Infisical
diff --git a/‎backend/src/@types/fastify.d.ts‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/@types/fastify.d.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/src/db/schemas/identity-spiffe-auths.ts‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/db/schemas/identity-spiffe-auths.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/src/db/schemas/index.ts‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/db/schemas/index.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/src/server/routes/index.ts‎
Lines changed: 2 additions & 3 deletions b/‎backend/src/server/routes/index.ts‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎backend/src/server/routes/v1/identity-spiffe-auth-router.ts‎
Lines changed: 24 additions & 54 deletions b/‎backend/src/server/routes/v1/identity-spiffe-auth-router.ts‎
Lines changed: 24 additions & 54 deletions
diff --git a/‎backend/src/server/routes/v1/index.ts‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/server/routes/v1/index.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/src/services/identity-spiffe-auth/identity-spiffe-auth-fns.ts‎
Lines changed: 3 additions & 19 deletions b/‎backend/src/services/identity-spiffe-auth/identity-spiffe-auth-fns.ts‎
Lines changed: 3 additions & 19 deletions
@@ -93,13 +93,13 @@ import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 
@@ -22,7 +22,7 @@ export const IdentitySpiffeAuthsSchema = z.object({
   encryptedBundleEndpointCaCert: zodBuffer.nullable().optional(),
   encryptedCachedBundleJwks: zodBuffer.nullable().optional(),
   cachedBundleLastRefreshedAt: z.date().nullable().optional(),
-  bundleRefreshHintSeconds: z.coerce.number().default(300),
+  bundleRefreshHintSeconds: z.number().default(300),
   accessTokenTTL: z.coerce.number().default(7200),
   accessTokenMaxTTL: z.coerce.number().default(7200),
   accessTokenNumUsesLimit: z.coerce.number().default(0),
 
@@ -64,7 +64,6 @@ export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-group-membership";
 export * from "./identity-jwt-auths";
-export * from "./identity-spiffe-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oci-auths";
@@ -73,6 +72,7 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
+export * from "./identity-spiffe-auths";
 export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";
 
@@ -285,8 +285,6 @@ import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/ident
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityJwtAuthDALFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-dal";
 import { identityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
-import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
@@ -297,6 +295,8 @@ import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/ide
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
+import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityTlsCertAuthDALFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-dal";
 import { identityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-service";
 import { identityTokenAuthDALFactory } from "@app/services/identity-token-auth/identity-token-auth-dal";
@@ -1972,7 +1972,6 @@ export const registerRoutes = async (
     membershipIdentityDAL
   });
 
-
   const identityLdapAuthService = identityLdapAuthServiceFactory({
     identityLdapAuthDAL,
     orgDAL,
 
@@ -19,10 +19,23 @@ import {
 } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-validators";
 import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
 
-const IdentitySpiffeAuthResponseSchema = IdentitySpiffeAuthsSchema.omit({
-  encryptedCaBundleJwks: true,
-  encryptedBundleEndpointCaCert: true,
-  encryptedCachedBundleJwks: true
+const IdentitySpiffeAuthResponseSchema = IdentitySpiffeAuthsSchema.pick({
+  id: true,
+  identityId: true,
+  trustDomain: true,
+  allowedSpiffeIds: true,
+  allowedAudiences: true,
+  configurationType: true,
+  bundleEndpointUrl: true,
+  bundleEndpointProfile: true,
+  cachedBundleLastRefreshedAt: true,
+  bundleRefreshHintSeconds: true,
+  accessTokenTTL: true,
+  accessTokenMaxTTL: true,
+  accessTokenNumUsesLimit: true,
+  accessTokenTrustedIps: true,
+  createdAt: true,
+  updatedAt: true
 }).extend({
   caBundleJwks: z.string(),
   bundleEndpointCaCert: z.string()
@@ -51,50 +64,15 @@ const CommonCreateFields = z.object({
   accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(SPIFFE_AUTH.ATTACH.accessTokenNumUsesLimit)
 });
 
-const CommonUpdateFields = z
-  .object({
-    trustDomain: validateTrustDomain.describe(SPIFFE_AUTH.UPDATE.trustDomain),
-    allowedSpiffeIds: validateSpiffeAllowedIdsField.describe(SPIFFE_AUTH.UPDATE.allowedSpiffeIds),
-    allowedAudiences: validateSpiffeAllowedAudiencesField.describe(SPIFFE_AUTH.UPDATE.allowedAudiences),
-    accessTokenTrustedIps: z
-      .object({
-        ipAddress: z.string().trim()
-      })
-      .array()
-      .min(1)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenTTL),
-    accessTokenMaxTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenMaxTTL),
-    accessTokenNumUsesLimit: z.number().int().min(0).describe(SPIFFE_AUTH.UPDATE.accessTokenNumUsesLimit)
-  })
-  .partial();
+const CommonUpdateFields = CommonCreateFields.partial();
 
