[AH-310]: Updated secret flows so removing foreign key constraints (#2618)

* [AH-310]: Updated secret flows
* [AH-310]: Updated secret flows so removing foreign key constraints

app/store/database/migrate/postgres/0070_drop_index_upstream_proxy_configs.down.sql

@@ -0,0 +1,4 @@
+alter table upstream_proxy_configs
+    add constraint fk_layers_secret_identifier_and_secret_space_id
+        foreign key (upstream_proxy_config_secret_identifier, upstream_proxy_config_secret_space_id)
+            references secrets(secret_uid, secret_space_id)

app/store/database/migrate/postgres/0070_drop_index_upstream_proxy_configs.up.sql

@@ -0,0 +1,2 @@
+alter table upstream_proxy_configs
+    drop constraint fk_layers_secret_identifier_and_secret_space_id;

app/store/database/migrate/sqlite/0070_drop_index_upstream_proxy_configs.down.sql

@@ -0,0 +1,54 @@
+create table upstream_proxy_configs_dg_tmp
+(
+    upstream_proxy_config_id                INTEGER
+        primary key autoincrement,
+    upstream_proxy_config_registry_id       INTEGER not null
+        constraint fk_upstream_proxy_config_registry_id
+            references registries
+            on delete cascade,
+    upstream_proxy_config_source            text,
+    upstream_proxy_config_url               text,
+    upstream_proxy_config_auth_type         text    not null,
+    upstream_proxy_config_user_name         text,
+    upstream_proxy_config_secret_identifier text,
+    upstream_proxy_config_secret_space_id   int,
+    upstream_proxy_config_token             text,
+    upstream_proxy_config_created_at        INTEGER,
+    upstream_proxy_config_updated_at        INTEGER,
+    upstream_proxy_config_created_by        INTEGER,
+    upstream_proxy_config_updated_by        INTEGER,
+    constraint fk_layers_secret_identifier_and_secret_space_id
+        foreign key (upstream_proxy_config_secret_identifier,
+                     upstream_proxy_config_secret_space_id) references secrets (secret_uid, secret_space_id)
+);
+
+insert into upstream_proxy_configs_dg_tmp(upstream_proxy_config_id, upstream_proxy_config_registry_id,
+                                          upstream_proxy_config_source, upstream_proxy_config_url,
+                                          upstream_proxy_config_auth_type, upstream_proxy_config_user_name,
+                                          upstream_proxy_config_secret_identifier,
+                                          upstream_proxy_config_secret_space_id, upstream_proxy_config_token,
+                                          upstream_proxy_config_created_at, upstream_proxy_config_updated_at,
+                                          upstream_proxy_config_created_by, upstream_proxy_config_updated_by)
+select upstream_proxy_config_id,
+       upstream_proxy_config_registry_id,
+       upstream_proxy_config_source,
+       upstream_proxy_config_url,
+       upstream_proxy_config_auth_type,
+       upstream_proxy_config_user_name,
+       upstream_proxy_config_secret_identifier,
+       upstream_proxy_config_secret_space_id,
+       upstream_proxy_config_token,
+       upstream_proxy_config_created_at,
+       upstream_proxy_config_updated_at,
+       upstream_proxy_config_created_by,
+       upstream_proxy_config_updated_by
+from upstream_proxy_configs;
+
+drop table upstream_proxy_configs;
+
+alter table upstream_proxy_configs_dg_tmp
+    rename to upstream_proxy_configs;
+
+create index index_upstream_proxy_config_on_registry_id
+    on upstream_proxy_configs (upstream_proxy_config_registry_id);
+

app/store/database/migrate/sqlite/0070_drop_index_upstream_proxy_configs.up.sql

@@ -0,0 +1,51 @@
+create table upstream_proxy_configs_dg_tmp
+(
+    upstream_proxy_config_id                INTEGER
+        primary key autoincrement,
+    upstream_proxy_config_registry_id       INTEGER not null
+        constraint fk_upstream_proxy_config_registry_id
+            references registries
+            on delete cascade,
+    upstream_proxy_config_source            text,
+    upstream_proxy_config_url               text,
+    upstream_proxy_config_auth_type         text    not null,
+    upstream_proxy_config_user_name         text,
+    upstream_proxy_config_secret_identifier text,
+    upstream_proxy_config_secret_space_id   int,
+    upstream_proxy_config_token             text,
+    upstream_proxy_config_created_at        INTEGER,
+    upstream_proxy_config_updated_at        INTEGER,
+    upstream_proxy_config_created_by        INTEGER,
+    upstream_proxy_config_updated_by        INTEGER
+);
+
+insert into upstream_proxy_configs_dg_tmp(upstream_proxy_config_id, upstream_proxy_config_registry_id,
+                                          upstream_proxy_config_source, upstream_proxy_config_url,
+                                          upstream_proxy_config_auth_type, upstream_proxy_config_user_name,
+                                          upstream_proxy_config_secret_identifier,
+                                          upstream_proxy_config_secret_space_id, upstream_proxy_config_token,
+                                          upstream_proxy_config_created_at, upstream_proxy_config_updated_at,
+                                          upstream_proxy_config_created_by, upstream_proxy_config_updated_by)
+select upstream_proxy_config_id,
+       upstream_proxy_config_registry_id,
+       upstream_proxy_config_source,
+       upstream_proxy_config_url,
+       upstream_proxy_config_auth_type,
+       upstream_proxy_config_user_name,
+       upstream_proxy_config_secret_identifier,
+       upstream_proxy_config_secret_space_id,
+       upstream_proxy_config_token,
+       upstream_proxy_config_created_at,
+       upstream_proxy_config_updated_at,
+       upstream_proxy_config_created_by,
+       upstream_proxy_config_updated_by
+from upstream_proxy_configs;
+
+drop table upstream_proxy_configs;
+
+alter table upstream_proxy_configs_dg_tmp
+    rename to upstream_proxy_configs;
+
+create index index_upstream_proxy_config_on_registry_id
+    on upstream_proxy_configs (upstream_proxy_config_registry_id);
+

cmd/gitness/wire_gen.go

@@ -435,7 +435,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	manifestService := docker.ManifestServiceProvider(registryRepository, manifestRepository, blobRepository, mediaTypesRepository, manifestReferenceRepository, tagRepository, artifactRepository, artifactStatRepository, layerRepository, gcService, transactor)
 	registryBlobRepository := database2.ProvideRegistryBlobDao(db)
 	localRegistry := docker.LocalRegistryProvider(app, manifestService, blobRepository, registryRepository, manifestRepository, registryBlobRepository, mediaTypesRepository, tagRepository, artifactRepository, artifactStatRepository, gcService, transactor)
-	upstreamProxyConfigRepository := database2.ProvideUpstreamDao(db, registryRepository)
+	upstreamProxyConfigRepository := database2.ProvideUpstreamDao(db, registryRepository, spacePathStore)
 	secretService := secret3.ProvideSecretService(secretStore, encrypter, spacePathStore)
 	remoteRegistry := docker.RemoteRegistryProvider(localRegistry, app, upstreamProxyConfigRepository, spacePathStore, secretService)
 	coreController := pkg.CoreControllerProvider(registryRepository)
@@ -443,7 +443,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	handler := api2.NewHandlerProvider(dockerController, spaceStore, tokenStore, controller, authenticator, provider, authorizer)
 	registryOCIHandler := router.OCIHandlerProvider(handler)
 	cleanupPolicyRepository := database2.ProvideCleanupPolicyDao(db, transactor)
-	apiHandler := router.APIHandlerProvider(registryRepository, upstreamProxyConfigRepository, tagRepository, manifestRepository, cleanupPolicyRepository, artifactRepository, storageDriver, spaceStore, transactor, authenticator, provider, authorizer, auditService)
+	apiHandler := router.APIHandlerProvider(registryRepository, upstreamProxyConfigRepository, tagRepository, manifestRepository, cleanupPolicyRepository, artifactRepository, storageDriver, spaceStore, transactor, authenticator, provider, authorizer, auditService, spacePathStore)
 	appRouter := router.AppRouterProvider(registryOCIHandler, apiHandler)
 	routerRouter := router2.ProvideRouter(ctx, config, authenticator, repoController, reposettingsController, executionController, logsController, spaceController, pipelineController, secretController, triggerController, connectorController, templateController, pluginController, pullreqController, webhookController, githookController, gitInterface, serviceaccountController, controller, principalController, usergroupController, checkController, systemController, uploadController, keywordsearchController, infraproviderController, gitspaceController, migrateController, aiagentController, capabilitiesController, provider, openapiService, appRouter)
 	serverServer := server2.ProvideServer(config, routerRouter)

