth_enabled` -> `server_side_key_management_enabled`, `resolve_third_party_auth_enabled`, `resolve_server_side_key_management_enabled`
- `server_wrapped_keyring`, `server_wrapped_recovery`
- `PhaseTokenAuthentication` class to support Service Account user model for when an Access Token is not created by a User.

🎯 Reviewer Focus
- `frontend/utils/crypto/service-accounts.ts` used to wrap Service Account keys with server keys
- `server_wrapped_keyring`, `server_wrapped_recovery` when switching between KMS modes
- `auth.py` to satisfy DRF requirements.
- `backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py`
💚 Did You...
Note
Adds server-side key management for Service Accounts and introduces External Identities with AWS IAM auth to mint tokens, with full API/GraphQL and UI to manage identities and link them to accounts.
- `Identity` model with M2M on `ServiceAccount`; migrations `0110`, `0111`.
- `GetCallerIdentity` and mint ServiceAccount tokens; utilities for STS endpoints and token minting; unit tests added.
- `created_by_service_account`; DRF auth updated to support service-account-originated tokens; serializer targets `ServiceAccountToken`.
- `ExternalIdentities` permissions across roles.
- `aws_sts_endpoints`, `identity_providers`, `identities`; SA key-management mutations (enable server/client); schema/types updated (e.g., `serverSideKeyManagementEnabled`, `Identity*`).
- `xor_bytes`, secret splitting/wrapping, ed25519→curve25519, `random_hex`.
- `public/identities/external/v1/aws/iam/auth/`.

Written by Cursor Bugbot for commit c751c8a.
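The summary above lists `xor_bytes` and secret splitting/wrapping among the backend crypto utilities, and the Copilot table describes `backend/api/utils/crypto.py` as "key splitting and wrapping". The block below is an added illustration of XOR-based secret splitting written for this page; it is not Phase's `crypto.py`. It generalises the two-share case implied by the page (one server-held share, one share wrapped for the user) to n shares, and adds the two checks a reviewer of such a utility would ask about: a constant-time integrity check on reconstruction, since XOR sharing gives none on its own, and a demonstration of why a random share must never be reused for a second secret. The function names, the SHA-256 commitment and the sample keyring are assumptions.

```python
"""XOR secret splitting with an integrity check (added illustration, not project code).

Assumptions: a secret is split into n shares whose XOR equals the secret; any
n-1 shares are uniformly random and reveal nothing. A SHA-256 commitment of the
secret is stored next to the shares so tampering is detected on reconstruction.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a length mismatch is a hard error
    rather than a silent truncation to the shorter operand."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, n: int = 2) -> List[bytes]:
    """Split `secret` into n shares: n-1 shares drawn from the OS CSPRNG plus
    one computed share, so that XOR of all n shares equals the secret.
    Each individual share (and any n-1 of them) is uniform, independent of
    the secret, which is what makes a server-held share safe to store."""
    if n < 2:
        raise ValueError("need at least two shares")
    if not secret:
        raise ValueError("refusing to split an empty secret")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """Recover the secret by XOR-ing every share together."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))  # all-zero start value
    for share in shares:
        out = xor_bytes(out, share)
    return out


def commitment(secret: bytes) -> bytes:
    """SHA-256 of the secret, stored alongside the shares. XOR sharing has no
    integrity of its own: a flipped bit in any share flips the same bit in the
    recovered secret with no error, so the commitment is what catches it."""
    return hashlib.sha256(secret).digest()


def reconstruct_verified(shares: List[bytes], expected: bytes) -> Tuple[bool, bytes]:
    """Combine shares and compare the result's commitment to `expected`
    in constant time. Returns (ok, candidate); callers must discard the
    candidate when ok is False."""
    candidate = combine_shares(shares)
    ok = hmac.compare_digest(commitment(candidate), expected)
    return ok, candidate


def share_reuse_leak(secret_a: bytes, secret_b: bytes, mask: bytes) -> bytes:
    """Failure mode to design against: if one random share masks two different
    secrets, XOR of the two masked values equals XOR of the two plaintexts, so
    the mask protects neither. Returns secret_a ^ secret_b computed purely from
    the masked values, which is why every split must draw fresh randomness."""
    return xor_bytes(xor_bytes(secret_a, mask), xor_bytes(secret_b, mask))


# Constructed sample: a placeholder 32-byte "keyring", not a real key.
SAMPLE_KEYRING = bytes(range(32))

if __name__ == "__main__":
    shares = split_secret(SAMPLE_KEYRING, 2)
    digest = commitment(SAMPLE_KEYRING)
    ok, recovered = reconstruct_verified(shares, digest)
    print("recovered intact:", ok and recovered == SAMPLE_KEYRING)
    tampered = [shares[0], bytes([shares[1][0] ^ 0x01]) + shares[1][1:]]
    print("tampered share detected:", not reconstruct_verified(tampered, digest)[0])
```

The two-share case is the one the page's `server_wrapped_keyring` / `server_wrapped_recovery` fields suggest: the server's share can sit in the database because on its own it is indistinguishable from random bytes, and the commitment check means a corrupted or swapped share fails closed instead of yielding a wrong keyring that is then used for encryption.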