fix: build and comments

Author: PrestigePvP

backend/src/@types/fastify.d.ts

@@ -92,13 +92,13 @@ import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { TIdentitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { TIdentityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-types";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";

backend/src/db/schemas/index.ts

@@ -64,7 +64,6 @@ export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-group-membership";
 export * from "./identity-jwt-auths";
-export * from "./identity-spiffe-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
 export * from "./identity-oci-auths";
@@ -73,6 +72,7 @@ export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
 export * from "./identity-project-memberships";
+export * from "./identity-spiffe-auths";
 export * from "./identity-tls-cert-auths";
 export * from "./identity-token-auths";
 export * from "./identity-ua-client-secrets";

backend/src/server/routes/index.ts

@@ -277,8 +277,6 @@ import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/ident
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityJwtAuthDALFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-dal";
 import { identityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
-import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
-import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
@@ -289,6 +287,8 @@ import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/ide
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
+import { identitySpiffeAuthDALFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-dal";
+import { identitySpiffeAuthServiceFactory } from "@app/services/identity-spiffe-auth/identity-spiffe-auth-service";
 import { identityTlsCertAuthDALFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-dal";
 import { identityTlsCertAuthServiceFactory } from "@app/services/identity-tls-cert-auth/identity-tls-cert-auth-service";
 import { identityTokenAuthDALFactory } from "@app/services/identity-token-auth/identity-token-auth-dal";
@@ -1964,7 +1964,6 @@ export const registerRoutes = async (
     membershipIdentityDAL
   });
 
-
   const identityLdapAuthService = identityLdapAuthServiceFactory({
     identityLdapAuthDAL,
     orgDAL,

backend/src/server/routes/v1/identity-spiffe-auth-router.ts

@@ -63,26 +63,14 @@ const CommonUpdateFields = z
       .array()
       .min(1)
       .describe(SPIFFE_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenTTL),
-    accessTokenMaxTTL: z
-      .number()
-      .int()
-      .min(0)
-      .max(315360000)
-      .describe(SPIFFE_AUTH.UPDATE.accessTokenMaxTTL),
+    accessTokenTTL: z.number().int().min(0).max(315360000).describe(SPIFFE_AUTH.UPDATE.accessTokenTTL),
+    accessTokenMaxTTL: z.number().int().min(0).max(315360000).describe(SPIFFE_AUTH.UPDATE.accessTokenMaxTTL),
     accessTokenNumUsesLimit: z.number().int().min(0).describe(SPIFFE_AUTH.UPDATE.accessTokenNumUsesLimit)
   })
   .partial();
 
 const StaticConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.STATIC)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
+  configurationType: z.literal(SpiffeConfigurationType.STATIC).describe(SPIFFE_AUTH.ATTACH.configurationType),
   caBundleJwks: z.string().min(1).describe(SPIFFE_AUTH.ATTACH.caBundleJwks),
   bundleEndpointUrl: z.string().optional().default(""),
   bundleEndpointProfile: z.nativeEnum(SpiffeBundleEndpointProfile).optional(),
@@ -91,9 +79,7 @@ const StaticConfigurationSchema = z.object({
 });
 
 const RemoteConfigurationSchema = z.object({
-  configurationType: z
-    .literal(SpiffeConfigurationType.REMOTE)
-    .describe(SPIFFE_AUTH.ATTACH.configurationType),
+  configurationType: z.literal(SpiffeConfigurationType.REMOTE).describe(SPIFFE_AUTH.ATTACH.configurationType),
   caBundleJwks: z.string().optional().default(""),
   bundleEndpointUrl: z
     .string()
@@ -106,12 +92,7 @@ const RemoteConfigurationSchema = z.object({
     .default(SpiffeBundleEndpointProfile.HTTPS_WEB)
     .describe(SPIFFE_AUTH.ATTACH.bundleEndpointProfile),
   bundleEndpointCaCert: z.string().optional().default("").describe(SPIFFE_AUTH.ATTACH.bundleEndpointCaCert),
-  bundleRefreshHintSeconds: z
-    .number()
-    .int()
-    .min(0)
-    .default(3600)
-    .describe(SPIFFE_AUTH.ATTACH.bundleRefreshHintSeconds)
+  bundleRefreshHintSeconds: z.number().int().min(0).default(3600).describe(SPIFFE_AUTH.ATTACH.bundleRefreshHintSeconds)
 });
 
 export const registerIdentitySpiffeAuthRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/index.ts