registry/app/api/controller/metadata/base.go

@@ -316,13 +316,10 @@ func CreateUpstreamProxyResponseJSONResponse(upstreamproxy *types.UpstreamProxy)
 	if api.AuthType(upstreamproxy.RepoAuthType) == api.AuthTypeUserPassword {
 		auth := api.UserPassword{}
 		auth.UserName = upstreamproxy.UserName
-		auth.SecretIdentifier = &upstreamproxy.SecretIdentifier.String
+		auth.SecretIdentifier = &upstreamproxy.SecretIdentifier
-		auth.SecretSpaceId = nil
+		secretSpaceIDInt := int(upstreamproxy.SecretSpaceID)
-		if upstreamproxy.SecretSpaceID.Valid {
+		auth.SecretSpaceId = &secretSpaceIDInt
-			// Convert int32 to int and assign to the expected field
+		auth.SecretSpacePath = &upstreamproxy.SecretSpacePath
-			secretSpaceID := int(upstreamproxy.SecretSpaceID.Int32)
-			auth.SecretSpaceId = &secretSpaceID
-		}
 		_ = configAuth.FromUserPassword(auth)
 	}
 

registry/app/api/controller/metadata/controller.go

@@ -38,6 +38,7 @@ type APIController struct {
 	URLProvider        urlprovider.Provider
 	Authorizer         authz.Authorizer
 	AuditService       audit.Service
+	spacePathStore     corestore.SpacePathStore
 }
 
 func NewAPIController(
@@ -53,6 +54,7 @@ func NewAPIController(
 	urlProvider urlprovider.Provider,
 	authorizer authz.Authorizer,
 	auditService audit.Service,
+	spacePathStore corestore.SpacePathStore,
 ) *APIController {
 	return &APIController{
 		RegistryRepository: repositoryStore,
@@ -67,5 +69,6 @@ func NewAPIController(
 		URLProvider:        urlProvider,
 		Authorizer:         authorizer,
 		AuditService:       auditService,
+		spacePathStore:     spacePathStore,
 	}
 }

registry/app/api/controller/metadata/create_registry.go

@@ -75,7 +75,8 @@ func (c *APIController) CreateRegistry(
 	if registryRequest.Config.Type == artifact.RegistryTypeVIRTUAL {
 		return c.createVirtualRegistry(ctx, registryRequest, regInfo, session, parentRef)
 	}
-	registry, upstreamproxy, err := CreateUpstreamProxyEntity(
+	registry, upstreamproxy, err := c.CreateUpstreamProxyEntity(
+		ctx,
 		registryRequest,
 		regInfo.parentID, regInfo.rootIdentifierID,
 	)
@@ -254,10 +255,8 @@ func CreateRegistryEntity(
 	return entity, nil
 }
 
