From 32c33eaf6e79c31dc412bb8fddb60e2942818c92 Mon Sep 17 00:00:00 2001
From: Tuan Dang
Date: Fri, 17 May 2024 11:58:08 -0700
Subject: [PATCH] Patch identity token trusted ips validation for aws/gcp auths
---
 .../identity-access-token-dal.ts | 49 ++++++++++++++-----
 .../platform/identities/gcp-auth.mdx | 2 +-
 2 files changed, 37 insertions(+), 14 deletions(-)
diff --git a/backend/src/services/identity-access-token/identity-access-token-dal.ts b/backend/src/services/identity-access-token/identity-access-token-dal.ts
index 42fb5bba5b..de8eb7ebc5 100644
--- a/backend/src/services/identity-access-token/identity-access-token-dal.ts
+++ b/backend/src/services/identity-access-token/identity-access-token-dal.ts
@@ -1,7 +1,7 @@
 import { Knex } from "knex"; import { TDbClient } from "@app/db";
-import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors"; import { ormify, selectAllTableCols } from "@app/lib/knex";
@@ -15,23 +15,46 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
 const doc = await (tx || db)(TableName.IdentityAccessToken)
 .where(filter)
 .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
- .leftJoin(
- TableName.IdentityUaClientSecret,
- `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
- `${TableName.IdentityUaClientSecret}.id`
- )
- .leftJoin(
- TableName.IdentityUniversalAuth,
- `${TableName.IdentityUaClientSecret}.identityUAId`,
- `${TableName.IdentityUniversalAuth}.id`
- )
+ .leftJoin(TableName.IdentityUaClientSecret, (qb) => {
+ qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+ `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
+ `${TableName.IdentityUaClientSecret}.id`
+ );
+ })
+ .leftJoin(TableName.IdentityUniversalAuth, (qb) => {
+ qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
+ `${TableName.IdentityUaClientSecret}.identityUAId`,
+ `${TableName.IdentityUniversalAuth}.id`
+ );
+ })
+ .leftJoin(TableName.IdentityGcpAuth, (qb) => {
+ qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.GCP_AUTH])).andOn(
+ `${TableName.Identity}.id`,
+ `${TableName.IdentityGcpAuth}.identityId`
+ );
+ })
+ .leftJoin(TableName.IdentityAwsAuth, (qb) => {
+ qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AWS_AUTH])).andOn(
+ `${TableName.Identity}.id`,
+ `${TableName.IdentityAwsAuth}.identityId`
+ );
+ })
 .select(selectAllTableCols(TableName.IdentityAccessToken))
 .select(
- db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth),
+ db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
+ db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
+ db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
 db.ref("name").withSchema(TableName.Identity)
 )
 .first();
- return doc;
+
+ if (!doc) return;
+
+ return {
+ ...doc,
+ accessTokenTrustedIps:
+ doc.accessTokenTrustedIpsUa || doc.accessTokenTrustedIpsGcp || doc.accessTokenTrustedIpsAws
+ };
 } catch (error) {
 throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });
 }
diff --git a/docs/documentation/platform/identities/gcp-auth.mdx b/docs/documentation/platform/identities/gcp-auth.mdx
index 42ae819d3a..3dc341a9e8 100644
--- a/docs/documentation/platform/identities/gcp-auth.mdx
+++ b/docs/documentation/platform/identities/gcp-auth.mdx
@@ -123,7 +123,7 @@ access the Infisical API using the GCP ID Token authentication method.
 ```bash curl
 curl -H "Metadata-Flavor: Google" \
- 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience='
+ 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=&format=full'
 ```
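Review bot: The coalesced `accessTokenTrustedIps` in the new `return { ...doc, … }` is still `null` whenever `Identity.authMethod` matches none of the three joins — every `leftJoin` here is gated on that column and the `||` chain has no final fallback — so an auth method that is not wired into this query, or an identity whose method changed after the token was issued, comes back with no trusted-IP list, which is the same state this patch is fixing for GCP/AWS. Whether that fails open depends on the consumer, which is outside this hunk, so I would make the contract explicit so the next auth method cannot regress silently: above the `return`, add `// Joins are gated on Identity.authMethod, so at most one *Ua/*Gcp/*Aws column is set; null means no trusted-IP list is wired for this method — callers must reject, not allow-all.` and have the caller treat a null list as a rejection rather than as "no restriction". Minor: the three intermediate columns are also spread into the result; `const { accessTokenTrustedIpsUa, accessTokenTrustedIpsGcp, accessTokenTrustedIpsAws, ...rest } = doc;` and spreading `rest` keeps the DAL's return shape to the single coalesced field. The enclosing method (the `try` whose catch names it `IdAccessTokenFindOne`, and the `tx`/`filter` parameters it reads) begins before this hunk and its closing braces follow it.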