Add Chef PKI sync

.infisicalignore

@@ -54,4 +54,5 @@ k8-operator/config/samples/universalAuthIdentitySecret.yaml:generic-api-key:8
 docs/integrations/app-connections/redis.mdx:generic-api-key:80
 backend/src/ee/services/app-connections/chef/chef-connection-fns.ts:private-key:42
 docs/documentation/platform/pki/enrollment-methods/api.mdx:generic-api-key:93
-docs/documentation/platform/pki/enrollment-methods/api.mdx:private-key:139
+docs/documentation/platform/pki/enrollment-methods/api.mdx:private-key:139
+docs/documentation/platform/pki/certificate-syncs/aws-secrets-manager.mdx:private-key:62

backend/e2e-test/routes/v1/secret-approval-policy.spec.ts

@@ -1,7 +1,12 @@
 import { seedData1 } from "@app/db/seed-data";
 import { ApproverType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
 
-const createPolicy = async (dto: { name: string; secretPath: string; approvers: {type: ApproverType.User, id: string}[]; approvals: number }) => {
+const createPolicy = async (dto: {
+  name: string;
+  secretPath: string;
+  approvers: { type: ApproverType.User; id: string }[];
+  approvals: number;
+}) => {
   const res = await testServer.inject({
     method: "POST",
     url: `/api/v1/secret-approvals`,
@@ -27,7 +32,7 @@ describe("Secret approval policy router", async () => {
     const policy = await createPolicy({
       secretPath: "/",
       approvals: 1,
-      approvers: [{id:seedData1.id, type: ApproverType.User}],
+      approvers: [{ id: seedData1.id, type: ApproverType.User }],
       name: "test-policy"
     });
 

backend/scripts/create-migration.ts

@@ -2,7 +2,7 @@
 import { execSync } from "child_process";
 import path from "path";
 import promptSync from "prompt-sync";
-import slugify from "@sindresorhus/slugify"
+import slugify from "@sindresorhus/slugify";
 
 const prompt = promptSync({ sigint: true });
 

backend/src/ee/services/app-connections/chef/chef-connection-fns.ts

@@ -255,6 +255,37 @@ export const getChefDataBagItem = async ({
   }
 };
 
+export const createChefDataBagItem = async ({
+  serverUrl,
+  userName,
+  privateKey,
+  orgName,
+  dataBagName,
+  data
+}: Omit<TUpdateChefDataBagItem, "dataBagItemName">): Promise<void> => {
+  try {
+    const path = `/organizations/${orgName}/data/${dataBagName}`;
+    const body = JSON.stringify(data);
+
+    const hostServerUrl = await getChefServerUrl(serverUrl);
+
+    const headers = getChefAuthHeaders("POST", path, body, userName, privateKey);
+
+    await request.post(`${hostServerUrl}${path}`, data, {
+      headers
+    });
+  } catch (error) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to create Chef data bag item: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to create Chef data bag item"
+    });
+  }
+};
+
 export const updateChefDataBagItem = async ({
   serverUrl,
   userName,
@@ -286,3 +317,34 @@ export const updateChefDataBagItem = async ({
     });
   }
 };
+
+export const removeChefDataBagItem = async ({
+  serverUrl,
+  userName,
+  privateKey,
+  orgName,
+  dataBagName,
+  dataBagItemName
+}: Omit<TUpdateChefDataBagItem, "data">): Promise<void> => {
+  try {
+    const path = `/organizations/${orgName}/data/${dataBagName}/${dataBagItemName}`;
+    const body = "";
+
+    const hostServerUrl = await getChefServerUrl(serverUrl);
+
+    const headers = getChefAuthHeaders("DELETE", path, body, userName, privateKey);
+
+    await request.delete(`${hostServerUrl}${path}`, {
+      headers
+    });
+  } catch (error) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to remove Chef data bag item: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to remove Chef data bag item"
+    });
+  }
+};

backend/src/server/routes/v1/pki-sync-routers/aws-secrets-manager-pki-sync-router.ts

