feat(pam): support requesting access from the CLI on the approval gate#293
feat(pam): support requesting access from the CLI on the approval gate#293bernie-g wants to merge 3 commits into
Conversation
|
💬 Discussion in Slack: #pr-review-cli-293-feat-pam-support-requesting-access-from-the-cli-on-the-approva Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel. |
Also removes the dead StartRDPLocalProxy entry (superseded by startRDPProxy in the PAM revamp). Redis proxy and the legacy approval workflow are left untouched.
1825baa to
d4de1d7
Compare
…code - send justification as reason (API strips the unknown note key) - convert Go durations to milliseconds before sending; npm ms can't parse compound formats like 2h30m - exit non-zero when the approval gate is hit in a non-interactive terminal
|
| Filename | Overview |
|---|---|
| packages/pam/local/access.go | Adds handleApprovalRequired to intercept PAM_APPROVAL_REQUIRED errors and offer interactive access-request submission; Ctrl+C during the confirm prompt silently exits 0 (diverging from the legacy handler) and expired detection relies on server message substring matching. |
| packages/api/api.go | Adds CallPAMCreateAccessRequest following the same pattern as other PAM API helpers; implementation is straightforward and consistent with existing conventions. |
| packages/api/model.go | Adds PAMCreateAccessRequestBody and PAMCreateAccessRequestResponse structs; modelling is correct and consistent with existing response shapes. |
| packages/pam/local/rdp-proxy.go | Removes the legacy StartRDPLocalProxy entry-point that used the old approval workflow; remaining RDP proxy helpers are unchanged and correct. |
Reviews (1): Last reviewed commit: "fix(pam): align access request payload w..." | Re-trigger Greptile
- detect an expired grant via the PAM_GRANT_EXPIRED error name instead of substring-matching the backend error message - treat Ctrl+C (promptui.ErrInterrupt) at the request prompt as a non-zero exit rather than a graceful decline
Description 📣
Restores the ability to request access from the CLI against the new PAM model. When
infisical pam access <path>hits the approval gate (PAM_APPROVAL_REQUIRED) on a gated account, the CLI now offers to submit an access request for that account path in an interactive terminal (and prints clear guidance otherwise), calling the newPOST /v1/pam/access-requestsendpoint. Also removes the legacy approval-workflow code that was orphaned by the launch-path refactor.Type ✨
Tests 🛠️
Requires the matching backend branch. Steps: