fix: build and address review feedback

Author: PrestigePvP

backend/src/@types/fastify.d.ts

@@ -93,13 +93,13 @@ import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";

backend/src/db/migrations/20260305201413_add-spiffe-machine-auth.ts

@@ -15,7 +15,6 @@ export async function up(knex: Knex): Promise<void> {
       t.string("configurationType").notNullable();
       t.binary("encryptedCaBundleJwks").nullable();
       t.string("bundleEndpointUrl").nullable();
-      t.string("bundleEndpointProfile").nullable();
       t.binary("encryptedBundleEndpointCaCert").nullable();
       t.binary("encryptedCachedBundleJwks").nullable();
       t.datetime("cachedBundleLastRefreshedAt").nullable();

backend/src/db/schemas/identity-spiffe-auths.ts

@@ -18,11 +18,10 @@ export const IdentitySpiffeAuthsSchema = z.object({
   configurationType: z.string(),
   encryptedCaBundleJwks: zodBuffer.nullable().optional(),
   bundleEndpointUrl: z.string().nullable().optional(),
-  bundleEndpointProfile: z.string().nullable().optional(),
   encryptedBundleEndpointCaCert: zodBuffer.nullable().optional(),
   encryptedCachedBundleJwks: zodBuffer.nullable().optional(),
   cachedBundleLastRefreshedAt: z.date().nullable().optional(),
-  bundleRefreshHintSeconds: z.coerce.number().default(300),
+  bundleRefreshHintSeconds: z.number().default(300),
   accessTokenTTL: z.coerce.number().default(7200),
   accessTokenMaxTTL: z.coerce.number().default(7200),
   accessTokenNumUsesLimit: z.coerce.number().default(0),

backend/src/db/schemas/index.ts

@@ -64,7 +64,6 @@ export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-group-membership";
 export * from "./identity-jwt-auths";
-export * from "./identity-spiffe-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oci-auths";
@@ -73,6 +72,7 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
+export * from "./identity-spiffe-auths";
 export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";

backend/src/lib/api-docs/constants.ts

@@ -758,17 +758,16 @@ export const SPIFFE_AUTH = {
     allowedSpiffeIds:
       "Comma-separated list of allowed SPIFFE ID patterns. Supports picomatch glob patterns (e.g. spiffe://prod.example.com/**).",
     allowedAudiences: "Comma-separated list of allowed audiences for JWT-SVID validation.",
-    configurationType:
-      "The configuration type for trust bundle management. Must be one of: 'static' (admin uploads JWKS), 'remote' (auto-refresh from SPIRE bundle endpoint).",
-    caBundleJwks:
-      "The JWKS JSON containing public keys for JWT-SVID verification. Required if configurationType is 'static'.",
-    bundleEndpointUrl:
-      "The SPIRE bundle endpoint URL for automatic trust bundle retrieval. Required if configurationType is 'remote'.",
-    bundleEndpointProfile:
-      "The bundle endpoint authentication profile. Must be one of: 'https_web' (standard HTTPS), 'https_spiffe' (mTLS with SPIFFE auth).",
-    bundleEndpointCaCert:
-      "The PEM-encoded CA certificate for verifying the bundle endpoint TLS connection. Required when bundleEndpointProfile is 'https_spiffe'.",
-    bundleRefreshHintSeconds: "The interval in seconds between bundle refresh attempts. Defaults to 300.",
+    trustBundleDistribution: {
+      profile:
+        "The trust bundle distribution profile. Must be one of: 'static' (admin uploads JWKS), 'https_web_bundle' (auto-refresh from HTTPS endpoint), 'https_spiffe_bundle' (auto-refresh with SPIFFE mTLS auth).",
+      bundle: "The JWKS JSON containing public keys for JWT-SVID verification. Required when profile is 'static'.",
+      endpointUrl:
+        "The SPIRE bundle endpoint URL for automatic trust bundle retrieval. Required when profile is 'https_web_bundle' or 'https_spiffe_bundle'.",
+      caCert:
+        "The PEM-encoded CA certificate for verifying the bundle endpoint TLS connection. Required when profile is 'https_spiffe_bundle'.",
+      refreshHintSeconds: "The interval in seconds between bundle refresh attempts. Defaults to 3600."
+    },
     accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
@@ -779,12 +778,13 @@ export const SPIFFE_AUTH = {
     trustDomain: "The new SPIFFE trust domain.",
     allowedSpiffeIds: "The new comma-separated list of allowed SPIFFE ID patterns.",
     allowedAudiences: "The new comma-separated list of allowed audiences.",
-    configurationType: "The new configuration type for trust bundle management.",
-    caBundleJwks: "The new JWKS JSON containing public keys.",
-    bundleEndpointUrl: "The new SPIRE bundle endpoint URL.",
-    bundleEndpointProfile: "The new bundle endpoint authentication profile.",
-    bundleEndpointCaCert: "The new PEM-encoded CA certificate for the bundle endpoint.",
-    bundleRefreshHintSeconds: "The new interval in seconds between bundle refresh attempts.",
+    trustBundleDistribution: {
+      profile: "The new trust bundle distribution profile.",
+      bundle: "The new JWKS JSON containing public keys.",
+      endpointUrl: "The new SPIRE bundle endpoint URL.",
+      caCert: "The new PEM-encoded CA certificate for the bundle endpoint.",
+      refreshHintSeconds: "The new interval in seconds between bundle refresh attempts."
+    },
     accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
     accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",

