Infisical · DanielHougaard · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/backend/e2e-test/routes/v1/identity.spec.ts b/backend/e2e-test/routes/v1/identity.spec.ts
@@ -34,15 +34,15 @@ describe("Identity v1", async () => {
   test("Create identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     await deleteIdentity(newIdentity.id);
   });
 
   test("Update identity", async () => {
     const newIdentity = await createIdentity("mac1", OrgMembershipRole.Admin);
     expect(newIdentity.name).toBe("mac1");
-    expect(newIdentity.authMethod).toBeNull();
+    expect(newIdentity.authMethods).toEqual([]);
 
     const updatedIdentity = await testServer.inject({
       method: "PATCH",

diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -44,7 +44,7 @@
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
-    "generate:schema": "tsx ./scripts/generate-schema-types.ts",
+    "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
     "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
     "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
     "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
@@ -155,7 +155,7 @@
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
     "dotenv": "^16.4.1",
-    "fastify": "^4.26.0",
+    "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
     "google-auth-library": "^9.9.0",
     "googleapis": "^137.1.0",

diff --git a/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts b/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (!hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").nullable();
+    });
+
+    // Backfilling: Update the authMethod column in the IdentityAccessToken table to match the authMethod of the Identity
+    await knex(TableName.IdentityAccessToken).update({
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore because generate schema happens after this
+      authMethod: knex(TableName.Identity)
+        .select("authMethod")
+        .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
+        .whereNotNull("authMethod")
+        .first()
+    });
+
+    // ! We delete all access tokens where the identity has no auth method set!
+    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
+    await knex(TableName.IdentityAccessToken)
+      .whereNotExists((queryBuilder) => {
+        void queryBuilder
+          .select("id")
+          .from(TableName.Identity)
+          .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
+          .whereNotNull("authMethod");
+      })
+      .delete();
+
+    // Finally we set the authMethod to notNullable after populating the column.
+    // This will fail if the data is not populated correctly, so it's safe.
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.string("authMethod").notNullable().alter();
+    });
+  }
+
+  // ! We aren't dropping the authMethod column from the Identity itself, because we wan't to be able to easily rollback for the time being.
+}
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
+
+  if (hasAuthMethodColumnAccessToken) {
+    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
+      t.dropColumn("authMethod");
+    });
+  }
+}
diff --git a/backend/src/db/schemas/identity-access-tokens.ts b/backend/src/db/schemas/identity-access-tokens.ts
@@ -20,7 +20,8 @@ export const IdentityAccessTokensSchema = z.object({
   identityId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  name: z.string().nullable().optional()
+  name: z.string().nullable().optional(),
+  authMethod: z.string()
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

diff --git a/backend/src/db/schemas/models.ts b/backend/src/db/schemas/models.ts
@@ -189,7 +189,7 @@ export enum ProjectUpgradeStatus {
 
 export enum IdentityAuthMethod {
   TOKEN_AUTH = "token-auth",
-  Univeral = "universal-auth",
+  UNIVERSAL_AUTH = "universal-auth",
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",

diff --git a/backend/src/db/seeds/5-machine-identity.ts b/backend/src/db/seeds/5-machine-identity.ts
@@ -16,7 +16,7 @@ export async function seed(knex: Knex): Promise<void> {
       // @ts-ignore
       id: seedData1.machineIdentity.id,
       name: seedData1.machineIdentity.name,
-      authMethod: IdentityAuthMethod.Univeral
+      authMethod: IdentityAuthMethod.UNIVERSAL_AUTH
     }
   ]);
   const identityUa = await knex(TableName.IdentityUniversalAuth)