[ENG-4034] feat: Adds chef data bag app connection and secret sync #4784
Conversation
✅ Snyk checks have passed. No issues have been found so far.
Greptile Overview
Greptile Summary
This PR adds comprehensive Chef data bag integration, enabling app connections and secret synchronization with Chef Server. The implementation follows Chef's X-Ops authentication protocol with RSA signature-based requests.
Key Changes:
- Backend services for Chef connection validation using X-Ops authentication headers
- Secret sync implementation for Chef data bags with support for add/update/delete operations
- Frontend forms for configuring Chef connections and sync destinations
- API routes with proper authentication and rate limiting
- Complete documentation with setup guides and API references
Security & Quality:
- IP address blocking implemented to prevent SSRF attacks via `blockLocalAndPrivateIpAddresses()`
- Credentials properly encrypted using KMS before storage
- Permission checks enforced at service layer
- Input validation via Zod schemas with appropriate size limits
- No unsafe OR queries detected in database operations
Minor Issues:
- Debug `console.log` statements left in frontend code (non-blocking)
- Minor optimization opportunity in secret sync merge logic
- Redundant `setValue` call in frontend form
Confidence Score: 4/5
- Safe to merge with minor cleanup recommended for production code quality
- The implementation is solid with proper security measures (SSRF protection, credential encryption, permission checks). The code follows existing patterns in the codebase and integrates cleanly. Only minor code quality issues were found (debug statements, small optimizations) that don't affect functionality or security.
- Frontend files contain debug console.log statements that should be removed before production deployment
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| backend/src/services/app-connection/chef/chef-connection-fns.ts | 4/5 | Implements Chef Server authentication using X-Ops headers and RSA signatures. Includes IP address blocking for security. Private key formatting logic is comprehensive. |
| backend/src/services/secret-sync/chef/chef-sync-fns.ts | 4/5 | Implements Chef data bag secret synchronization with proper CRUD operations. Minor optimization opportunity with map usage. |
| backend/src/services/app-connection/chef/chef-connection-service.ts | 5/5 | Clean service layer with proper permission checks. Delegates to connection functions appropriately. |
| backend/src/services/app-connection/chef/chef-connection-schemas.ts | 5/5 | Zod schemas with appropriate validation rules, including size limits on credentials fields. |
| frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/ChefConnectionForm.tsx | 4/5 | Form component for Chef connection with proper validation. Contains debug console.log that should be removed. |
| frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/ChefSyncFields.tsx | 4/5 | Cascading selects for data bag and item selection. Contains debug console.log and redundant setValue call. |
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant Frontend
    participant AppConnectionAPI
    participant ChefConnectionService
    participant SecretSyncAPI
    participant ChefSyncService
    participant ChefServer
    Note over User,ChefServer: 1. Create Chef App Connection
    User->>Frontend: Create Chef Connection
    Frontend->>AppConnectionAPI: POST /app-connections/chef
    AppConnectionAPI->>ChefConnectionService: validateChefConnectionCredentials()
    ChefConnectionService->>ChefServer: GET /organizations/{org}/users/{user}
    ChefServer-->>ChefConnectionService: User validated
    ChefConnectionService-->>AppConnectionAPI: Credentials valid
    AppConnectionAPI->>AppConnectionAPI: Encrypt & store credentials
    AppConnectionAPI-->>Frontend: Connection created
    Frontend-->>User: Connection success
    Note over User,ChefServer: 2. List Data Bags/Items
    User->>Frontend: Select data bag destination
    Frontend->>AppConnectionAPI: GET /app-connections/{id}/data-bags
    AppConnectionAPI->>ChefConnectionService: listDataBags()
    ChefConnectionService->>ChefServer: GET /organizations/{org}/data
    ChefServer-->>ChefConnectionService: Data bags list
    ChefConnectionService-->>Frontend: Data bags
    Frontend->>AppConnectionAPI: GET /app-connections/{id}/data-bag-items
    AppConnectionAPI->>ChefConnectionService: listDataBagItems()
    ChefConnectionService->>ChefServer: GET /organizations/{org}/data/{bag}
    ChefServer-->>ChefConnectionService: Data bag items list
    ChefConnectionService-->>Frontend: Data bag items
    Note over User,ChefServer: 3. Create & Sync Secrets
    User->>Frontend: Create secret sync
    Frontend->>SecretSyncAPI: POST /secret-syncs/chef
    SecretSyncAPI->>SecretSyncAPI: Store sync configuration
    SecretSyncAPI-->>Frontend: Sync created
    Note over SecretSyncAPI,ChefServer: Sync Operation
    SecretSyncAPI->>ChefSyncService: syncSecrets()
    ChefSyncService->>ChefServer: GET /organizations/{org}/data/{bag}/{item}
    ChefServer-->>ChefSyncService: Current data bag item
    ChefSyncService->>ChefSyncService: Merge secrets (add/update/delete)
    ChefSyncService->>ChefServer: PUT /organizations/{org}/data/{bag}/{item}
    ChefServer-->>ChefSyncService: Updated
    ChefSyncService-->>SecretSyncAPI: Sync complete
    SecretSyncAPI-->>Frontend: Success
```
76 files reviewed, 4 comments
x032205 left a comment
Nicely done! Works as expected
@greptile review this
Greptile Overview
Greptile Summary
This PR adds comprehensive Chef data bag integration for app connections and secret synchronization.
Key Changes:
- Implements Chef Server authentication using RSA-signed requests (API v1.3 and v1.0)
- Adds SSRF protection via `blockLocalAndPrivateIpAddresses` for user-provided Chef server URLs
- Creates full CRUD operations for Chef app connections with proper encryption and permission checks
- Implements secret sync to Chef data bags with support for import, sync, and removal operations
- Adds frontend forms with cascading dropdowns for data bags and items
- Includes comprehensive documentation with screenshots and API reference
Security Measures:
- Private keys are encrypted using KMS before storage
- SSRF protection blocks local/private IP addresses
- Proper permission checks at org and project levels
- Rate limiting on API endpoints
- Input validation with Zod schemas (max 16KB for private keys, 256 chars for names)
Implementation Quality:
- Follows existing patterns from other integrations (AWS, GitHub, etc.)
- Properly integrated into secret-sync and app-connection maps
- Consistent error handling with BadRequestError
- No database query security issues (no unsafe `orWhere` usage found)
The implementation is thorough, follows the codebase conventions, and includes appropriate security measures.
Confidence Score: 5/5
- This PR is safe to merge with no blocking issues found
- The implementation follows established patterns, includes proper security measures (SSRF protection, encryption, permission checks), has no critical bugs, and the only issues flagged in previous comments are minor style improvements (console.log removal, code simplification)
- No files require special attention - all implementations follow best practices
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| backend/src/services/app-connection/chef/chef-connection-fns.ts | 5/5 | Implements Chef Server authentication and API operations with proper SSRF protection and key formatting |
| backend/src/services/secret-sync/chef/chef-sync-fns.ts | 5/5 | Implements Chef data bag secret sync operations with proper secret handling and schema matching |
| backend/src/services/app-connection/chef/chef-connection-service.ts | 5/5 | Provides service layer for Chef data bags and items with proper permission checks |
| backend/src/server/routes/v1/app-connection-routers/chef-connection-router.ts | 5/5 | Registers Chef connection endpoints with proper auth and rate limiting |
| frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/ChefSyncFields.tsx | 5/5 | React form fields for Chef secret sync destination with cascading dropdown logic |
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant Frontend
    participant API
    participant ChefService
    participant ChefServer
    Note over User,ChefServer: App Connection Creation
    User->>Frontend: Create Chef Connection
    Frontend->>API: POST /app-connections/chef
    API->>ChefService: validateChefConnectionCredentials()
    ChefService->>ChefService: formatPrivateKey()
    ChefService->>ChefService: getChefAuthHeaders()
    ChefService->>ChefServer: GET /organizations/{org}/users/{user}
    ChefServer-->>ChefService: User details
    ChefService-->>API: Credentials valid
    API->>API: encryptAppConnectionCredentials()
    API-->>Frontend: Connection created
    Note over User,ChefServer: Secret Sync Setup
    User->>Frontend: Create Secret Sync
    Frontend->>API: GET /app-connections/chef/{id}/data-bags
    API->>ChefServer: GET /organizations/{org}/data
    ChefServer-->>API: List of data bags
    API-->>Frontend: Data bags
    Frontend->>API: GET /app-connections/chef/{id}/data-bag-items?dataBagName=X
    API->>ChefServer: GET /organizations/{org}/data/{bag}
    ChefServer-->>API: List of items
    API-->>Frontend: Data bag items
    Frontend->>API: POST /secret-syncs/chef
    API-->>Frontend: Sync created
    Note over User,ChefServer: Secret Synchronization
    API->>ChefService: ChefSyncFns.syncSecrets()
    ChefService->>ChefServer: GET /organizations/{org}/data/{bag}/{item}
    ChefServer-->>ChefService: Current secrets
    ChefService->>ChefService: Merge secrets with schema matching
    ChefService->>ChefServer: PUT /organizations/{org}/data/{bag}/{item}
    ChefServer-->>ChefService: Updated
    ChefService-->>API: Sync complete
```
76 files reviewed, no comments
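Both review summaries above describe the PR's Chef Server authentication as RSA-signed requests using X-Ops headers (protocol v1.3 and v1.0). The following is an added example, not code from this PR or its codebase: it builds the v1.3 canonical request, signs it with RSA-SHA256, splits the base64 signature into the 60-character `X-Ops-Authorization-N` headers the server expects, and shows the matching server-side verification. The `ChefRequest` shape and the function names are assumptions; v1.0, which hashes the path and uses a different signing primitive, is not shown.

```typescript
import * as crypto from "crypto";

// Assumed request shape for this example (not the PR's own types).
interface ChefRequest { method: string; path: string; body: string; userId: string; timestamp: string }

const b64sha256 = (data: string): string =>
  crypto.createHash("sha256").update(data).digest("base64");

// Canonical request string for Chef authentication protocol version 1.3.
function canonicalRequestV13(r: ChefRequest): string {
  return [
    `Method:${r.method.toUpperCase()}`,
    `Path:${r.path}`,
    `X-Ops-Content-Hash:${b64sha256(r.body)}`,
    "X-Ops-Sign:version=1.3",
    `X-Ops-Timestamp:${r.timestamp}`, // ISO 8601 UTC, e.g. 2024-01-01T00:00:00Z
    `X-Ops-UserId:${r.userId}`,
    "X-Ops-Server-API-Version:1",
  ].join("\n");
}

// Client side: RSA-SHA256 (PKCS#1 v1.5) signature over the canonical request,
// base64 encoded and split into 60-character X-Ops-Authorization-N headers.
function chefAuthHeadersV13(r: ChefRequest, privateKeyPem: string): Record<string, string> {
  const sig = crypto.sign("sha256", Buffer.from(canonicalRequestV13(r)), privateKeyPem)
    .toString("base64");
  const headers: Record<string, string> = {
    "X-Ops-Sign": "algorithm=sha256;version=1.3;",
    "X-Ops-Userid": r.userId,
    "X-Ops-Timestamp": r.timestamp,
    "X-Ops-Content-Hash": b64sha256(r.body),
    "X-Ops-Server-API-Version": "1",
  };
  for (let n = 0; n * 60 < sig.length; n++)
    headers[`X-Ops-Authorization-${n + 1}`] = sig.slice(n * 60, n * 60 + 60);
  return headers;
}

// Server side: rebuild the canonical request from what was actually received (method, path,
// body, headers), reassemble the signature chunks, verify with the caller's registered public key.
function verifyChefHeadersV13(method: string, path: string, body: string,
                              headers: Record<string, string>, publicKeyPem: string): boolean {
  const chunks: string[] = [];
  for (let n = 1; headers[`X-Ops-Authorization-${n}`]; n++) chunks.push(headers[`X-Ops-Authorization-${n}`]);
  const canonical = canonicalRequestV13({ method, path, body,
    userId: headers["X-Ops-Userid"], timestamp: headers["X-Ops-Timestamp"] });
  return crypto.verify("sha256", Buffer.from(canonical), publicKeyPem,
                       Buffer.from(chunks.join(""), "base64"));
}
```

Because the content hash, path and method are part of the signed canonical string, any change to them in transit makes verification fail; a real server must additionally reject timestamps outside its clock-skew window.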
Description 📣
Adds chef data bag app connection and secret sync
Type ✨
Tests 🛠️
# Here's some code block to paste some code snippets