Merge pull request #84 from Infisical/feat/pam-approval-flow

feat: implemented approval flow for pam access

Author: akhilmhdh

packages/api/api.go

@@ -48,6 +48,7 @@ const (
 	operationCallGetOrgRelays                      = "CallGetOrgRelays"
 	operationCallRegisterGateway                   = "CallRegisterGateway"
 	operationCallPAMAccess                         = "CallPAMAccess"
+	operationCallPAMAccessApprovalRequest          = "CallPAMAccessApprovalRequest"
 	operationCallPAMSessionCredentials             = "CallPAMSessionCredentials"
 	operationCallGetPamSessionKey                  = "CallGetPamSessionKey"
 	operationCallUploadPamSessionLog               = "CallUploadPamSessionLog"
@@ -865,6 +866,26 @@ func CallPAMAccess(httpClient *resty.Client, request PAMAccessRequest) (PAMAcces
 	return pamAccessResponse, nil
 }
 
+func CallPAMAccessApprovalRequest(httpClient *resty.Client, request PAMAccessApprovalRequest) (PAMAccessApprovalRequestResponse, error) {
+	var pamAccessApprovalRequestResponse PAMAccessApprovalRequestResponse
+	response, err := httpClient.
+		R().
+		SetResult(&pamAccessApprovalRequestResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v1/approval-policies/pam-access/requests", config.INFISICAL_URL))
+
+	if err != nil {
+		return PAMAccessApprovalRequestResponse{}, NewGenericRequestError(operationCallPAMAccessApprovalRequest, err)
+	}
+
+	if response.IsError() {
+		return PAMAccessApprovalRequestResponse{}, NewAPIErrorWithResponse(operationCallPAMAccessApprovalRequest, response, nil)
+	}
+
+	return pamAccessApprovalRequestResponse, nil
+}
+
 func CallPAMSessionCredentials(httpClient *resty.Client, sessionId string) (PAMSessionCredentialsResponse, error) {
 	var pamSessionCredentialsResponse PAMSessionCredentialsResponse
 	response, err := httpClient.

packages/api/model.go

@@ -790,6 +790,24 @@ type PAMAccessResponse struct {
 	Metadata                      map[string]string `json:"metadata,omitempty"`
 }
 
+type PAMAccessApprovalRequestPayloadRequestData struct {
+	AccountPath    string `json:"accountPath"`
+	AccessDuration string `json:"accessDuration"`
+}
+
+type PAMAccessApprovalRequest struct {
+	ProjectId   string                                     `json:"projectId"`
+	RequestData PAMAccessApprovalRequestPayloadRequestData `json:"requestData"`
+}
+
+type PAMAccessApprovalRequestResponse struct {
+	Request struct {
+		ID        string `json:"id"`
+		ProjectId string `json:"projectId"`
+		OrgId     string `json:"organizationId"`
+	} `json:"request"`
+}
+
 type PAMSessionCredentialsResponse struct {
 	Credentials PAMSessionCredentials `json:"credentials"`
 }

packages/pam/local/database-proxy.go

@@ -2,18 +2,22 @@ package pam
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
 	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/pam/session"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/go-resty/resty/v2"
+	"github.com/manifoldco/promptui"
 	"github.com/rs/zerolog/log"
 )
 
@@ -30,6 +34,18 @@ const (
 	ALPNInfisicalPAMCancellation ALPN = "infisical-pam-session-cancellation"
 )
 
+func askForApprovalRequestTrigger() (bool, error) {
+	prompt := promptui.Prompt{
+		Label:     "This action requires approval. You may create an approval request now. Continue?",
+		IsConfirm: true,
+	}
+	result, err := prompt.Run()
+	if err != nil {
+		return false, err
+	}
+	return strings.ToLower(result) == "y", nil
+}
+
 func StartDatabaseLocalProxy(accessToken string, accountPath string, projectID string, durationStr string, port int) {
 	log.Info().Msgf("Starting database proxy for account: %s", accountPath)
 	log.Info().Msgf("Session duration: %s", durationStr)
@@ -46,6 +62,48 @@ func StartDatabaseLocalProxy(accessToken string, accountPath string, projectID s
 
 	pamResponse, err := api.CallPAMAccess(httpClient, pamRequest)
 	if err != nil {
+		var apiErr *api.APIError
+		if errors.As(err, &apiErr) && apiErr.ErrorMessage == "A policy is in place for this resource" {
+			if v, ok := apiErr.Details.(map[string]any); ok {
+				log.Info().Msgf("Account is protected by approval policy: %s", v["policyName"])
+
+				shouldSendRequest, err := askForApprovalRequestTrigger()
+				if err != nil {
+					if errors.Is(err, promptui.ErrAbort) {
+						log.Info().Msgf("Approval request was not created.")
+					} else {
+						util.HandleError(err, "Failed to send PAM account request")
+					}
+					return
+				}
+
+				if !shouldSendRequest {
+					log.Info().Msgf("Approval request was not created.")
+					return
+				}
+
+				approvalReq, err := api.CallPAMAccessApprovalRequest(httpClient, api.PAMAccessApprovalRequest{
+					ProjectId: projectID,
+					RequestData: api.PAMAccessApprovalRequestPayloadRequestData{
+						AccountPath:    accountPath,
+						AccessDuration: durationStr,
+					},
+				})
+				if err != nil {
+					util.HandleError(err, "Failed to send PAM account request")
+					return
+				}
+
+				url := fmt.Sprintf("%s/organizations/%s/projects/pam/%s/approval-requests/%s", strings.TrimSuffix(config.INFISICAL_URL, "/api"), approvalReq.Request.OrgId, approvalReq.Request.ProjectId, approvalReq.Request.ID)
+				if err := util.OpenBrowser(url); err != nil {
+					log.Error().Msgf("Failed to do browser redirect: %v", err)
+				}
+				log.Info().Msgf("Approval request created.")
+				log.Info().Msgf("View details at: %s", url)
+				return
+			}
+		}
+
 		util.HandleError(err, "Failed to access PAM account")
 		return
 	}

packages/util/helper.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -558,3 +559,17 @@ func GenerateETagFromSecrets(secrets []models.SingleEnvironmentVariable) string
 func IsDevelopmentMode() bool {
 	return CLI_VERSION == "devel"
 }
+
+// OpenBrowser attempts to open a URL in the user's default browser
+func OpenBrowser(url string) error {
+	var cmd *exec.Cmd
+	switch runtime.GOOS {
+	case "darwin":
+		cmd = exec.Command("open", url)
+	case "windows":
+		cmd = exec.Command("cmd", "/c", "start", url)
+	default: // linux and others
+		cmd = exec.Command("xdg-open", url)
+	}
+	return cmd.Start()
+}