backend/src/server/routes/index.ts

@@ -285,8 +285,6 @@ import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/ident
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityJwtAuthDALFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-dal";
 import { identityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
-import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
@@ -297,6 +295,8 @@ import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/ide
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
+import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityTlsCertAuthDALFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-dal";
 import { identityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-service";
 import { identityTokenAuthDALFactory } from "@app/services/identity-token-auth/identity-token-auth-dal";
@@ -1972,7 +1972,6 @@ export const registerRoutes = async (
     membershipIdentityDAL
   });
 
-
   const identityLdapAuthService = identityLdapAuthServiceFactory({
     identityLdapAuthDAL,
     orgDAL,

backend/src/server/routes/v1/identity-spiffe-auth-router.ts

@@ -8,30 +8,109 @@ import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import {
-  SpiffeBundleEndpointProfile,
-  SpiffeConfigurationType
-} from "@app/services/identity-spiffe-auth/identity-spiffe-auth-types";
+import { SpiffeTrustBundleProfile } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-types";
 import {
   validateSpiffeAllowedAudiencesField,
   validateSpiffeAllowedIdsField,
   validateTrustDomain
 } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-validators";
 import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
-const IdentitySpiffeAuthResponseSchema = IdentitySpiffeAuthsSchema.omit({
-  encryptedCaBundleJwks: true,
-  encryptedBundleEndpointCaCert: true,
-  encryptedCachedBundleJwks: true
+const StaticTrustBundleSchema = z.object({
+  profile: z.literal(SpiffeTrustBundleProfile.STATIC).describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.profile),
+  bundle: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.bundle)
+});
+
+const HttpsWebBundleSchema = z.object({
+  profile: z
+    .literal(SpiffeTrustBundleProfile.HTTPS_WEB_BUNDLE)
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.profile),
+  endpointUrl: z
+    .string()
+    .trim()
+    .url()
+    .refine((url) => url.startsWith("https://"), "Bundle endpoint URL must use HTTPS")
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.endpointUrl),
+  refreshHintSeconds: z
+    .number()
+    .int()
+    .min(0)
+    .default(3600)
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.refreshHintSeconds)
+});
+
+const HttpsSpiffeBundleSchema = z.object({
+  profile: z