-func CreateUpstreamProxyEntity(
+func (c *APIController) CreateUpstreamProxyEntity(
-	dto artifact.RegistryRequest,
+	ctx context.Context, dto artifact.RegistryRequest, parentID int64, rootParentID int64,
-	parentID int64,
-	rootParentID int64,
 ) (*registrytypes.Registry, *registrytypes.UpstreamProxyConfig, error) {
 	allowedPattern := []string{}
 	if dto.AllowedPattern != nil {
@@ -311,11 +310,32 @@ func CreateUpstreamProxyEntity(
 			return nil, nil, err
 		}
 		upstreamProxyConfigEntity.UserName = res.UserName
-		if res.SecretIdentifier == nil || res.SecretSpaceId == nil {
+		if res.SecretIdentifier == nil {
-			return nil, nil, fmt.Errorf("failed to create upstream proxy: secret_identifier or secret_space_id missing")
+			return nil, nil, fmt.Errorf("failed to create upstream proxy: secret_identifier missing")
 		}
-		upstreamProxyConfigEntity.SecretIdentifier = *res.SecretIdentifier
+
+		upstreamProxyConfigEntity.SecretSpaceID, err = c.getSecretID(ctx, res.SecretSpaceId, res.SecretSpacePath)
+		if err != nil {
+			return nil, nil, err
+		}
+
 		upstreamProxyConfigEntity.SecretSpaceID = *res.SecretSpaceId
 	}
 	return repoEntity, upstreamProxyConfigEntity, nil
 }
+
+func (c *APIController) getSecretID(ctx context.Context, secretSpaceID *int, secretSpacePath *string) (int, error) {
+	if secretSpaceID == nil && secretSpacePath == nil {
+		return -1, fmt.Errorf("failed to create upstream proxy: secret space missing")
+	}
+
+	if secretSpaceID != nil {
+		return *secretSpaceID, nil
+	}
+
+	path, err := c.spacePathStore.FindByPath(ctx, *secretSpacePath)
+	if err != nil {
+		return -1, fmt.Errorf("failed to get Space Path: %w", err)
+	}
+	return int(path.SpaceID), nil
+}

registry/app/api/controller/metadata/update_registry.go

@@ -89,7 +89,8 @@ func (c *APIController) ModifyRegistry(
 	if err != nil {
 		return throwModifyRegistry500Error(err), err
 	}
-	registry, upstreamproxy, err := UpdateUpstreamProxyEntity(
+	registry, upstreamproxy, err := c.UpdateUpstreamProxyEntity(
+		ctx,
 		artifact.RegistryRequest(*r.Body),
 		regInfo.parentID, regInfo.rootIdentifierID, upstreamproxyEntity,
 	)
@@ -327,11 +328,8 @@ func UpdateRepoEntity(
 	return entity, nil
 }
 
-func UpdateUpstreamProxyEntity(
+func (c *APIController) UpdateUpstreamProxyEntity(
-	dto artifact.RegistryRequest,
+	ctx context.Context, dto artifact.RegistryRequest, parentID int64, rootParentID int64, u *types.UpstreamProxy,
-	parentID int64,
-	rootParentID int64,
-	u *types.UpstreamProxy,
 ) (*types.Registry, *types.UpstreamProxyConfig, error) {
 	allowedPattern := []string{}
 	if dto.AllowedPattern != nil {
@@ -387,7 +385,14 @@ func UpdateUpstreamProxyEntity(
 			return nil, nil, err
 		}
 		upstreamProxyConfigEntity.UserName = res.UserName
-		upstreamProxyConfigEntity.SecretIdentifier = *res.SecretIdentifier
+		if res.SecretIdentifier == nil {
+			return nil, nil, fmt.Errorf("failed to create upstream proxy: secret_identifier missing")
+		}
+
+		upstreamProxyConfigEntity.SecretSpaceID, err = c.getSecretID(ctx, res.SecretSpaceId, res.SecretSpacePath)
+		if err != nil {
+			return nil, nil, err
+		}
 		upstreamProxyConfigEntity.SecretSpaceID = *res.SecretSpaceId
 	} else {
 		upstreamProxyConfigEntity.UserName = ""

registry/app/api/openapi/api.yaml

@@ -1465,6 +1465,8 @@ components:
           type: string
         secretSpaceId:
           type: integer
+        secretSpacePath:
+          type: string
       required:
         - userName
         - password