@@ -0,0 +1,22 @@
+import {
+  AWS_SECRETS_MANAGER_PKI_SYNC_LIST_OPTION,
+  AwsSecretsManagerPkiSyncSchema,
+  CreateAwsSecretsManagerPkiSyncSchema,
+  UpdateAwsSecretsManagerPkiSyncSchema
+} from "@app/services/pki-sync/aws-secrets-manager";
+import { PkiSync } from "@app/services/pki-sync/pki-sync-enums";
+
+import { registerSyncPkiEndpoints } from "./pki-sync-endpoints";
+
+export const registerAwsSecretsManagerPkiSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncPkiEndpoints({
+    destination: PkiSync.AwsSecretsManager,
+    server,
+    responseSchema: AwsSecretsManagerPkiSyncSchema,
+    createSchema: CreateAwsSecretsManagerPkiSyncSchema,
+    updateSchema: UpdateAwsSecretsManagerPkiSyncSchema,
+    syncOptions: {
+      canImportCertificates: AWS_SECRETS_MANAGER_PKI_SYNC_LIST_OPTION.canImportCertificates,
+      canRemoveCertificates: AWS_SECRETS_MANAGER_PKI_SYNC_LIST_OPTION.canRemoveCertificates
+    }
+  });

backend/src/server/routes/v1/pki-sync-routers/chef-pki-sync-router.ts

@@ -0,0 +1,17 @@
+import { ChefPkiSyncSchema, CreateChefPkiSyncSchema, UpdateChefPkiSyncSchema } from "@app/services/pki-sync/chef";
+import { PkiSync } from "@app/services/pki-sync/pki-sync-enums";
+
+import { registerSyncPkiEndpoints } from "./pki-sync-endpoints";
+
+export const registerChefPkiSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncPkiEndpoints({
+    destination: PkiSync.Chef,
+    server,
+    responseSchema: ChefPkiSyncSchema,
+    createSchema: CreateChefPkiSyncSchema,
+    updateSchema: UpdateChefPkiSyncSchema,
+    syncOptions: {
+      canImportCertificates: false,
+      canRemoveCertificates: true
+    }
+  });

backend/src/server/routes/v1/pki-sync-routers/index.ts

@@ -1,11 +1,15 @@
 import { PkiSync } from "@app/services/pki-sync/pki-sync-enums";
 
 import { registerAwsCertificateManagerPkiSyncRouter } from "./aws-certificate-manager-pki-sync-router";
+import { registerAwsSecretsManagerPkiSyncRouter } from "./aws-secrets-manager-pki-sync-router";
 import { registerAzureKeyVaultPkiSyncRouter } from "./azure-key-vault-pki-sync-router";
+import { registerChefPkiSyncRouter } from "./chef-pki-sync-router";
 
 export * from "./pki-sync-router";
 
 export const PKI_SYNC_REGISTER_ROUTER_MAP: Record<PkiSync, (server: FastifyZodProvider) => Promise<void>> = {
   [PkiSync.AzureKeyVault]: registerAzureKeyVaultPkiSyncRouter,
-  [PkiSync.AwsCertificateManager]: registerAwsCertificateManagerPkiSyncRouter
+  [PkiSync.AwsCertificateManager]: registerAwsCertificateManagerPkiSyncRouter,
+  [PkiSync.AwsSecretsManager]: registerAwsSecretsManagerPkiSyncRouter,
+  [PkiSync.Chef]: registerChefPkiSyncRouter
 };

backend/src/services/app-connection/app-connection-fns.ts

@@ -170,7 +170,8 @@ const PKI_APP_CONNECTIONS = [
   AppConnection.AWS,
   AppConnection.Cloudflare,
   AppConnection.AzureADCS,
-  AppConnection.AzureKeyVault
+  AppConnection.AzureKeyVault,
+  AppConnection.Chef
 ];
 
 export const listAppConnectionOptions = (projectType?: ProjectType) => {

backend/src/services/certificate-common/certificate-utils.ts

@@ -196,3 +196,62 @@ export const convertExtendedKeyUsageArrayToLegacy = (
 ): CertExtendedKeyUsage[] | undefined => {
   return usages?.map(convertToLegacyExtendedKeyUsage);
 };
+
+/**
+ * Parses a PEM-formatted certificate chain and returns individual certificates
+ * @param certificateChain - PEM-formatted certificate chain
+ * @returns Array of individual PEM certificates
+ */
+const parseCertificateChain = (certificateChain: string): string[] => {
+  if (!certificateChain || typeof certificateChain !== "string") {
+    return [];
+  }
+
+  const certRegex = new RE2(/-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g);
+  const certificates = certificateChain.match(certRegex);
+
+  return certificates ? certificates.map((cert) => cert.trim()) : [];
+};
+
+/**
+ * Removes the root CA certificate from a certificate chain, leaving only intermediate certificates.
+ * If the chain contains only the root CA certificate, returns an empty string.
+ *
+ * @param certificateChain - PEM-formatted certificate chain containing leaf + intermediates + root CA
+ * @returns PEM-formatted certificate chain with only intermediate certificates (no root CA)
+ */
+export const removeRootCaFromChain = (certificateChain?: string): string => {
+  if (!certificateChain || typeof certificateChain !== "string") {
+    return "";
+  }
+
+  const certificates = parseCertificateChain(certificateChain);
+
+  if (certificates.length === 0) {
+    return "";
+  }
+
+  const intermediateCerts = certificates.slice(0, -1);
+
+  return intermediateCerts.join("\n");
+};
+
+/**
+ * Extracts the root CA certificate from a certificate chain.
+ *
+ * @param certificateChain - PEM-formatted certificate chain containing leaf + intermediates + root CA
+ * @returns PEM-formatted root CA certificate, or empty string if not found
+ */
+export const extractRootCaFromChain = (certificateChain?: string): string => {
+  if (!certificateChain || typeof certificateChain !== "string") {
+    return "";
+  }
+
+  const certificates = parseCertificateChain(certificateChain);
+
+  if (certificates.length === 0) {
+    return "";
+  }
+
+  return certificates[certificates.length - 1];
+};