@@ -38,14 +38,14 @@ import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
-import { registerIdentitySpiffeAuthRouter } from "./identity-spiffe-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
 import { registerIdentityOciAuthRouter } from "./identity-oci-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityOrgMembershipRouter } from "./identity-org-membership-router";
 import { registerIdentityProjectMembershipRouter } from "./identity-project-membership-router";
 import { registerIdentityRouter } from "./identity-router";
+import { registerIdentitySpiffeAuthRouter } from "./identity-spiffe-auth-router";
 import { registerIdentityTlsCertAuthRouter } from "./identity-tls-cert-auth-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
 import { registerIdentityUaRouter } from "./identity-universal-auth-router";

backend/src/services/identity-spiffe-auth/identity-spiffe-auth-fns.ts

@@ -1,15 +1,15 @@
 import https from "https";
-
 import picomatch from "picomatch";
+import RE2 from "re2";
 
-const SPIFFE_ID_REGEX = /^spiffe:\/\/([^/]+)(\/.*)?$/;
+const SPIFFE_ID_REGEX = new RE2("^spiffe:\\/\\/([^/]+)(\\/.*)?");
 
 export const isValidSpiffeId = (value: string): boolean => {
   return SPIFFE_ID_REGEX.test(value);
 };
 
 export const extractTrustDomainFromSpiffeId = (spiffeId: string): string => {
-  const match = spiffeId.match(SPIFFE_ID_REGEX);
+  const match = SPIFFE_ID_REGEX.exec(spiffeId);
   if (!match) {
     throw new Error(`Invalid SPIFFE ID: ${spiffeId}`);
   }
@@ -26,7 +26,9 @@ export const doesSpiffeIdMatchPattern = (spiffeId: string, patterns: string): bo
 };
 
 export const findSigningKeyInJwks = (jwksJson: string, kid: string) => {
-  const jwks = JSON.parse(jwksJson) as { keys: Array<{ kid?: string; use?: string; kty: string; [key: string]: unknown }> };
+  const jwks = JSON.parse(jwksJson) as {
+    keys: Array<{ kid?: string; use?: string; kty: string; [key: string]: unknown }>;
+  };
 
   if (!jwks.keys || !Array.isArray(jwks.keys)) {
     throw new Error("Invalid JWKS: missing keys array");

backend/src/services/identity-spiffe-auth/identity-spiffe-auth-service.ts

@@ -28,8 +28,8 @@ import {
 } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { logger } from "@app/lib/logger";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AuthAttemptAuthMethod, AuthAttemptAuthResult, authAttemptCounter } from "@app/lib/telemetry/metrics";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
@@ -104,7 +104,9 @@ const validateSpiffeClaims = (
 ): boolean => {
   if (!tokenData.aud) return false;
 
-  const tokenAudiences: string[] = Array.isArray(tokenData.aud) ? tokenData.aud : [tokenData.aud as string];
+  const tokenAudiences: string[] = Array.isArray(tokenData.aud)
+    ? (tokenData.aud as string[])
+    : [tokenData.aud as string];
   const allowedAudiences = config.allowedAudiences
     .split(", ")
     .map((a) => a.trim())
@@ -141,13 +143,13 @@ export const identitySpiffeAuthServiceFactory = ({
     config: {
       id: string;
       configurationType: string;
-      encryptedCaBundleJwks: Buffer | null;
-      encryptedCachedBundleJwks: Buffer | null;
-      bundleEndpointUrl: string | null;
-      bundleEndpointProfile: string | null;
-      encryptedBundleEndpointCaCert: Buffer | null;
-      bundleRefreshHintSeconds: number | null;
-      cachedBundleLastRefreshedAt: Date | string | null;
+      encryptedCaBundleJwks?: Buffer | null;
+      encryptedCachedBundleJwks?: Buffer | null;
+      bundleEndpointUrl?: string | null;
+      bundleEndpointProfile?: string | null;
+      encryptedBundleEndpointCaCert?: Buffer | null;
+      bundleRefreshHintSeconds?: number | null;
+      cachedBundleLastRefreshedAt?: Date | string | null;
     };
     orgId: string;
     forceRefresh?: boolean;
@@ -162,7 +164,7 @@ export const identitySpiffeAuthServiceFactory = ({
       if (!config.encryptedCaBundleJwks) {
         throw new BadRequestError({ message: "Static SPIFFE auth has no CA bundle JWKS configured" });
       }
-      
+
       return {
         jwksJson: orgDataKeyDecryptor({ cipherTextBlob: config.encryptedCaBundleJwks }).toString(),
         fromCache: false
@@ -320,7 +322,7 @@ export const identitySpiffeAuthServiceFactory = ({
         return newToken;
       });
 