registry/app/api/openapi/contracts/artifact/services.gen.go

@@ -3725,26 +3725,26 @@ var swaggerSpec = []string{
 	"ip1hMnGdRvryKd6QZ4TVhS3RCXgP9WRSlAHVNIdY4vqgO5x8NK2Km5vHbEJRAUy9aLayuP2IqUdlpfKs",
 	"EEKmGdP3o+/Ozy+nU+Sjt2dX13eTS+Sjy8nk48TIvjFjtDfAxe8FkWU1xmIX1cUtyX6Y3opwIYOR24S3",
 	"UqrTN9/VhTzLr0tfcHLBYlVGJK6fKUgA+uVbcmNmUdwjH50XlGWJUXNOUa+SqAVSH/14tQKpVw84LjhB",
-	"BRduHl0b7cJ4CAiwnto3STTNcQBXobnmqKBALNtfjfFUlNwFS7G45lfTlAEoUomby+t10QDaiwqZ+E9R",
+	"BRduHl0b7cJ4CAiwnto3STTNcQBXobnmSCOxrsgXFIhli6wx5oqSu2kpOrfOaiozAGkquXN5BS8aYHxR",
-	"OstUQX25Xl5eDGPPVV55ITxAzOWi5aQ1RgvGcjoejR4fH08WsulJlAkxIhZ3d3h2e6VtRYzR65PTk1OR",
+	"sRP/KUpnmSq6L9fUy8tj7PnMKy+EB4i5XLSc2MZowVhOx6PR4+PjyUI2PYkyIUbE4u4Oz26vtO2KMXp9",
-	"IOaQ4jxCY/S7+ElO62K0I6K9weWZadvhvLxhpWJ0gkSX0gYcCSWJ/oan3e1ncdOaZGS40YgnnPXlOE82",
+	"cnpyKpLIHFKcR2iMfhc/yalfjHZEtLe8PDNtTZyXt7BUjE6Q6FLagKOlJNHfArX7/yyuXJOMDLce8aS0",
-	"P1y5P6d9dUzj/pffTl/bOyrpRq3zN0sfvTk97W+oXeQgmjjwMhzReHP6u2s7dbLCR/9ykc90xlOcylDV",
+	"vkDnyearK3fstK+XadwR89vpa3tHJd2odUZn6aM3p6f9DbXLHkQTB16GYxxvTn93badOX/joXy7ymc6B",
-	"DcrSup0ZnnMTIs2ZvvJGFW5Gz/r1Y0sJnxiYYbK8EL9rQPIiuduKg4An0MKd+f/z6AFS7zs8tYAmu1gb",
+	"ipMbqgJCWVq3M8NzbkKkOdNX3qjCzehZv6JsKeETAzNMqBfidw1IXiR3ZHEQ8CRbuDP/fx49QOp9h6cW",
-	"aMar1yTUVmDioE11GOknQMeb0zf9jaqDcJuDU8veNjz5aA7MdFUhK0hKa7iUpQ3DYfMO2CFg5mcMLfsC",
+	"0GQXawPNeD2bhNoKTBy0qQ4s/QToeHP6pr9RdVhuc3Bq2duGJx/NgZmuM2QFSWkNl7L8YThs3gE7BMz8",
-	"j834dgzlhQFDd+IYIX1R0BGv1k/bANDG57cjCDcKwjZ61pgSR2rtaVS/GBvj3XVEWXNnu51rtfbL6YYQ",
+	"jKFlX+CxGd+OobwwYOhOHDWkLwo64vX7aRsA2vj8dgThRkHYRs8aU+JIrU+N6pdnY7y7jihr7n63c63W",
-	"6fe20+5ydaQWq0MOtNo9pOuFVvuVEUd4W+FtApwG8LqyxxHfVB2rNML7HbDGycoT00S9ckbzbUY2HHf7",
+	"njrdECL93nbafa+O1GIFyYFWu6t0vdBqv1biCG8rvE2A0wBeV/844puqo5dGeL8D1jh9eWKaqFfOcb7N",
-	"sbh6a7NDA/1y1PXQa7538YhcK3LbWHoJbp/VX0stRHekE/1BWtLtKUy371lfK9sw3xb7EngfA/OgvGOT",
