keyshade-xyz · rajdip-b · Feb 25, 2025 · Feb 25, 2025 · Feb 25, 2025
diff --git a/api-collection/Secret Controller/Fetch all by project and environment.bru b/api-collection/Secret Controller/Fetch all by project and environment.bru
@@ -0,0 +1,26 @@
+meta {
+  name: Fetch all by project and environment
+  type: http
+  seq: 5
+}
+
+get {
+  url: {{BASE_URL}}/api/secret/:project_slug/:environment_slug
+  body: none
+  auth: bearer
+}
+
+params:path {
+  project_slug: 
+  environment_slug: 
+}
+
+auth:bearer {
+  token: {{JWT}}
+}
+
+docs {
+  ## Description
+
+  Fetches all the secrets for a particular pair of project and environment. Used by the CLI to prefetch the existing secrets.
+}
diff --git a/api-collection/Variable Controller/Fetch all by project and environment.bru b/api-collection/Variable Controller/Fetch all by project and environment.bru
@@ -0,0 +1,26 @@
+meta {
+  name: Fetch all by project and environment
+  type: http
+  seq: 5
+}
+
+get {
+  url: {{BASE_URL}}/api/variable/:project_slug/:environment_slug
+  body: none
+  auth: bearer
+}
+
+params:path {
+  project_slug: project-1-uzukc
+  environment_slug: alpha-l7xvp
+}
+
+auth:bearer {
+  token: {{JWT}}
+}
+
+docs {
+  ## Description
+
+  Fetches all the variables for a particular pair of project and environment. Used by the CLI to prefetch the existing variables.
+}
@@ -154,8 +154,10 @@ describe('Project Controller Tests', () => {
   })
 
   afterEach(async () => {
-    await prisma.user.deleteMany()
-    await prisma.workspace.deleteMany()
+    await prisma.$transaction([
+      prisma.user.deleteMany(),
+      prisma.workspace.deleteMany()
+    ])
   })
 
   it('should be defined', async () => {

@@ -462,7 +462,7 @@ export class ProjectService {
         accessLevel: project.accessLevel,
         isForked: true,
         forkedFromId: project.id,
-        workspaceId: workspaceId,
+        workspaceId,
         lastUpdatedById: userId
       }
     })

@@ -110,4 +110,18 @@ export class SecretController {
       order
     )
   }
+
+  @Get('/:projectSlug/:environmentSlug')
+  @RequiredApiKeyAuthorities(Authority.READ_SECRET)
+  async getAllSecretsOfEnvironment(
+    @CurrentUser() user: AuthenticatedUser,
+    @Param('projectSlug') projectSlug: string,
+    @Param('environmentSlug') environmentSlug: string
+  ) {
+    return await this.secretService.getAllSecretsOfProjectAndEnvironment(
+      user,
+      projectSlug,
+      environmentSlug
+    )
+  }
 }
@@ -1160,4 +1160,102 @@ describe('Secret Controller Tests', () => {
       expect(event.title).toBe('Secret rotated')
     })
   })
+
+  describe('Fetch All Secrets By Project And Environment Tests', () => {
+    it('should be able to fetch all secrets by project and environment', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: `/secret/${project1.slug}/${environment1.slug}`,
+        headers: {
+          'x-e2e-user-email': user1.email
+        }
+      })
+
+      expect(response.statusCode).toBe(200)
+      expect(response.json().length).toBe(1)
+
+      const secret = response.json()[0]
+      expect(secret.name).toBe('Secret 1')
+      expect(secret.value).toBe('Secret 1 value')
+      expect(secret.isPlaintext).toBe(true)
+    })
+
+    it('should not be able to fetch all secrets by project and environment if project does not exists', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: `/secret/non-existing-project-slug/${environment1.slug}`,
+        headers: {
+          'x-e2e-user-email': user1.email
+        }
+      })
+
+      expect(response.statusCode).toBe(404)
+    })
+
+    it('should not be able to fetch all secrets by project and environment if environment does not exists', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: `/secret/${project1.slug}/non-existing-environment-slug`,
+        headers: {
+          'x-e2e-user-email': user1.email
+        }
+      })
+
+      expect(response.statusCode).toBe(404)
+    })
+
+    it('should not be able to fetch all secrets by project and environment if the user has no access to the project', async () => {
+      const response = await app.inject({
+        method: 'GET',
+        url: `/secret/${project1.slug}/${environment1.slug}`,
+        headers: {
+          'x-e2e-user-email': user2.email
+        }
+      })
+
+      expect(response.statusCode).toBe(401)
+    })
+
+    it('should not be sending the plaintext secret if project does not store the private key', async () => {
+      // Get the first environment of project 2
+      const environment = await prisma.environment.findFirst({
+        where: {
+          projectId: project2.id
+        }
+      })
+
+      // Create a secret in project 2
+      await secretService.createSecret(
+        user1,
+        {
+          name: 'Secret 20',
+          entries: [
+            {
+              environmentSlug: environment.slug,
+              value: 'Secret 20 value'
+            }
+          ],
+          rotateAfter: '24',
+          note: 'Secret 20 note'
+        },
+        project2.slug
+      )
+
+      const response = await app.inject({
+        method: 'GET',
+        url: `/secret/${project2.slug}/${environment.slug}`,
+        headers: {
+          'x-e2e-user-email': user1.email
+        }
+      })
+
+      expect(response.statusCode).toBe(200)
+      expect(response.json().length).toBe(1)
+
+      const secret = response.json()[0]
+      expect(secret.name).toBe('Secret 20')
+      expect(secret.value).not.toBe('Secret 20 value')
+      expect(secret.isPlaintext).toBe(false)
+    })
+  })
 })
@@ -24,7 +24,10 @@ import { AuthorizationService } from '@/auth/service/authorization.service'
 import { RedisClientType } from 'redis'
 import { REDIS_CLIENT } from '@/provider/redis.provider'
 import { CHANGE_NOTIFIER_RSC } from '@/socket/change-notifier.socket'
-import { ChangeNotificationEvent } from 'src/socket/socket.types'
+import {
+  ChangeNotification,
+  ChangeNotificationEvent
+} from '@/socket/socket.types'
 import { paginate } from '@/common/paginate'
 import {
   addHoursToDate,
@@ -770,6 +773,89 @@ export class SecretService {
     return { items, metadata }
   }
 
