Merge pull request #2133 from akhilmhdh/feat/aws-kms-sm

fix: slug too big for project fixed
Merge pull request #2134 from Infisical/improve-auth-method-errors
2025-08-31 15:32:32 +00:00 · 2024-07-16 09:50:08 -04:00 · 2024-07-16 15:00:12 +07:00 · 2024-07-16 14:59:41 +07:00 · 2024-07-16 13:47:46 +07:00 · 2024-07-16 11:26:45 +05:30
7 changed files with 55 additions and 22 deletions
--- a/backend/src/ee/routes/v1/external-kms-router.ts
+++ b/backend/src/ee/routes/v1/external-kms-router.ts
@@ -39,7 +39,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        slug: z.string().min(1).trim().optional(),
+        slug: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().min(1).trim().optional(),
        provider: ExternalKmsInputSchema
      }),
@@ -75,7 +75,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
        id: z.string().trim().min(1)
      }),
      body: z.object({
-        slug: z.string().min(1).trim().optional(),
+        slug: z.string().min(1).trim().toLowerCase().optional(),
        description: z.string().min(1).trim().optional(),
        provider: ExternalKmsInputUpdateSchema
      }),
--- a/backend/src/ee/services/external-kms/external-kms-service.ts
+++ b/backend/src/ee/services/external-kms/external-kms-service.ts
@@ -52,7 +52,7 @@ export const externalKmsServiceFactory = ({
      actorOrgId
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());

    let sanitizedProviderInput = "";
    switch (provider.type) {
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -78,7 +78,10 @@ export const identityAwsAuthServiceFactory = ({
        .map((accountId) => accountId.trim())
        .some((accountId) => accountId === Account);

-      if (!isAccountAllowed) throw new UnauthorizedError();
+      if (!isAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS account ID not allowed."
+        });
    }

    if (identityAwsAuth.allowedPrincipalArns) {
@@ -94,7 +97,10 @@ export const identityAwsAuthServiceFactory = ({
          return regex.test(extractPrincipalArn(Arn));
        });

-      if (!isArnAllowed) throw new UnauthorizedError();
+      if (!isArnAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS principal ARN not allowed."
+        });
    }

    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -81,7 +81,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((serviceAccount) => serviceAccount.trim())
        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);

-      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+      if (!isServiceAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP service account not allowed."
+        });
    }

    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
@@ -92,7 +95,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((project) => project.trim())
        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);

-      if (!isProjectAllowed) throw new UnauthorizedError();
+      if (!isProjectAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP project not allowed."
+        });
    }

    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
@@ -101,7 +107,10 @@ export const identityGcpAuthServiceFactory = ({
        .map((zone) => zone.trim())
        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);

-      if (!isZoneAllowed) throw new UnauthorizedError();
+      if (!isZoneAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP zone not allowed."
+        });
    }

    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -139,7 +139,10 @@ export const identityKubernetesAuthServiceFactory = ({
        .map((namespace) => namespace.trim())
        .some((namespace) => namespace === targetNamespace);

-      if (!isNamespaceAllowed) throw new UnauthorizedError();
+      if (!isNamespaceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s namespace not allowed."
+        });
    }

    if (identityKubernetesAuth.allowedNames) {
@@ -150,7 +153,10 @@ export const identityKubernetesAuthServiceFactory = ({
        .map((name) => name.trim())
        .some((name) => name === targetName);

-      if (!isNameAllowed) throw new UnauthorizedError();
+      if (!isNameAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s name not allowed."
+        });
    }

    if (identityKubernetesAuth.allowedAudience) {
@@ -159,7 +165,10 @@ export const identityKubernetesAuthServiceFactory = ({
        (audience) => audience === identityKubernetesAuth.allowedAudience
      );

-      if (!isAudienceAllowed) throw new UnauthorizedError();
+      if (!isAudienceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s audience not allowed."
+        });
    }

    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -124,13 +124,17 @@ export const identityOidcAuthServiceFactory = ({

    if (identityOidcAuth.boundSubject) {
      if (tokenData.sub !== identityOidcAuth.boundSubject) {
-        throw new UnauthorizedError();
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC subject not allowed."
+        });
      }
    }

    if (identityOidcAuth.boundAudiences) {
      if (!identityOidcAuth.boundAudiences.split(", ").includes(tokenData.aud)) {
-        throw new UnauthorizedError();
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC audience not allowed."
+        });
      }
    }

@@ -139,7 +143,9 @@ export const identityOidcAuthServiceFactory = ({
        const claimValue = (identityOidcAuth.boundClaims as Record<string, string>)[claimKey];
        // handle both single and multi-valued claims
        if (!claimValue.split(", ").some((claimEntry) => tokenData[claimKey] === claimEntry)) {
-          throw new UnauthorizedError();
+          throw new ForbiddenRequestError({
+            message: "Access denied: OIDC claim not allowed."
+          });
        }
      });
    }
--- a/backend/src/services/kms/kms-service.ts
+++ b/backend/src/services/kms/kms-service.ts
@@ -56,15 +56,18 @@ export const kmsServiceFactory = ({
    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
    const kmsKeyMaterial = randomSecureBytes(32);
    const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
-    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(32));
+    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
    const dbQuery = async (db: Knex) => {
-      const kmsDoc = await kmsDAL.create({
-        slug: sanitizedSlug,
-        orgId,
-        isReserved
-      });
+      const kmsDoc = await kmsDAL.create(
+        {
+          slug: sanitizedSlug,
+          orgId,
+          isReserved
+        },
+        db
+      );

-      const { encryptedKey, ...doc } = await internalKmsDAL.create(
+      await internalKmsDAL.create(
        {
          version: 1,
          encryptedKey: encryptedKeyMaterial,
@@ -73,7 +76,7 @@ export const kmsServiceFactory = ({
        },
        db
      );
-      return doc;
+      return kmsDoc;
    };
    if (tx) return dbQuery(tx);
    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
Author	SHA1	Message	Date
Maidul Islam	fed44f328d	Merge pull request #2133 from akhilmhdh/feat/aws-kms-sm fix: slug too big for project fixed	2024-07-16 09:50:08 -04:00
BlackMagiq	95a68f2c2d	Merge pull request #2134 from Infisical/improve-auth-method-errors Improve Native Auth Method Forbidden Errors	2024-07-16 15:00:12 +07:00
BlackMagiq	db7c0c45f6	Merge pull request #2135 from Infisical/fix-identity-projects Fix Identity-Project Provisioning Modal — Filter Current Org Projects	2024-07-16 14:59:41 +07:00
Tuan Dang	043c04778f	Improve native auth method unauthorized errors	2024-07-16 13:47:46 +07:00
=	560cd81a1c	fix: slug too big for project fixed	2024-07-16 11:26:45 +05:30