+	"yIbjbj8WV292dmigX6C6HnrNdzMekWtFbhtLL8Hts/prqYXojnSiP0hLuj2F6fZd7GtlG+YbZV8C72Ng",
-	"oVmD+Oaj9D6RfYznx3jeBfb66I4D3CVxN+DrMz57DeZrQ7JxMe8RlI6grOy+CViWi/Sj5/KP5UheEzrS",
+	"HpR3bDI0axDffJTeJ7KP8fwYz7vAXh/vcYC7JO4GfH0OaK/BfG1INi7vPYLSEZSV3TcBy3KRfvRc/rEc",
-	"zrtY8Wo+1klNqDWdEz3wcN26mt+hjf5hl/Xco/Oe36OPdKzxcnTeg2c9a6zcpUGwUa+pT1E6O011VLHH",
+	"yatER9qZGCtezUc/qQm1prOkBx6uW9f3O7TRP/6ynnt03gV89JGONV6OznvwrOeRlbs0CDbqNfVJS2en",
-	"Z+ojjUeXMblM4/Lio6sMd5UKYrtwFf10mLOzaGfNetxFP5V2dJiuOaZ1JfHRdYa7jga3XToPXct7qLv7",
+	"qY4z9vhMfezx6DIml2lccHx0leGuUkFsF66inyBzdhbtPFqPu+gn144O0zXHtK4tPrrOcNfR4LZL56Fr",
-	"/HQTzgscon3F+9ET1veErc8jC4gTp9cU02l2owu0j8b/GvDvuMb/6AH9HmC5LUGBf+XxBqHvlEBZj+p3",
+	"eQ91d5+fbsJ5gUO0r4E/esL6nrD1eWQBceL0mmI68W50gfbx+V8D/h1X/R89oN8DLDcqKPCvPN4g9J0S",
-	"gv9nTZ5ejP5jLvRi/BsyoS14wKDl1Mb9kp3Lqo27K38FB+j5YtrRBdwWZtu3mG5wgba7WId6OI5F8VhT",
+	"KOtx/k7w/6zJ04vRf8yFXox/Qya0BQ8YtJzauIOyc1m1cb/lr+AAPV9VO7qA28Js+6bTDS7QdhfrUA/H",
-	"GsumWRyfNW8aOGikb7Hgp/ogryOx/ELwrkuJmh8TOTqlYzGRhu+h7ig/xfdKfIrvVd+LhioTPb++8kx3",
+	"sSgea0pj2TSL47PmbQQHjfQtFvxUH+11JJZfEd51KVHzgyNHp3QsJtLwPdQd5ef6XonP9b3qe9FQZaLn",
-	"xXr3mELoZak68K4u3Ww5p+E22t375tAZaP3Zp+Pbj0eQ91Yl2+DWVR4qTrnQ0XP1ze1tV86Jk1prH8Y5",
+	"11ee6T5Z7x5TCL0sVYfi1cWcLec03Fi7e98cOgOtP/t0fB/yCPLeqmQb3LrKQ8UpFzp6rr7Lve3KOXFU",
-	"1lj8yjUWHWAdmhP15kJ0NxiVRVQDcp/qYLBzm0nrPv9jquWaah1deGCOpbuvCPUdvrt6m5GD89azl817",
+	"a+3DOMcai1+5xqIDrENzot5ciO4Go7KIakDuUx0edm4zad35f0y1XFOtowsPzLF09xWhvsN3V288cnDe",
-	"V4/Xbt99X+KPgxr9sp54PBk00BNXXKDtiuLIPO9AOkXzxaU61iBPfo9wHo0eXgv7lX217h27vRJ3Tahv",
+	"evayee/q8drtu+9L/HFQo1/WE48ngwZ64ooLtF1RnJnnHUinaL64VMca5MnvEc6j0cNrYb+yr9bdZLdX",
-	"5clv5PkrXzWUwpSHzzUBOYjMvc2B+auf1NR6qINNZwfVHczZrPnBa62z1n6Uc58rX67VemwscS6/Lv8X",
+	"4j4K9T09+R09f+XLh1KY8vC5JiAHkbm3OTB/9bObWg91sOnsoLqnOZs1P4qtddbaj3Luc+XrtlqPjSXO",
-	"AAD//4u67HhmjgAA",
+	"5dfl/wIAAP//tvNQvIqOAAA=",
 }
 
