improvement: optimize rotation queries

2025-07-11 12:11:38 +00:00 · 2025-02-26 09:11:29 +09:00
3 changed files with 38 additions and 28 deletions
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts
@ -6,7 +6,7 @@
 /* eslint-disable no-param-reassign */
 import axios from "axios";
 import jmespath from "jmespath";
-import knex from "knex";
+import knex, { Knex } from "knex";

 import { getConfig } from "@app/lib/config/env";
 import { getDbConnectionHost } from "@app/lib/knex";
@ -80,12 +80,11 @@ export const secretRotationDbFn = async ({
  ca,
  host,
  port,
-  query,
  database,
  password,
  username,
  client,
-  variables,
+  getQuery,
  options
 }: TSecretRotationDbFn) => {
  const appCfg = getConfig();
@ -122,6 +121,9 @@ export const secretRotationDbFn = async ({
      options
    }
  });
+
+  const { query, variables } = await getQuery(db);
+
  const data = await db.raw(query, variables);
  return data;
 };
@ -148,24 +150,27 @@ export const secretRotationHttpSetFn = async (func: THttpProviderFunction, varia
  });
 };

-export const getDbSetQuery = (db: TDbProviderClients, variables: { username: string; password: string }) => {
+export const getDbSetQuery =
+  (db: TDbProviderClients, variables: { username: string; password: string }) => async (knx: Knex) => {
+    const sanitizedPassword = await knx.raw("select ?", [variables.password]);
+
    if (db === TDbProviderClients.Pg) {
      return {
-      query: `ALTER USER ?? WITH PASSWORD '${variables.password}'`,
+        query: `ALTER USER ?? WITH PASSWORD '${sanitizedPassword}'`,
        variables: [variables.username]
      };
    }

    if (db === TDbProviderClients.MsSqlServer) {
      return {
-      query: `ALTER LOGIN ?? WITH PASSWORD = '${variables.password}'`,
+        query: `ALTER LOGIN ?? WITH PASSWORD = '${sanitizedPassword}'`,
        variables: [variables.username]
      };
    }

    // add more based on client
    return {
-    query: `ALTER USER ?? IDENTIFIED BY '${variables.password}'`,
+      query: `ALTER USER ?? IDENTIFIED BY '${sanitizedPassword}'`,
      variables: [variables.username]
    };
  };
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-types.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-types.ts
@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import { TDbProviderClients } from "../templates/types";

 export type TSecretRotationEncData = {
@ -21,8 +23,7 @@ export type TSecretRotationDbFn = {
  host: string;
  database: string;
  port: number;
-  query: string;
-  variables: unknown[];
+  getQuery: (db: Knex) => Promise<{ query: string; variables: unknown[] }>;
  ca?: string;
  options?: Record<string, unknown>;
 };
--- a/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
+++ b/backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts
@ -188,13 +188,15 @@ export const secretRotationQueueFactory = ({
          options
        } as TSecretRotationDbFn;

+        const getQuery = getDbSetQuery(provider.template.client, {
+          password: newCredential.internal.rotated_password as string,
+          username: newCredential.internal.username as string
+        });
+
        // set function
        await secretRotationDbFn({
          ...dbFunctionArg,
-          ...getDbSetQuery(provider.template.client, {
-            password: newCredential.internal.rotated_password as string,
-            username: newCredential.internal.username as string
-          })
+          getQuery
        });

        // test function
@ -203,8 +205,10 @@ export const secretRotationQueueFactory = ({

        await secretRotationDbFn({
          ...dbFunctionArg,
+          getQuery: async () => ({
            query: testQuery,
            variables: []
+          })
        });

        newCredential.outputs.db_username = newCredential.internal.username;