Update backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
fix: potential fix for oracle db rotation failing
2025-08-14 08:08:30 +00:00 · 2025-07-28 00:09:30 +05:30 · 2025-07-28 00:03:01 +05:30 · 2025-07-25 20:52:04 -03:00 · 2025-07-25 20:48:18 -03:00 · 2025-07-25 20:47:17 -03:00
4 changed files with 25 additions and 22 deletions
--- a/backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts
+++ b/backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts
@@ -7,12 +7,13 @@ import {
  TRotationFactoryRevokeCredentials,
  TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
  executeWithPotentialGateway,
  SQL_CONNECTION_ALTER_LOGIN_STATEMENT
 } from "@app/services/app-connection/shared/sql";

-import { generatePassword } from "../utils";
+import { DEFAULT_PASSWORD_REQUIREMENTS, generatePassword } from "../utils";
 import {
  TSqlCredentialsRotationGeneratedCredentials,
  TSqlCredentialsRotationWithConnection
@@ -32,6 +33,11 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
  return redactedMessage;
 };

+const ORACLE_PASSWORD_REQUIREMENTS = {
+  ...DEFAULT_PASSWORD_REQUIREMENTS,
+  length: 30
+};
+
 export const sqlCredentialsRotationFactory: TRotationFactory<
  TSqlCredentialsRotationWithConnection,
  TSqlCredentialsRotationGeneratedCredentials
@@ -43,6 +49,9 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
    secretsMapping
  } = secretRotation;

+  const passwordRequirement =
+    connection.app === AppConnection.OracleDB ? ORACLE_PASSWORD_REQUIREMENTS : DEFAULT_PASSWORD_REQUIREMENTS;
+
  const executeOperation = <T>(
    operation: (client: Knex) => Promise<T>,
    credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
@@ -65,7 +74,7 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
    try {
      await executeOperation(async (client) => {
-        await client.raw("SELECT 1");
+        await client.raw(connection.app === AppConnection.OracleDB ? `SELECT 1 FROM DUAL` : `Select 1`);
      }, credentials);
    } catch (error) {
      throw new Error(redactPasswords(error, [credentials]));
@@ -75,11 +84,13 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
  const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
    callback
  ) => {
+    // For SQL, since we get existing users, we change both their passwords
+    // on issue to invalidate their existing passwords
    // For SQL, since we get existing users, we change both their passwords
    // on issue to invalidate their existing passwords
    const credentialsSet = [
-      { username: username1, password: generatePassword() },
-      { username: username2, password: generatePassword() }
+      { username: username1, password: generatePassword(passwordRequirement) },
+      { username: username2, password: generatePassword(passwordRequirement) }
    ];

    try {
@@ -105,7 +116,10 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
    credentialsToRevoke,
    callback
  ) => {
-    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
+    const revokedCredentials = credentialsToRevoke.map(({ username }) => ({
+      username,
+      password: generatePassword(passwordRequirement)
+    }));

    try {
      await executeOperation(async (client) => {
@@ -128,7 +142,10 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
    callback
  ) => {
    // generate new password for the next active user
-    const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
+    const credentials = {
+      username: activeIndex === 0 ? username2 : username1,
+      password: generatePassword(passwordRequirement)
+    };

    try {
      await executeOperation(async (client) => {
--- a/backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts
+++ b/backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts
@@ -11,7 +11,7 @@ type TPasswordRequirements = {
  allowedSymbols?: string;
 };

-const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
+export const DEFAULT_PASSWORD_REQUIREMENTS: TPasswordRequirements = {
  length: 48,
  required: {
    lowercase: 1,
--- a/docs/integrations/app-connections/azure-client-secrets.mdx
+++ b/docs/integrations/app-connections/azure-client-secrets.mdx
@@ -43,12 +43,6 @@ Infisical currently only supports one method for connecting to Azure, which is O
          - `Application.ReadWrite.All` (Delegated)
          - `Directory.ReadWrite.All` (Delegated)
          - `User.Read` (Delegated)
-        - Azure App Configuration
-          - `KeyValue.Delete` (Delegated)
-          - `KeyValue.Read` (Delegated)
-          - `KeyValue.Write` (Delegated)
-        - Access Key Vault
-          - `user_impersonation` (Delegated)

      ![Azure client secrets](/images/integrations/azure-client-secrets/app-api-permissions.png)

@@ -91,14 +85,6 @@ Infisical currently only supports one method for connecting to Azure, which is O
      - `Directory.ReadWrite.All` (Delegated)
      - `User.Read` (Delegated)

-      **Azure App Configuration**
-      - `KeyValue.Delete` (Delegated)
-      - `KeyValue.Read` (Delegated)
-      - `KeyValue.Write` (Delegated)
-
-      **Access Key Vault**
-      - `user_impersonation` (Delegated)
-
      ![Azure client secrets](/images/integrations/azure-client-secrets/app-api-permissions.png)
    </Step>
  </Steps>
--- a/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureClientSecretsConnectionForm.tsx
+++ b/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AzureClientSecretsConnectionForm.tsx
@@ -132,7 +132,7 @@ export const AzureClientSecretsConnectionForm = ({ appConnection, onSubmit }: Pr
          JSON.stringify({ ...formData, connectionId: appConnection?.id })
        );
        window.location.assign(
-          `https://login.microsoftonline.com/${formData.tenantId || "common"}/oauth2/v2.0/authorize?client_id=${oauthClientId}&response_type=code&redirect_uri=${window.location.origin}/organization/app-connections/azure/oauth/callback&response_mode=query&scope=https://azconfig.io/.default%20openid%20offline_access&state=${state}<:>azure-client-secrets`
+          `https://login.microsoftonline.com/${formData.tenantId || "common"}/oauth2/v2.0/authorize?client_id=${oauthClientId}&response_type=code&redirect_uri=${window.location.origin}/organization/app-connections/azure/oauth/callback&response_mode=query&scope=https://graph.microsoft.com/.default%20openid%20offline_access&state=${state}<:>azure-client-secrets`
        );
        break;
Author	SHA1	Message	Date
Akhil Mohan	8df4616265	Update backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-07-28 00:09:30 +05:30
=	484f34a257	fix: potential fix for oracle db rotation failing	2025-07-28 00:03:01 +05:30
carlosmonastyrski	32851565a7	Merge pull request #4247 from Infisical/fix/azureClientSecretsPermissions Fix/azure client secrets permissions	2025-07-25 20:52:04 -03:00
Carlos Monastyrski	68401a799e	Fix env variables name on doc	2025-07-25 20:48:18 -03:00
Carlos Monastyrski	0adf2c830d	Fix azure client secrets OAuth URL to use graph instead of vault	2025-07-25 20:47:17 -03:00