+    .literal(SpiffeTrustBundleProfile.HTTPS_SPIFFE_BUNDLE)
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.profile),
+  endpointUrl: z
+    .string()
+    .trim()
+    .url()
+    .refine((url) => url.startsWith("https://"), "Bundle endpoint URL must use HTTPS")
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.endpointUrl),
+  caCert: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.caCert),
+  refreshHintSeconds: z
+    .number()
+    .int()
+    .min(0)
+    .default(3600)
+    .describe(SPIFFE_AUTH.ATTACH.trustBundleDistribution.refreshHintSeconds)
+});
+
+const TrustBundleDistributionSchema = z.discriminatedUnion("profile", [
+  StaticTrustBundleSchema,
+  HttpsWebBundleSchema,
+  HttpsSpiffeBundleSchema
+]);
+
+const StaticTrustBundleResponseSchema = z.object({
+  profile: z.literal(SpiffeTrustBundleProfile.STATIC),
+  bundle: z.string()
+});
+
+const HttpsWebBundleResponseSchema = z.object({
+  profile: z.literal(SpiffeTrustBundleProfile.HTTPS_WEB_BUNDLE),
+  endpointUrl: z.string(),
+  refreshHintSeconds: z.number(),
+  cachedBundleLastRefreshedAt: z.date().nullable().optional()
+});
+
+const HttpsSpiffeBundleResponseSchema = z.object({
+  profile: z.literal(SpiffeTrustBundleProfile.HTTPS_SPIFFE_BUNDLE),
+  endpointUrl: z.string(),
+  caCert: z.string(),
+  refreshHintSeconds: z.number(),
+  cachedBundleLastRefreshedAt: z.date().nullable().optional()
+});
+
+const TrustBundleDistributionResponseSchema = z.discriminatedUnion("profile", [
+  StaticTrustBundleResponseSchema,
+  HttpsWebBundleResponseSchema,
+  HttpsSpiffeBundleResponseSchema
+]);
+
+const IdentitySpiffeAuthResponseSchema = IdentitySpiffeAuthsSchema.pick({
+  id: true,
+  identityId: true,
+  trustDomain: true,
+  allowedSpiffeIds: true,
+  allowedAudiences: true,
+  accessTokenTTL: true,
+  accessTokenMaxTTL: true,
+  accessTokenNumUsesLimit: true,
+  accessTokenTrustedIps: true,
+  createdAt: true,
+  updatedAt: true
 }).extend({
-  caBundleJwks: z.string(),
-  bundleEndpointCaCert: z.string()
+  trustBundleDistribution: TrustBundleDistributionResponseSchema
 });
 
 const CommonCreateFields = z.object({
   trustDomain: validateTrustDomain.describe(SPIFFE_AUTH.ATTACH.trustDomain),
   allowedSpiffeIds: validateSpiffeAllowedIdsField.describe(SPIFFE_AUTH.ATTACH.allowedSpiffeIds),
   allowedAudiences: validateSpiffeAllowedAudiencesField.describe(SPIFFE_AUTH.ATTACH.allowedAudiences),
+  trustBundleDistribution: TrustBundleDistributionSchema,
   accessTokenTrustedIps: z
     .object({
       ipAddress: z.string().trim()
@@ -51,68 +130,7 @@ const CommonCreateFields = z.object({
   accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(SPIFFE_AUTH.ATTACH.accessTokenNumUsesLimit)
 });
 
