Merge pull request #3336 from akhilmhdh/feat/patch-v5

feat: minor bug fixes and patch
Maidul Islam
2025-03-31 12:57:31 -04:00
committed by GitHub
4 changed files with 26 additions and 14 deletions


@@ -183,7 +183,7 @@ export const dynamicSecretLeaseServiceFactory = ({
});
const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
if (!dynamicSecretLease) {
if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id) {
throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
}
@@ -256,7 +256,7 @@ export const dynamicSecretLeaseServiceFactory = ({
});
const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
if (!dynamicSecretLease)
if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;
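Review bot: The folder-binding check is written out by hand at both lookups (the hunks at 183 and 256), so any other `dynamicSecretLeaseDAL.findById(leaseId)` call in this service has to be guarded separately; none is visible here, and both enclosing functions start and end outside the hunks. A small shared helper that loads the lease and compares `dynamicSecret.folderId` with `folder.id`, or a DAL query that takes the folder ID as part of the filter, would keep the rule in one place. It is also worth recording why a mismatch is reported as not-found, for example `// A lease that belongs to another folder is reported as not found so lease IDs cannot be probed or used across folders`.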


@@ -8,7 +8,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
export const verifyHostInputValidity = async (host: string, isGateway = false) => {
const appCfg = getConfig();
// if (appCfg.NODE_ENV === "development") return; // incase you want to remove this check in dev
// if (appCfg.NODE_ENV === "development") return ["host.docker.internal"]; // incase you want to remove this check in dev
const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
(appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),
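Review bot: The commented-out line at the top of `verifyHostInputValidity` keeps a one-edit switch that skips host validation, and the updated version would also hand back `host.docker.internal` as though it had been validated. If a development bypass is really needed, an explicit opt-in setting checked together with `NODE_ENV` is easier to audit than commented-out code. Otherwise a comment such as `// Never enable outside local development: skips the reserved-host checks below` would state the risk next to the switch. The function body continues outside the hunk.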


@@ -44,13 +44,13 @@ export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthSe
const awsRegionFromHeader = (authorizationHeader: string): string | null => {
// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
// The Authorization header takes the following form.
// Authorization: AWS4-HMAC-SHA256
// Credential=AKIAIOSFODNN7EXAMPLE/20230719/us-east-1/sts/aws4_request,
// SignedHeaders=content-length;content-type;host;x-amz-date,
// Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
//
// The credential is in the form of "<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request"
// The Authorization header takes the following form.
// Authorization: AWS4-HMAC-SHA256
// Credential=AKIAIOSFODNN7EXAMPLE/20230719/us-east-1/sts/aws4_request,
// SignedHeaders=content-length;content-type;host;x-amz-date,
// Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
//
// The credential is in the form of "<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request"
try {
const fields = authorizationHeader.split(" ");
for (const field of fields) {
@@ -83,7 +83,7 @@ export const identityAwsAuthServiceFactory = ({
const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
const body: string = Buffer.from(iamRequestBody, "base64").toString();
const body: string = Buffer.from(iamRequestBody, "base64").toString();
const region = headers.Authorization ? awsRegionFromHeader(headers.Authorization) : null;
const url = region ? `https://sts.${region}.amazonaws.com` : identityAwsAuth.stsEndpoint;


@@ -471,6 +471,7 @@ export const identityUaServiceFactory = ({
const clientSecretHash = await bcrypt.hash(clientSecret, appCfg.SALT_ROUNDS);
const identityUaAuth = await identityUaDAL.findOne({ identityId: identityMembershipOrg.identityId });
if (!identityUaAuth) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
const identityUaClientSecret = await identityUaClientSecretDAL.create({
identityUAId: identityUaAuth.id,
@@ -567,6 +568,12 @@ export const identityUaServiceFactory = ({
});
}
const identityUa = await identityUaDAL.findOne({ identityId });
if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
const { permission, membership } = await permissionService.getOrgPermission(
actor,
actorId,
@@ -601,7 +608,6 @@ export const identityUaServiceFactory = ({
details: { missingPermissions: permissionBoundary.missingPermissions }
});
const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
};
@@ -622,6 +628,12 @@ export const identityUaServiceFactory = ({
});
}
const identityUa = await identityUaDAL.findOne({ identityId });
if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
const { permission, membership } = await permissionService.getOrgPermission(
actor,
actorId,
@@ -658,11 +670,11 @@ export const identityUaServiceFactory = ({
});
}
const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
const updatedClientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
isClientSecretRevoked: true
});
return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
return { ...updatedClientSecret, identityId, orgId: identityMembershipOrg.orgId };
};
return {
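Review bot: The new `!clientSecret` guards in the hunks at 568 and 628 throw the identity message (`Failed to find identity with ID ${identityId}`), so logs and API clients cannot tell a missing or mismatched client secret from a missing identity; a message like `Client secret with ID ${clientSecretId} not found for identity ${identityId}` would be accurate. Both lookups also run before `permissionService.getOrgPermission`, so a caller who would fail the permission check may be able to learn from the not-found versus permission error whether a secret ID belongs to the identity. Earlier checks outside the hunks may already prevent this, but moving the lookups after the permission check would remove the question. In the hunk at 670, `updateById(clientSecretId, …)` is still keyed on the ID alone and relies on the earlier `findOne` for the identity binding. The enclosing functions start and end outside these hunks.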