-      let expireyOptions: { expiresIn: number } | undefined = undefined;
+      let expireyOptions: { expiresIn: number } | undefined;
       const accessTokenTTL = Number(identityAccessToken.accessTokenTTL);
       if (accessTokenTTL > 0) {
         expireyOptions = { expiresIn: accessTokenTTL };
@@ -810,7 +812,13 @@ export const identitySpiffeAuthServiceFactory = ({
     return revokedIdentitySpiffeAuth;
   };
 
-  const refreshSpiffeBundle = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetSpiffeAuthDTO) => {
+  const refreshSpiffeBundle = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetSpiffeAuthDTO) => {
     const identityMembershipOrg = await membershipIdentityDAL.getIdentityById({
       scopeData: {
         scope: AccessScope.Organization,

backend/src/services/identity-spiffe-auth/identity-spiffe-auth-validators.ts

@@ -1,3 +1,4 @@
+import RE2 from "re2";
 import { z } from "zod";
 
 export const validateSpiffeAllowedAudiencesField = z
@@ -24,8 +25,10 @@ export const validateSpiffeAllowedIdsField = z
       .join(", ");
   });
 
+const TRUST_DOMAIN_REGEX = new RE2("^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$");
+
 export const validateTrustDomain = z
   .string()
   .trim()
   .min(1, "Trust domain is required")
-  .regex(/^[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?$/, "Invalid trust domain format");
+  .refine((val) => TRUST_DOMAIN_REGEX.test(val), "Invalid trust domain format");

backend/src/services/identity/identity-org-dal.ts

@@ -12,6 +12,7 @@ import {
   TIdentityKubernetesAuths,
   TIdentityOciAuths,
   TIdentityOidcAuths,
+  TIdentitySpiffeAuths,
   TIdentityTlsCertAuths,
   TIdentityTokenAuths,
   TIdentityUniversalAuths,
@@ -257,7 +258,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           "paginatedIdentity.actorIdentityId",
           `${TableName.IdentityTlsCertAuth}.identityId`
         )
-        .leftJoin(
+        .leftJoin<TIdentitySpiffeAuths>(
           TableName.IdentitySpiffeAuth,
           "paginatedIdentity.actorIdentityId",
           `${TableName.IdentitySpiffeAuth}.identityId`

frontend/src/hooks/api/identities/mutations.tsx

@@ -12,10 +12,10 @@ import {
   AddIdentityGcpAuthDTO,
   AddIdentityJwtAuthDTO,
   AddIdentityKubernetesAuthDTO,
-  AddIdentitySpiffeAuthDTO,
   AddIdentityLdapAuthDTO,
   AddIdentityOciAuthDTO,
   AddIdentityOidcAuthDTO,
+  AddIdentitySpiffeAuthDTO,
   AddIdentityTlsCertAuthDTO,
   AddIdentityTokenAuthDTO,
   AddIdentityUniversalAuthDTO,
@@ -32,10 +32,10 @@ import {
   DeleteIdentityGcpAuthDTO,
   DeleteIdentityJwtAuthDTO,
   DeleteIdentityKubernetesAuthDTO,
-  DeleteIdentitySpiffeAuthDTO,
   DeleteIdentityLdapAuthDTO,
   DeleteIdentityOciAuthDTO,
   DeleteIdentityOidcAuthDTO,
+  DeleteIdentitySpiffeAuthDTO,
   DeleteIdentityTlsCertAuthDTO,
   DeleteIdentityTokenAuthDTO,
   DeleteIdentityUniversalAuthClientSecretDTO,
@@ -47,10 +47,10 @@ import {
   IdentityGcpAuth,
   IdentityJwtAuth,
   IdentityKubernetesAuth,
-  IdentitySpiffeAuth,
   IdentityLdapAuth,
   IdentityOciAuth,
   IdentityOidcAuth,
+  IdentitySpiffeAuth,
   IdentityTlsCertAuth,
   IdentityTokenAuth,
   IdentityUniversalAuth,
@@ -62,10 +62,10 @@ import {
   UpdateIdentityGcpAuthDTO,
   UpdateIdentityJwtAuthDTO,
   UpdateIdentityKubernetesAuthDTO,
-  UpdateIdentitySpiffeAuthDTO,
   UpdateIdentityLdapAuthDTO,
   UpdateIdentityOciAuthDTO,
   UpdateIdentityOidcAuthDTO,
+  UpdateIdentitySpiffeAuthDTO,
   UpdateIdentityTlsCertAuthDTO,
   UpdateIdentityTokenAuthDTO,
   UpdateIdentityUniversalAuthDTO,