backend/src/services/certificate-profile/certificate-profile-service.test.ts

@@ -428,7 +428,10 @@ describe("CertificateProfileService", () => {
         service.createProfile({
           ...mockActor,
           projectId: "project-123",
-          data: validProfileData
+          data: {
+            ...validProfileData,
+            enrollmentType: EnrollmentType.ACME
+          }
         })
       ).rejects.toThrowError(
         new BadRequestError({

backend/src/services/pki-sync/aws-secrets-manager/aws-secrets-manager-pki-sync-constants.ts

@@ -0,0 +1,71 @@
+import RE2 from "re2";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { PkiSync } from "@app/services/pki-sync/pki-sync-enums";
+
+/**
+ * AWS Secrets Manager naming constraints for secrets
+ */
+export const AWS_SECRETS_MANAGER_PKI_SYNC_CERTIFICATE_NAMING = {
+  /**
+   * Regular expression pattern for valid AWS Secrets Manager secret names
+   * Must contain only alphanumeric characters, hyphens, and underscores
+   * Must be 1-512 characters long
+   */
+  NAME_PATTERN: new RE2("^[\\w-]+$"),
+
+  /**
+   * String of characters that are forbidden in AWS Secrets Manager secret names
+   */
+  FORBIDDEN_CHARACTERS: " @#$%^&*()+=[]{}|;':\"<>?,./",
+
+  /**
+   * Minimum length for secret names in AWS Secrets Manager
+   */
+  MIN_LENGTH: 1,
+
+  /**
+   * Maximum length for secret names in AWS Secrets Manager
+   */
+  MAX_LENGTH: 512,
+
+  /**
+   * String representation of the allowed character pattern (for UI display)
+   */
+  ALLOWED_CHARACTER_PATTERN: "^[\\w-]+$"
+} as const;
+
+export const AWS_SECRETS_MANAGER_PKI_SYNC_DEFAULTS = {
+  INFISICAL_PREFIX: "infisical-",
+  DEFAULT_ENVIRONMENT: "production",
+  DEFAULT_CERTIFICATE_NAME_SCHEMA: "infisical-{{certificateId}}",
+  DEFAULT_FIELD_MAPPINGS: {
+    certificate: "certificate",
+    privateKey: "private_key",
+    certificateChain: "certificate_chain",
+    caCertificate: "ca_certificate"
+  }
+};
+
+export const AWS_SECRETS_MANAGER_PKI_SYNC_OPTIONS = {
+  DEFAULT_CAN_REMOVE_CERTIFICATES: true,
+  DEFAULT_PRESERVE_SECRET_ON_RENEWAL: true,
+  DEFAULT_UPDATE_EXISTING_CERTIFICATES: true,
+  DEFAULT_CAN_IMPORT_CERTIFICATES: false
+};
+
+/**
+ * AWS Secrets Manager PKI Sync list option configuration
+ */
+export const AWS_SECRETS_MANAGER_PKI_SYNC_LIST_OPTION = {
+  name: "AWS Secrets Manager" as const,
+  connection: AppConnection.AWS,
+  destination: PkiSync.AwsSecretsManager,
+  canImportCertificates: false,
+  canRemoveCertificates: true,
+  defaultCertificateNameSchema: "infisical-{{certificateId}}",
+  forbiddenCharacters: AWS_SECRETS_MANAGER_PKI_SYNC_CERTIFICATE_NAMING.FORBIDDEN_CHARACTERS,
+  allowedCharacterPattern: AWS_SECRETS_MANAGER_PKI_SYNC_CERTIFICATE_NAMING.ALLOWED_CHARACTER_PATTERN,
+  maxCertificateNameLength: AWS_SECRETS_MANAGER_PKI_SYNC_CERTIFICATE_NAMING.MAX_LENGTH,
+  minCertificateNameLength: AWS_SECRETS_MANAGER_PKI_SYNC_CERTIFICATE_NAMING.MIN_LENGTH
+} as const;