feat(pam): PAM Platform V1 #4590
✅ Snyk checks have passed. No issues have been found so far.
@greptile review this
Greptile Overview
Summary
This PR introduces PAM Platform V1, a comprehensive privileged access management system that enables secure access to database resources through encrypted credential management and session tracking.
Key Components:
- Database Schema: Four new tables (pam_folders, pam_resources, pam_accounts, pam_sessions) with proper indexing and foreign key constraints
- Backend Services: Complete CRUD operations for resources, accounts, folders, and sessions with encryption, permission checks, and license validation
- Frontend Interface: React components for managing PAM resources, accounts, and monitoring sessions with form validation and UI components
- Gateway Integration: Session-based access control that provides temporary credentials to gateways for establishing resource connections
Security Features:
- All sensitive data (credentials, connection details) is encrypted at rest using KMS
- Permission-based access control with granular PAM-specific permissions
- Session tracking with expiration times and status management
- Actor information captured for audit trails
Architecture:
The system follows a secure access pattern where users request access to accounts, creating temporary sessions that gateways use to retrieve decrypted credentials and establish connections to target resources.
Confidence Score: 4/5
- This PR is generally safe to merge with one minor validation issue that should be addressed
- The PAM platform implementation follows security best practices with proper encryption, permission checks, and license validation. Database queries use safe patterns with proper filtering. The only issue found is missing character length validation for username fields which could cause database insertion failures.
- frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/shared/sql-account-schemas.ts - needs username length validation
Important Files Changed
File Analysis
Filename | Score | Overview |
---|---|---|
backend/src/db/migrations/20250917052037_pam.ts | 5/5 | PAM database schema migration creating four tables with proper indexes and foreign key constraints |
backend/src/ee/services/pam-resource/pam-resource-service.ts | 4/5 | Core PAM service with proper permission checks, encryption, and license validation |
frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/shared/sql-account-schemas.ts | 3/5 | Account validation schema missing character length validation for username field |
backend/src/ee/services/pam-resource/pam-account-dal.ts | 5/5 | Account data access layer with safe JOIN query implementation using proper filter wrapping |
backend/src/ee/services/pam-resource/pam-resource-schemas.ts | 5/5 | Resource and account schemas with proper validation limits and slug patterns |
Sequence Diagram
sequenceDiagram
participant User
participant Frontend
participant Backend
participant Gateway
participant Database
participant Resource
User->>Frontend: Create PAM Resource
Frontend->>Backend: POST /v1/pam/resources
Backend->>Database: Insert resource with encrypted connection details
Backend->>Gateway: Validate connection
Backend->>Frontend: Resource created
User->>Frontend: Create PAM Account
Frontend->>Backend: POST /v1/pam/accounts
Backend->>Database: Insert account with encrypted credentials
Backend->>Resource: Validate account credentials
Backend->>Frontend: Account created
User->>Frontend: Access Account
Frontend->>Backend: POST /v1/pam/accounts/access
Backend->>Database: Create PAM session (Starting status)
Backend->>Gateway: Get gateway connection details
Backend->>Frontend: Return session ID & certificates
Gateway->>Backend: GET /v1/pam/sessions/{id}/credentials
Backend->>Database: Update session status to Active
Backend->>Database: Get decrypted account & resource details
Backend->>Gateway: Return credentials for connection
Gateway->>Resource: Establish connection using credentials
Resource->>Gateway: Connection established
Gateway->>User: Proxy connection to resource
152 files reviewed, 1 comment
…rm/shared/sql-account-schemas.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@greptile review this
Greptile Overview
Summary
This review covers only the changes made since the last review, not the entire PR. The changes implement comprehensive improvements to the PAM (Privileged Access Management) Platform V1 feature, focusing on several key areas:
API Architecture Refactoring: The PAM system has been restructured to separate account management from resource management concerns. Account operations have been moved from nested endpoints under resources (/pam/resources/{type}/{id}/accounts) to direct account endpoints (/pam/accounts/{type}). This creates cleaner separation of concerns and follows RESTful principles better.
Encryption Migration: A significant architectural change migrates PAM-related encryption from organization-scoped KMS keys (KmsDataKey.Organization) to project-scoped KMS keys (KmsDataKey.SecretManager). This affects PAM resources, sessions, and account credentials, providing better security isolation at the project level.
Service Layer Improvements: New dedicated services have been created, including pamAccountService with comprehensive CRUD operations, session management, and gateway connectivity. The service includes proper license validation, permission checks using CASL, and encryption/decryption of sensitive data.
Database Schema Enhancement: The gateway schema has been extended with an encryptedPamSessionKey field to support PAM session management, with corresponding migration and advisory lock mechanisms for thread safety.
Frontend Route Structure: Parallel routing structures have been established for PAM functionality, creating PAM-specific versions of identity, role, member, and group detail routes that mirror existing secret-management patterns but operate within the PAM context.
Audit Logging Enhancement: Account and folder names have been added to audit log metadata across PAM operations, improving traceability and making audit logs more meaningful for security teams.
The changes integrate seamlessly with the existing Infisical architecture by following established patterns for service factories, DAL layers, and routing structures while adding the specialized functionality needed for privileged access management.
Important Files Changed
Changed Files
Filename | Score | Overview |
---|---|---|
backend/src/@types/fastify.d.ts | 5/5 | Adds PAM account service to Fastify type definitions for dependency injection |
backend/src/ee/services/gateway-v2/gateway-v2-constants.ts | 5/5 | Adds PAM_INFO_OID constant for gateway routing and actor identification |
frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/shared/sql-account-schemas.ts | 5/5 | Adds 255 character validation limit to username field for database constraints |
frontend/src/pages/project/IdentityDetailsByIDPage/route-pam.tsx | 5/5 | Creates PAM-specific route for identity details with proper breadcrumb navigation |
frontend/src/pages/project/RoleDetailsBySlugPage/route-pam.tsx | 5/5 | Defines new PAM role details route following established routing patterns |
frontend/src/pages/pam/PamResourcesPage/components/PamResourceHeader.tsx | 5/5 | Minor UI text change from 'External resource' to 'Resource' for clarity |
docker-compose.dev.yml | 5/5 | Changes nginx HTTPS port mapping from 8443 to 8444 for PAM platform |
frontend/src/pages/pam/PamAccountsPage/components/PamDeleteAccountModal.tsx | 4/5 | Removes resourceId parameter from PAM account deletion flow |
backend/src/ee/services/audit-log/audit-log-types.ts | 5/5 | Adds accountName and folderName fields to PAM event metadata for better audit trails |
backend/src/ee/services/relay/relay-service.ts | 4/5 | Adds configurable certificate duration to relay client credential generation |
frontend/src/pages/project/MemberDetailsByIDPage/route-pam.tsx | 5/5 | Creates PAM-specific member details route with proper navigation structure |
backend/src/server/routes/index.ts | 4/5 | Adds pamAccountService with dependencies and registers in server service decorator |
backend/src/db/schemas/gateways-v2.ts | 4/5 | Adds encryptedPamSessionKey field to GatewaysV2Schema for PAM session management |
backend/src/ee/routes/v1/index.ts | 4/5 | Restructures PAM routing from flat to hierarchical nested structure under /pam |
backend/src/ee/routes/v1/pam-session-router.ts | 4/5 | Refactors session credential handling from pamResource to pamAccount service |
backend/src/ee/routes/v1/pam-resource-routers/index.ts | 5/5 | Separates resource management from account management in router configuration |
backend/src/ee/services/pam-resource/pam-resource-fns.ts | 4/5 | Migrates encryption from organization to project scope, removes account functions |
backend/src/ee/services/pam-account/pam-account-service.ts | 4/5 | Implements comprehensive PAM account service with CRUD and session management |
backend/src/ee/services/pam-account/pam-account-types.ts | 4/5 | Defines TypeScript DTOs for PAM account operations with proper field restrictions |
backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts | 4/5 | Major API changes moving accountId to body and requiring duration validation |
backend/src/ee/services/gateway-v2/gateway-v2-service.ts | 4/5 | Adds PAM connection details and session key management with certificate extensions |
backend/src/ee/services/pam-resource/pam-resource-service.ts | 4/5 | Major refactoring removing account functionality and migrating to project-scoped encryption |
frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/PamAccountForm.tsx | 5/5 | Removes resourceId parameter from updatePamAccount mutation for API simplification |
backend/src/ee/routes/v1/pam-account-routers/index.ts | 4/5 | Creates mapping for PAM account router registration following established patterns |
backend/src/ee/services/pam-resource/pam-resource-schemas.ts | 4/5 | Adds resourceId requirement and changes description fields to nullable optional |
backend/src/keystore/keystore.ts | 5/5 | Adds GatewayPamSessionKey advisory lock for PAM session management |
backend/src/db/migrations/20251002113756_add-gateway-pam-key.ts | 5/5 | Database migration adding encryptedPamSessionKey column to GatewayV2 table |
backend/src/ee/routes/v1/pam-folder-router.ts | 5/5 | Adds folderName field to audit log metadata for PAM folder deletion |
frontend/src/pages/project/GroupDetailsByIDPage/route-pam.tsx | 5/5 | Defines PAM-specific group details route with proper breadcrumb navigation |
backend/src/ee/services/pam-session/pam-session-fns.ts | 5/5 | Migrates PAM session encryption from organization to project-scoped KMS keys |
frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx | 5/5 | Fixes bug using selectedProject instead of project prop for PAM project filtering |
backend/src/ee/services/pam-session/pam-session-service.ts | 4/5 | Switches from organization-level to project-level KMS encryption for sessions |
backend/src/ee/services/pam-folder/pam-folder-service.ts | 5/5 | Replaces manual duplicate checks with database-level error handling |
frontend/src/hooks/api/pam/types/index.ts | 4/5 | Removes resourceId from update/delete DTOs while keeping it for create operations |
frontend/src/pages/pam/PamAccountsPage/components/PamAccessAccountModal.tsx | 4/5 | Simplifies duration validation and always includes duration in CLI commands |
backend/src/ee/services/pam-account/pam-account-dal.ts | 4/5 | Implements DAL with custom findWithResourceDetails method for efficient queries |
backend/src/ee/services/pam-account/pam-account-fns.ts | 4/5 | Introduces KMS-based encryption functions for PAM account credentials |
backend/src/db/migrations/20250917052037_pam.ts | 4/5 | Creates comprehensive PAM database schema with proper constraints and relationships |
backend/src/ee/services/pam-resource/pam-resource-types.ts | 5/5 | Removes account DTOs to separate file for better separation of concerns |
backend/src/ee/routes/v2/gateway-router.ts | 4/5 | Adds new GET /pam-session-key endpoint for PAM platform functionality |
frontend/src/hooks/api/pam/mutations.tsx | 3/5 | Refactors account APIs from resource-scoped to direct account endpoints |
backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts | 4/5 | Removes account endpoints and simplifies function to focus on resource operations |
backend/src/ee/routes/v1/pam-account-routers/pam-account-endpoints.ts | 4/5 | Implements generic CRUD endpoints for PAM accounts with comprehensive audit logging |
Confidence score: 4/5
- This PR introduces significant architectural changes with comprehensive PAM platform functionality that appears well-structured and follows established patterns
- Score reflects the complexity of the changes involving encryption migrations, API restructuring, and new service integrations that require careful attention during deployment
- Pay close attention to frontend/src/hooks/api/pam/mutations.tsx and files involving encryption scope changes from organization to project level
Context used:
Rule from dashboard
- Add validation for string fields that have database column length limits to prevent insertion failur... (source)
43 files reviewed, 9 comments
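The following TypeScript is an added example, not code from this PR or from Infisical, that models the access flow in the first review's sequence diagram (request access, session in Starting status, gateway collects credentials, session becomes Active) together with the 255-character username check both reviews mention. Everything in it is assumed for illustration: the in-memory store, the class and function names, a random AES-256-GCM key standing in for the project-scoped KMS data key, the upper bound on session duration, and the rule that credentials are released only once and only to the gateway the session was created for.

```typescript
// Added example (not Infisical's code): in-memory model of the PAM access flow.
// A random AES-256-GCM key stands in for the project-scoped KMS data key.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

type SessionStatus = "Starting" | "Active" | "Expired";
interface Actor { type: "user" | "identity"; id: string }
interface PamSession {
  id: string;
  accountId: string;
  gatewayId: string;   // the only gateway allowed to collect this session's credentials
  status: SessionStatus;
  expiresAt: number;   // epoch milliseconds
  actor: Actor;        // recorded for the audit trail
}

const USERNAME_MAX_LENGTH = 255;               // DB column limit the review asked to validate
const MAX_SESSION_MS = 8 * 60 * 60 * 1000;     // assumed cap on a requested session duration

// Envelope format: iv || authTag || ciphertext. Stored credentials are unreadable
// without the project key and any tampering fails the GCM tag check.
function encryptWithKey(key: Buffer, plaintext: string): Buffer {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function decryptWithKey(key: Buffer, blob: Buffer): string {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString("utf8");
}

class PamStore {
  private readonly projectKey: Buffer;
  private accounts = new Map<string, Buffer>();      // accountId -> encrypted credentials
  private sessions = new Map<string, PamSession>();
  constructor(projectKey: Buffer) { this.projectKey = projectKey; }

  // Create account: reject over-long usernames before they reach the DB, encrypt at rest.
  createAccount(username: string, password: string): string {
    if (username.length < 1 || username.length > USERNAME_MAX_LENGTH)
      throw new Error(`username must be 1-${USERNAME_MAX_LENGTH} characters`);
    const id = randomBytes(8).toString("hex");
    this.accounts.set(id, encryptWithKey(this.projectKey, JSON.stringify({ username, password })));
    return id;
  }

  // POST /pam/accounts/access: session starts in Starting status with a bounded lifetime.
  requestAccess(accountId: string, gatewayId: string, actor: Actor, durationMs: number, now = Date.now()): PamSession {
    if (!this.accounts.has(accountId)) throw new Error("unknown account");
    if (!Number.isInteger(durationMs) || durationMs <= 0 || durationMs > MAX_SESSION_MS)
      throw new Error("invalid session duration");
    const session: PamSession = {
      id: randomBytes(16).toString("hex"), accountId, gatewayId,
      status: "Starting", expiresAt: now + durationMs, actor,
    };
    this.sessions.set(session.id, session);
    return session;
  }

  // GET /pam/sessions/{id}/credentials, called by the gateway. Credentials go out once,
  // only to the bound gateway, only before expiry; the session then becomes Active.
  fetchCredentials(sessionId: string, callerGatewayId: string, now = Date.now()): { username: string; password: string } {
    const s = this.sessions.get(sessionId);
    if (!s) throw new Error("session not found");
    if (s.gatewayId !== callerGatewayId) throw new Error("session is bound to another gateway");
    if (now >= s.expiresAt) { s.status = "Expired"; throw new Error("session expired"); }
    if (s.status !== "Starting") throw new Error(`credentials already issued (status: ${s.status})`);
    s.status = "Active";
    return JSON.parse(decryptWithKey(this.projectKey, this.accounts.get(s.accountId)!));
  }

  getSession(id: string): PamSession | undefined { return this.sessions.get(id); }
}

// Walk the flow with constructed data: one successful collection, then three refusals.
function demo(): string[] {
  const store = new PamStore(randomBytes(32));
  const accountId = store.createAccount("app_ro", "s3cret");
  const session = store.requestAccess(accountId, "gw-1", { type: "user", id: "u-42" }, 60_000, 0);
  const creds = store.fetchCredentials(session.id, "gw-1", 1_000);
  const outcomes = [`issued:${creds.username}:${store.getSession(session.id)!.status}`];
  for (const [gw, t] of [["gw-2", 2_000], ["gw-1", 2_000], ["gw-1", 60_000]] as const) {
    try { store.fetchCredentials(session.id, gw, t); outcomes.push("unexpected success"); }
    catch (e) { outcomes.push((e as Error).message); }
  }
  return outcomes;
}
```

The order of checks in fetchCredentials matters: the gateway binding is tested before the status, so a second gateway holding a leaked session ID learns nothing about whether the session is still collectable, and the expiry check moves the session to Expired rather than leaving a stale Starting row behind.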
Description 📣
PAM Platform V1