 // GetSwagger returns the content of the embedded swagger specification file

registry/app/api/openapi/contracts/artifact/types.gen.go

@@ -414,6 +414,7 @@ type UpstreamConfigSource string
 type UserPassword struct {
 	SecretIdentifier *string `json:"secretIdentifier,omitempty"`
 	SecretSpaceId    *int    `json:"secretSpaceId,omitempty"`
+	SecretSpacePath  *string `json:"secretSpacePath,omitempty"`
 	UserName         string  `json:"userName"`
 }
 

registry/app/api/router/harness/route.go

@@ -65,6 +65,7 @@ func NewAPIHandler(
 	urlProvider urlprovider.Provider,
 	authorizer authz.Authorizer,
 	auditService audit.Service,
+	spacePathStore corestore.SpacePathStore,
 ) APIHandler {
 	r := chi.NewRouter()
 	r.Use(audit.Middleware())
@@ -83,6 +84,7 @@ func NewAPIHandler(
 		urlProvider,
 		authorizer,
 		auditService,
+		spacePathStore,
 	)
 	handler := artifact.NewStrictHandler(apiController, []artifact.StrictMiddlewareFunc{})
 	muxHandler := artifact.HandlerFromMuxWithBaseURL(handler, r, baseURL)

registry/app/api/router/wire.go

@@ -52,6 +52,7 @@ func APIHandlerProvider(
 	urlProvider urlprovider.Provider,
 	authorizer authz.Authorizer,
 	auditService audit.Service,
+	spacePathStore corestore.SpacePathStore,
 ) harness.APIHandler {
 	return harness.NewAPIHandler(
 		repoDao,
@@ -68,6 +69,7 @@ func APIHandlerProvider(
 		urlProvider,
 		authorizer,
 		auditService,
+		spacePathStore,
 	)
 }
 

registry/app/remote/adapter/native/adapter.go

@@ -63,15 +63,8 @@ func getPwd(
 	ctx context.Context, spacePathStore store.SpacePathStore, secretService secret.Service, reg types.UpstreamProxy,
 ) string {
 	if api.AuthType(reg.RepoAuthType) == api.AuthTypeUserPassword {
-		secretSpaceID := int64(0)
+		secretSpaceID := reg.SecretSpaceID
-		if reg.SecretSpaceID.Valid {
+		secretIdentifier := reg.SecretIdentifier
-			secretSpaceID = int64(reg.SecretSpaceID.Int32)
-		}
-
-		secretIdentifier := ""
-		if reg.SecretIdentifier.Valid {
-			secretIdentifier = reg.SecretIdentifier.String
-		}
 
 		spacePath, err := spacePathStore.FindPrimaryBySpaceID(ctx, secretSpaceID)
 		if err != nil {

registry/app/store/database/upstream_proxy.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/harness/gitness/app/api/request"
+	corestore "github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/registry/app/api/openapi/contracts/artifact"
 	"github.com/harness/gitness/registry/app/store"
 	"github.com/harness/gitness/registry/app/store/database/util"
@@ -37,12 +38,16 @@ import (
 type UpstreamproxyDao struct {
 	registryDao    store.RegistryRepository
 	db             *sqlx.DB
+	spacePathStore corestore.SpacePathStore
 }
 
-func NewUpstreamproxyDao(db *sqlx.DB, registryDao store.RegistryRepository) store.UpstreamProxyConfigRepository {
+func NewUpstreamproxyDao(
+	db *sqlx.DB, registryDao store.RegistryRepository, spacePathStore corestore.SpacePathStore,
+) store.UpstreamProxyConfigRepository {
 	return &UpstreamproxyDao{
 		registryDao:    registryDao,
 		db:             db,
+		spacePathStore: spacePathStore,
 	}
 }
 