+  /**
+   * Gets all secrets of a project and environment
+   * @param user the user performing the action
+   * @param projectSlug the slug of the project
+   * @param environmentSlug the slug of the environment
+   * @returns an array of objects with the secret name and value
+   * @throws {NotFoundException} if the project or environment does not exist
+   * @throws {BadRequestException} if the user does not have the required role
+   */
+  async getAllSecretsOfProjectAndEnvironment(
+    user: AuthenticatedUser,
+    projectSlug: Project['slug'],
+    environmentSlug: Environment['slug']
+  ) {
+    // Fetch the project
+    const project =
+      await this.authorizationService.authorizeUserAccessToProject({
+        user,
+        entity: { slug: projectSlug },
+        authorities: [Authority.READ_SECRET]
+      })
+    const projectId = project.id
+
+    // Check access to the environment
+    const environment =
+      await this.authorizationService.authorizeUserAccessToEnvironment({
+        user,
+        entity: { slug: environmentSlug },
+        authorities: [Authority.READ_ENVIRONMENT]
+      })
+    const environmentId = environment.id
+
+    const secrets = await this.prisma.secret.findMany({
+      where: {
+        projectId,
+        versions: {
+          some: {
+            environmentId
+          }
+        }
+      },
+      include: {
+        lastUpdatedBy: {
+          select: {
+            id: true,
+            name: true
+          }
+        },
+        versions: {
+          where: {
+            environmentId
+          },
+          orderBy: {
+            version: 'desc'
+          },
+          take: 1,
+          include: {
+            environment: {
+              select: {
+                id: true,
+                slug: true
+              }
+            }
+          }
+        }
+      }
+    })
+
+    const response: ChangeNotification[] = []
+
+    for (const secret of secrets) {
+      response.push({
+        name: secret.name,
+        value: project.storePrivateKey
+          ? await decrypt(project.privateKey, secret.versions[0].value)
+          : secret.versions[0].value,
+        isPlaintext: project.storePrivateKey
+      })
+    }
+
+    return response
+  }
+
   /**
    * Rotate values of secrets that have reached their rotation time
    * @param currentTime the current time

@@ -106,4 +106,18 @@ export class VariableController {
       order
     )
   }
+
+  @Get('/:projectSlug/:environmentSlug')
+  @RequiredApiKeyAuthorities(Authority.READ_VARIABLE)
+  async getAllVariablesOfEnvironment(
+    @CurrentUser() user: AuthenticatedUser,
+    @Param('projectSlug') projectSlug: string,
+    @Param('environmentSlug') environmentSlug: string
+  ) {
+    return await this.variableService.getAllVariablesOfProjectAndEnvironment(
+      user,
+      projectSlug,
+      environmentSlug
+    )
+  }
 }