-const CommonUpdateFields = z
-  .object({
-    trustDomain: validateTrustDomain.describe(SPIFFE_AUTH.UPDATE.trustDomain),
-    allowedSpiffeIds: validateSpiffeAllowedIdsField.describe(SPIFFE_AUTH.UPDATE.allowedSpiffeIds),
-    allowedAudiences: validateSpiffeAllowedAudiencesField.describe(SPIFFE_AUTH.UPDATE.allowedAudiences),
-    accessTokenTrustedIps: z
-      .object({
-        ipAddress: z.string().trim()
-      })
-      .array()
-      .min(1)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenTTL),
-    accessTokenMaxTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenMaxTTL),
-    accessTokenNumUsesLimit: z.number().int().min(0).describe(SPIFFE_AUTH.UPDATE.accessTokenNumUsesLimit)
-  })
-  .partial();
-
-const StaticConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.STATIC)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
-  caBundleJwks: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.caBundleJwks),
-  bundleEndpointUrl: z.string().optional().default(""),
-  bundleEndpointProfile: z.nativeEnum(SpiffeBundleEndpointProfile).optional(),
-  bundleEndpointCaCert: z.string().optional().default(""),
-  bundleRefreshHintSeconds: z.number().int().min(0).optional().default(3600)
-});
-
-const RemoteConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.REMOTE)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
-  caBundleJwks: z.string().optional().default(""),
-  bundleEndpointUrl: z
-    .string()
-    .trim()
-    .url()
-    .refine((url) => url.startsWith("https://"), "Bundle endpoint URL must use HTTPS")
-    .describe(SPIFFE_AUTH.ATTACH.bundleEndpointUrl),
-  bundleEndpointProfile: z
-    .nativeEnum(SpiffeBundleEndpointProfile)
-    .default(SpiffeBundleEndpointProfile.HTTPS_WEB)
-    .describe(SPIFFE_AUTH.ATTACH.bundleEndpointProfile),
-  bundleEndpointCaCert: z.string().optional().default("").describe(SPIFFE_AUTH.ATTACH.bundleEndpointCaCert),
-  bundleRefreshHintSeconds: z
-    .number()
-    .int()
-    .min(0)
-    .default(3600)
-    .describe(SPIFFE_AUTH.ATTACH.bundleRefreshHintSeconds)
-});
+const CommonUpdateFields = CommonCreateFields.partial();
 
 export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -185,10 +203,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().trim().describe(SPIFFE_AUTH.ATTACH.identityId)
       }),
-      body: z.discriminatedUnion("configurationType", [
-        StaticConfigurationSchema.merge(CommonCreateFields),
-        RemoteConfigurationSchema.merge(CommonCreateFields)
-      ]),
+      body: CommonCreateFields,
       response: {
         200: z.object({
           identitySpiffeAuth: IdentitySpiffeAuthResponseSchema
@@ -216,7 +231,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
             trustDomain: identitySpiffeAuth.trustDomain,
             allowedSpiffeIds: identitySpiffeAuth.allowedSpiffeIds,
             allowedAudiences: identitySpiffeAuth.allowedAudiences,
-            configurationType: identitySpiffeAuth.configurationType,
+            configurationType: identitySpiffeAuth.trustBundleDistribution.profile,
             accessTokenTTL: identitySpiffeAuth.accessTokenTTL,
             accessTokenMaxTTL: identitySpiffeAuth.accessTokenMaxTTL,
             accessTokenTrustedIps: identitySpiffeAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
@@ -251,10 +266,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().trim().describe(SPIFFE_AUTH.UPDATE.identityId)
       }),
-      body: z.discriminatedUnion("configurationType", [
-        StaticConfigurationSchema.merge(CommonUpdateFields),
-        RemoteConfigurationSchema.merge(CommonUpdateFields)
-      ]),
+      body: CommonUpdateFields,
       response: {
         200: z.object({
           identitySpiffeAuth: IdentitySpiffeAuthResponseSchema
@@ -281,7 +293,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
             trustDomain: identitySpiffeAuth.trustDomain,
             allowedSpiffeIds: identitySpiffeAuth.allowedSpiffeIds,
             allowedAudiences: identitySpiffeAuth.allowedAudiences,
-            configurationType: identitySpiffeAuth.configurationType,
+            configurationType: identitySpiffeAuth.trustBundleDistribution.profile,
             accessTokenTTL: identitySpiffeAuth.accessTokenTTL,
             accessTokenMaxTTL: identitySpiffeAuth.accessTokenMaxTTL,
             accessTokenTrustedIps: identitySpiffeAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
@@ -416,10 +428,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identitySpiffeAuth: IdentitySpiffeAuthResponseSchema.omit({
-            caBundleJwks: true,
-            bundleEndpointCaCert: true
-          })
+          identitySpiffeAuth: IdentitySpiffeAuthResponseSchema
         })
       }
     },