@@ -150,7 +155,8 @@ func (r UpstreamproxyDao) GetByRegistryIdentifier(
 }
 
 func (r UpstreamproxyDao) GetByParentID(ctx context.Context, parentID string) (
-	upstreamProxies *[]types.UpstreamProxy, err error) {
+	upstreamProxies *[]types.UpstreamProxy, err error,
+) {
 	q := getUpstreamProxyQuery()
 	q = q.Where("r.registry_parent_id = ? AND r.registry_type = 'UPSTREAM'",
 		parentID)
@@ -371,17 +377,35 @@ func (r UpstreamproxyDao) mapToInternalUpstreamProxy(
 }
 
 func (r UpstreamproxyDao) mapToUpstreamProxy(
-	_ context.Context,
+	ctx context.Context,
 	dst *upstreamProxyDB,
 ) (*types.UpstreamProxy, error) {
 	createdBy := int64(-1)
 	updatedBy := int64(-1)
+	secretIdentifier := ""
+	secretSpaceID := int64(-1)
 	if dst.CreatedBy.Valid {
 		createdBy = dst.CreatedBy.Int64
 	}
 	if dst.UpdatedBy.Valid {
 		updatedBy = dst.UpdatedBy.Int64
 	}
+	if dst.SecretIdentifier.Valid {
+		secretIdentifier = dst.SecretIdentifier.String
+	}
+	if dst.SecretSpaceID.Valid {
+		secretSpaceID = int64(dst.SecretSpaceID.Int32)
+	}
+
+	secretSpacePath := ""
+	if dst.SecretSpaceID.Valid {
+		primary, err := r.spacePathStore.FindPrimaryBySpaceID(ctx, int64(dst.SecretSpaceID.Int32))
+		if err != nil {
+			return nil, fmt.Errorf("failed to get secret space path: %w", err)
+		}
+		secretSpacePath = primary.Value
+	}
+
 	return &types.UpstreamProxy{
 		ID:               dst.ID,
 		RegistryID:       dst.RegistryID,
@@ -394,8 +418,9 @@ func (r UpstreamproxyDao) mapToUpstreamProxy(
 		RepoURL:          dst.RepoURL,
 		RepoAuthType:     dst.RepoAuthType,
 		UserName:         dst.UserName,
-		SecretIdentifier: dst.SecretIdentifier,
+		SecretIdentifier: secretIdentifier,
-		SecretSpaceID:    dst.SecretSpaceID,
+		SecretSpaceID:    secretSpaceID,
+		SecretSpacePath:  secretSpacePath,
 		Token:            dst.Token,
 		CreatedAt:        time.UnixMilli(dst.CreatedAt),
 		UpdatedAt:        time.UnixMilli(dst.UpdatedAt),

registry/app/store/database/wire.go

@@ -15,6 +15,7 @@
 package database
 
 import (
+	corestore "github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/registry/app/store"
 	"github.com/harness/gitness/store/database/dbtx"
 
@@ -22,9 +23,12 @@ import (
 	"github.com/jmoiron/sqlx"
 )
 
-func ProvideUpstreamDao(db *sqlx.DB,
+func ProvideUpstreamDao(
-	registryDao store.RegistryRepository) store.UpstreamProxyConfigRepository {
+	db *sqlx.DB,
-	return NewUpstreamproxyDao(db, registryDao)
+	registryDao store.RegistryRepository,
+	spacePathStore corestore.SpacePathStore,
+) store.UpstreamProxyConfigRepository {
+	return NewUpstreamproxyDao(db, registryDao, spacePathStore)
 }
 
 func ProvideRepoDao(db *sqlx.DB, mtRepository store.MediaTypesRepository) store.RegistryRepository {

registry/types/upstream_proxy_config.go

@@ -15,7 +15,6 @@
 package types
 
 import (
-	"database/sql"
 	"time"
 
 	"github.com/harness/gitness/registry/app/api/openapi/contracts/artifact"
@@ -51,8 +50,9 @@ type UpstreamProxy struct {
 	RepoURL          string
 	RepoAuthType     string
 	UserName         string
-	SecretIdentifier sql.NullString
+	SecretIdentifier string
-	SecretSpaceID    sql.NullInt32
+	SecretSpaceID    int64
+	SecretSpacePath  string
 	Token            string
 	CreatedAt        time.Time
 	UpdatedAt        time.Time