Readme environments updates

.vscode/settings.json

@@ -5,7 +5,7 @@
     "package-lock.json": true
   },
   "editor.defaultFormatter": "dbaeumer.vscode-eslint",
-  "editor.formatOnSave": false,
+  "editor.formatOnSave": true,
   "editor.codeActionsOnSave": [
     "source.addMissingImports",
     "source.fixAll.eslint"
@@ -21,5 +21,9 @@
     "editor.formatOnSave": true,
     "editor.defaultFormatter": "esbenp.prettier-vscode"
   },
-  "prettier.ignorePath": ".gitignore" // Don't run prettier for files listed in .gitignore
+  "prettier.ignorePath": ".gitignore",
+  "[python]": {
+    "editor.defaultFormatter": "ms-python.autopep8",
+    "editor.formatOnSave": true
+  } // Don't run prettier for files listed in .gitignore
 }

README.md

@@ -3,7 +3,7 @@
   <img height="68" width="306" src="img/phase-console-wordmark-dark.png" alt="Phase">
 </h1>
 
-<h3 align="center">Open Source, end-to-end encrypted key management platform for developers to encrypt data in their apps.</h3>
+<h3 align="center">Open Source, end-to-end encrypted, self-hostable all in one platform for developers to manage secrets and environment variables. From their laptop 💻 to the cloud ☁️.</h3>
 
 <div align="center">
   <a href="https://phase.dev">Website</a> |
@@ -13,45 +13,70 @@
 </div>
 
 <hr/>
-
-<img src="img/console-home.png" width="100%" alt="Phase Console" />
-
-<div width="100%">
-  <img src="img/console-logs.png" alt="Phase Console" width="47%">
-  &nbsp; &nbsp; &nbsp; &nbsp;
-  <img src="img/vscode-demo.png" alt="Phase Console" width="47%"/>
-</div>
 
 <br>
 
 [Phase Console](https://phase.dev) is an open source, end-to-end encrypted key management solution for developers to seamlessly encrypt production data in their apps.
 
-We're on a mission to make strong encryption accessible to all developers, not just security teams. That means redesigning the entire developer experience from the ground up.
+## Console
+
+<img src="img/console-home.png" width="100%" alt="Phase Console" />
 
-## Features
+- **[Phase Console](https://console.phase.dev)**: Dashboard for seamlessly creating, managing, rotating secrets and environment variables
 
-- **[Phase Console](https://console.phase.dev)**: Dashboard for seamlessly creating, managing, rotating and monitoring keys
-- **[Phase KMS](https://phase.dev)**: A zero knowledge key management service
-- **[Dual-Key Model](https://docs.phase.dev/security#dual-key-model)**: Avoid single point of compromise of the private key via [secret splitting schemes](https://en.wikipedia.org/wiki/Secret_sharing)
 - **[Hold your keys](https://docs.phase.dev/security/phase-encryption#account-keyring)**: Maintain self-custody of your root keys via 24 word mnemonic phrase
+- **Secret management**: Diffs, version control and Point-in-time Recovery
+- Fine grained Role-based and cryptographic access control, per application, per environment.
+- **Service Tokens**:
+- **Secret referencing**: Inheritance
+- **[Audit Logs]()**
 - **[Self Hosting](https://docs.phase.dev)**: Run Phase on your own infrastructure
-- **[Client SDKs](https://docs.phase.dev/sdks)**: Asynchronously encrypt data in the browsers of your users without any external API or sensitive keys [Live Demo](https://phase.dev/#use-cases)
-- **[Server SDKs](https://docs.phase.dev/sdks)**: Securely decrypt and process data in memory only when you need to with 3 lines of code
-- **[Phase I/O]()**: Self-hosted EaaS (Encryption as a Service) and a transparent proxy encryption (Coming Soon)
+- **[Phase KMS](https://phase.dev)**: A zero knowledge key management service
+- **[SDKs](https://docs.phase.dev/sdks)**: Encrypt / decrypt data with a few lines of code.
 
 And much more.
 
 ---
 
-## What about SSE?
+## CLI
+
+```fish
+# Your existing secrets
+> cat .env
+AWS_ACCESS_KEY_ID="AKIA2OGYBAH63UA3VNFG"
+AWS_SECRET_ACCESS_KEY="V5yWXDe82Gohf9DYBhpatYZ74a5fiKfJVx8rx6W1"
+
+# Import your existing secrets
+> phase secrets import .env
+Successfully imported and encrypted 2 secrets.
+To view them please run: phase secrets list
 
-Relying on automatic database, disk or bucket level encryption has its limitations, since the data is automatically decrypted when retrieved and the keys typically belong to the hosting provider. A breach is a single SQL or a IAM misconfiguration away.
+# View your secrets in Phase
+> phase secrets list
+KEY 🗝️                    | VALUE ✨                                                                  
+----------------------------------------------------------------------------------------------------     
+AWS_ACCESS_KEY_ID        | AKI**************NFG                                                     
+AWS_SECRET_ACCESS_KEY    | V5y**********************************6W1                                 
 
-See:
+🥽 To uncover the secrets, use: phase secrets list --show
+
+# Get rid of your .env
+> rm .env
+
+# Seamlessly inject secrets during runtime
+> phase run yarn dev
+$ next dev
+ready - started server on 0.0.0.0:3000, url: http://localhost:3000
+```
+
+
+- **CLI**: Fetch, decrypt and inject secrets and environment variables to your application. Zero code changes required.
+- Inject
+- Export secrets in a dotenv format
+- **Cross platform**: Easily install the Phase CLI on macOS, Ubuntu/Arch/Redhat/Alpine Linux, Windows, Docker.
+- **Keyring Integration** - Store keys and credentials securely in [macOS Keychain](https://en.wikipedia.org/wiki/Keychain_%28software%29), [Windows Credential Locker](https://learn.microsoft.com/en-us/windows/uwp/security/credential-locker), [KDE Wallet](https://en.wikipedia.org/wiki/KWallet), [GNOME Keyring](https://en.wikipedia.org/wiki/GNOME_Keyring) etc.
+- **[Private Key Sharding](https://docs.phase.dev/security#dual-key-model)**: Avoid single point of compromise of the private key via [secret splitting schemes](https://en.wikipedia.org/wiki/Secret_sharing)
 
-- [OWASP - Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/#example-attack-scenarios)
-- [IAM misconfiguration](https://github.com/nagwww/s3-leaks)
-- [Problems with S3 encryption](https://www.secwale.com/p/encryption)
 
 ---
 
@@ -65,11 +90,12 @@ The quickest and most reliable way to get started is making a new free account o
 
 ### Deploy Phase Console on your infrastructure
 
-Deployment options:
+- [Docker Compose](https://docs.phase.dev/self-hosting/docker-compose)
+- [AWS](https://docs.phase.dev/self-hosting/aws)
+- [Azure](https://docs.phase.dev/self-hosting/azure)
+- [Google Cloud Platform](https://docs.phase.dev/self-hosting/gcp)
+- [DigitalOcean](https://docs.phase.dev/self-hosting/digitalocean)
 
-- Docker-compose
-- AWS
-- DigitalOcean
 
 See: [Self-hosting Phase](https://docs.phase.dev/self-hosting)
 
@@ -83,29 +109,13 @@ See: [Self-hosting Phase](https://docs.phase.dev/self-hosting)
 
 More coming soon!
 
-Example:
-
-```js
-// Import & initialize
-const Phase = require('@phase.dev/phase-node')
-const phase = new Phase(APP_ID, APP_SECRET)
-
-// Encrypt
-const ciphertext = await phase.encrypt('hello world')
-
-// Decrypt
-const plaintext = await phase.decrypt(ciphertext)
-console.log(plaintext)
-$ hello world
-```
-
 ---
 
 ## Community vs Enterprise edition
 
-Phase operates on an [open-core](https://en.wikipedia.org/wiki/Open-core_model) model, similar to that of [GitLab](https://gitlab.com), [Infisical](https://infisical.com), [PostHog](https://posthog.com) etc.
+Phase operates on an [open-core](https://en.wikipedia.org/wiki/Open-core_model) model, similar to that of [GitLab](https://gitlab.com).
 
-This repo available under the [MIT expat license](/LICENSE), with the exception of the `ee` directory which will contain premium Pro or Enterprise features requiring a Phase license in the future.
+This repo available under the [MIT expat license](/LICENSE), with the exception of the `ee` directory which will contain Pro or Enterprise features requiring a Phase license.
 
 ---
 
@@ -121,7 +131,7 @@ For more information see: [SECURITY.md](/SECURITY.md)
 
 ## Contributing
 
-Whether it's big or small, we love contributions. See [CONTRIBUTING.md](/CONTRIBUTING.md)
+We love contributions. See [CONTRIBUTING.md](/CONTRIBUTING.md)
 
 You can join our [Slack](https://join.slack.com/t/phase-community/shared_invite/zt-1tkwzl31z-a6yCB5Uqlj~V2x43ep2Evg) if you have any questions!
 

backend/README.md

@@ -1,9 +1,9 @@
 # Phase Console - Backend
 
-Python Django REST api + Postgres
+Django + Graphene + DRF
 
 ### Generate graphql schema for frontend
 
 ```bash
-./manage.py graphql_schema --schema backend.schema.schema --out ../dashboard/apollo/schema.graphql
+./manage.py graphql_schema --schema backend.schema.schema --out ../frontend/apollo/schema.graphql
 ```

backend/api/migrations/0017_environment_secret_secrettag_secretevent_and_more.py

@@ -0,0 +1,106 @@
+# Generated by Django 4.2.3 on 2023-07-31 10:52
+
+from django.conf import settings
+import django.contrib.postgres.fields
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0016_organisation_plan'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Environment',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('env_type', models.CharField(choices=[('dev', 'Development'), ('staging', 'Staging'), ('prod', 'Production')], default='dev', max_length=7)),
+                ('wrapped_seed', models.CharField(max_length=208)),
+                ('wrapped_salt', models.CharField(max_length=208)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('is_deleted', models.BooleanField(default=False)),
+                ('app', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.app')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Secret',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('collection', models.TextField(blank=True, null=True)),
+                ('key', models.TextField()),
+                ('key_digest', models.TextField()),
+                ('value', models.TextField()),
+                ('version', models.IntegerField(default=1)),
+                ('tags', django.contrib.postgres.fields.ArrayField(base_field=models.CharField(max_length=64), size=10)),
+                ('comment', models.TextField()),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SecretTag',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organisation')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='SecretEvent',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('collection', models.TextField(blank=True, null=True)),
+                ('key', models.TextField()),
+                ('key_digest', models.TextField()),
+                ('value', models.TextField()),
+                ('version', models.IntegerField(default=1)),
+                ('tags', django.contrib.postgres.fields.ArrayField(base_field=models.CharField(max_length=64), size=10)),
+                ('comment', models.TextField()),
+                ('event_type', models.CharField(choices=[('C', 'Create'), ('R', 'Read'), ('U', 'Update'), ('D', 'Delete')], default='C', max_length=1)),
+                ('timestamp', models.BigIntegerField()),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('secret', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.secret')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='EnvironmentSecret',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('identity_key', models.CharField(max_length=256)),
+                ('environment_token', models.CharField(max_length=64)),
+                ('wrapped_key_share', models.CharField(max_length=406)),
+                ('token', models.CharField(max_length=64)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='EnvironmentKey',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('identity_key', models.CharField(max_length=256)),
+                ('environment_token', models.CharField(max_length=64)),
+                ('wrapped_seed', models.CharField(max_length=208)),
+                ('wrapped_salt', models.CharField(max_length=208)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

backend/api/migrations/0018_rename_environment_token_environmentsecret_name_and_more.py

@@ -0,0 +1,60 @@
+# Generated by Django 4.2.3 on 2023-08-01 07:57
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0017_environment_secret_secrettag_secretevent_and_more'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='environmentsecret',
+            old_name='environment_token',
+            new_name='name',
+        ),
+        migrations.RemoveField(
+            model_name='environmentkey',
+            name='environment_token',
+        ),
+        migrations.RemoveField(
+            model_name='secret',
+            name='collection',
+        ),
+        migrations.AddField(
+            model_name='secrettag',
+            name='created_at',
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='secrettag',
+            name='deleted_at',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='secrettag',
+            name='updated_at',
+            field=models.DateTimeField(auto_now=True),
+        ),
+        migrations.CreateModel(
+            name='SecretFolder',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('environment', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.environment')),
+                ('parent', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='secret',
+            name='folder',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder'),
+        ),
+    ]

backend/api/migrations/0019_remove_secret_user_remove_secretevent_collection_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.3 on 2023-08-02 07:03
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0018_rename_environment_token_environmentsecret_name_and_more'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='secret',
+            name='user',
+        ),
+        migrations.RemoveField(
+            model_name='secretevent',
+            name='collection',
+        ),
+        migrations.AddField(
+            model_name='secretevent',
+            name='folder',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='api.secretfolder'),
+        ),
+    ]