improvement: optimize rotation queries

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -6,7 +6,7 @@
 /* eslint-disable no-param-reassign */
 import axios from "axios";
 import jmespath from "jmespath";
-import knex from "knex";
+import knex, { Knex } from "knex";
 
 import { getConfig } from "@app/lib/config/env";
 import { getDbConnectionHost } from "@app/lib/knex";
@@ -80,12 +80,11 @@ export const secretRotationDbFn = async ({
   ca,
   host,
   port,
-  query,
   database,
   password,
   username,
   client,
-  variables,
+  getQuery,
   options
 }: TSecretRotationDbFn) => {
   const appCfg = getConfig();
@@ -122,6 +121,9 @@ export const secretRotationDbFn = async ({
       options
     }
   });
+
+  const { query, variables } = await getQuery(db);
+
   const data = await db.raw(query, variables);
   return data;
 };
@@ -148,24 +150,27 @@ export const secretRotationHttpSetFn = async (func: THttpProviderFunction, varia
   });
 };
 
-export const getDbSetQuery = (db: TDbProviderClients, variables: { username: string; password: string }) => {
+export const getDbSetQuery =
-  if (db === TDbProviderClients.Pg) {
+  (db: TDbProviderClients, variables: { username: string; password: string }) => async (knx: Knex) => {
+    const sanitizedPassword = await knx.raw("select ?", [variables.password]);
+
+    if (db === TDbProviderClients.Pg) {
+      return {
+        query: `ALTER USER ?? WITH PASSWORD '${sanitizedPassword}'`,
+        variables: [variables.username]
+      };
+    }
+
+    if (db === TDbProviderClients.MsSqlServer) {
+      return {
+        query: `ALTER LOGIN ?? WITH PASSWORD = '${sanitizedPassword}'`,
+        variables: [variables.username]
+      };
+    }
+
+    // add more based on client
     return {
-      query: `ALTER USER ?? WITH PASSWORD '${variables.password}'`,
+      query: `ALTER USER ?? IDENTIFIED BY '${sanitizedPassword}'`,
       variables: [variables.username]
     };
-  }
-
-  if (db === TDbProviderClients.MsSqlServer) {
-    return {
-      query: `ALTER LOGIN ?? WITH PASSWORD = '${variables.password}'`,
-      variables: [variables.username]
-    };
-  }
-
-  // add more based on client
-  return {
-    query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,
-    variables: [variables.username]
   };
-};

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-types.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbProviderClients } from "../templates/types";
 
 export type TSecretRotationEncData = {
@@ -21,8 +23,7 @@ export type TSecretRotationDbFn = {
   host: string;
   database: string;
   port: number;
-  query: string;
+  getQuery: (db: Knex) => Promise<{ query: string; variables: unknown[] }>;
-  variables: unknown[];
   ca?: string;
   options?: Record<string, unknown>;
 };

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -188,13 +188,15 @@ export const secretRotationQueueFactory = ({
           options
         } as TSecretRotationDbFn;
 
+        const getQuery = getDbSetQuery(provider.template.client, {
+          password: newCredential.internal.rotated_password as string,
+          username: newCredential.internal.username as string
+        });
+
         // set function
         await secretRotationDbFn({
           ...dbFunctionArg,
-          ...getDbSetQuery(provider.template.client, {
+          getQuery
-            password: newCredential.internal.rotated_password as string,
-            username: newCredential.internal.username as string
-          })
         });
 
         // test function
@@ -203,8 +205,10 @@ export const secretRotationQueueFactory = ({
 
         await secretRotationDbFn({
           ...dbFunctionArg,
-          query: testQuery,
+          getQuery: async () => ({
-          variables: []
+            query: testQuery,
+            variables: []
+          })
         });
 
         newCredential.outputs.db_username = newCredential.internal.username;