 const StaticConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.STATIC)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
-  caBundleJwks: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.caBundleJwks),
-  bundleEndpointUrl: z.string().optional().default(""),
-  bundleEndpointProfile: z.nativeEnum(SpiffeBundleEndpointProfile).optional(),
-  bundleEndpointCaCert: z.string().optional().default(""),
-  bundleRefreshHintSeconds: z.number().int().min(0).optional().default(3600)
+  configurationType: z.literal(SpiffeConfigurationType.STATIC).describe(SPIFFE_AUTH.ATTACH.configurationType),
+  caBundleJwks: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.caBundleJwks)
 });
 
 const RemoteConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.REMOTE)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
-  caBundleJwks: z.string().optional().default(""),
+  configurationType: z.literal(SpiffeConfigurationType.REMOTE).describe(SPIFFE_AUTH.ATTACH.configurationType),
   bundleEndpointUrl: z
     .string()
     .trim()
@@ -105,13 +83,8 @@ const RemoteConfigurationSchema = z.object({
     .nativeEnum(SpiffeBundleEndpointProfile)
     .default(SpiffeBundleEndpointProfile.HTTPS_WEB)
     .describe(SPIFFE_AUTH.ATTACH.bundleEndpointProfile),
-  bundleEndpointCaCert: z.string().optional().default("").describe(SPIFFE_AUTH.ATTACH.bundleEndpointCaCert),
-  bundleRefreshHintSeconds: z
-    .number()
-    .int()
-    .min(0)
-    .default(3600)
-    .describe(SPIFFE_AUTH.ATTACH.bundleRefreshHintSeconds)
+  bundleEndpointCaCert: z.string().optional().describe(SPIFFE_AUTH.ATTACH.bundleEndpointCaCert),
+  bundleRefreshHintSeconds: z.number().int().min(0).default(3600).describe(SPIFFE_AUTH.ATTACH.bundleRefreshHintSeconds)
 });
 
 export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvider) => {
@@ -416,10 +389,7 @@ export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvide
       }),
       response: {
         200: z.object({
-          identitySpiffeAuth: IdentitySpiffeAuthResponseSchema.omit({
-            caBundleJwks: true,
-            bundleEndpointCaCert: true
-          })
+          identitySpiffeAuth: IdentitySpiffeAuthResponseSchema
         })
       }
     },
 
@@ -38,14 +38,14 @@ import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
-import { registerIdentitySpiffeAuthRouter } from "./identity-spiffe-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
 import { registerIdentityOciAuthRouter } from "./identity-oci-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityOrgMembershipRouter } from "./identity-org-membership-router";
 import { registerIdentityProjectMembershipRouter } from "./identity-project-membership-router";
 import { registerIdentityRouter } from "./identity-router";
+import { registerIdentitySpiffeAuthRouter } from "./identity-spiffe-auth-router";
 import { registerIdentityTlsCertAuthRouter } from "./identity-tls-cert-auth-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
 import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 
@@ -1,15 +1,15 @@
 import https from "https";
-
 import picomatch from "picomatch";
+import RE2 from "re2";
 
-const SPIFFE_ID_REGEX = /^spiffe:\/\/([^/]+)(\/.*)?$/;
+const SPIFFE_ID_REGEX = new RE2("^spiffe:\\/\\/([^/]+)(\\/.*)?");
 
 export const isValidSpiffeId = (value: string): boolean => {
   return SPIFFE_ID_REGEX.test(value);
 };
 
 export const extractTrustDomainFromSpiffeId = (spiffeId: string): string => {
-  const match = spiffeId.match(SPIFFE_ID_REGEX);
+  const match = SPIFFE_ID_REGEX.exec(spiffeId);
   if (!match) {
     throw new Error(`Invalid SPIFFE ID: ${spiffeId}`);
   }
@@ -25,22 +25,6 @@ export const doesSpiffeIdMatchPattern = (spiffeId: string, patterns: string): bo
   return patternList.some((pattern) => picomatch.isMatch(spiffeId, pattern));
 };
 
-export const findSigningKeyInJwks = (jwksJson: string, kid: string) => {
-  const jwks = JSON.parse(jwksJson) as { keys: Array<{ kid?: string; use?: string; kty: string; [key: string]: unknown }> };
-
-  if (!jwks.keys || !Array.isArray(jwks.keys)) {
-    throw new Error("Invalid JWKS: missing keys array");
-  }
-
-  const matchingKey = jwks.keys.find((key) => key.kid === kid);
-
-  if (!matchingKey) {
-    throw new Error(`No key found in JWKS matching kid: ${kid}`);
-  }
-
-  return matchingKey;
-};
-
 const BUNDLE_FETCH_TIMEOUT_MS = 10_000;
 const MAX_BUNDLE_SIZE_BYTES = 1_048_576; // 1 MB