infrahub-server 1.4.9__py3-none-any.whl → 1.4.11__py3-none-any.whl

infrahub/api/oauth2.py

@@ -11,14 +11,16 @@ from opentelemetry import trace
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -95,7 +97,7 @@ async def token(
     }
 
     token_response = await service.http.post(provider.token_url, data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OAuth 2.0")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -107,12 +109,17 @@ async def token(
     else:
         userinfo_response = await service.http.post(provider.userinfo_url, headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OAuth 2.0")
     user_info = userinfo_response.json()
     sso_groups = user_info.get("groups", []) or await get_groups_from_provider(
         provider=provider, service=service, payload=payload, user_info=user_info
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -134,16 +141,3 @@ async def token(
     return models.UserTokenWithUrl(
         access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
     )
-
-
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OAuth provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")

infrahub/api/oidc.py

@@ -13,14 +13,16 @@ from pydantic import BaseModel, HttpUrl
 
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
-from infrahub.auth import get_groups_from_provider, signin_sso_account
-from infrahub.exceptions import GatewayError, ProcessingError
+from infrahub.auth import (
+    get_groups_from_provider,
+    signin_sso_account,
+    validate_auth_response,
+)
+from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
 
 if TYPE_CHECKING:
-    import httpx
-
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
@@ -69,7 +71,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     service: InfrahubServices = request.app.state.service
 
     response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=response)
+    validate_auth_response(response=response, provider_type="OIDC")
     oidc_config = OIDCDiscoveryConfig(**response.json())
 
     with trace.get_tracer(__name__).start_as_current_span("sso_oauth2_client_configuration") as span:
@@ -129,12 +131,12 @@ async def token(
     }
 
     discovery_response = await service.http.get(url=provider.discovery_url)
-    _validate_response(response=discovery_response)
+    validate_auth_response(response=discovery_response, provider_type="OIDC")
 
     oidc_config = OIDCDiscoveryConfig(**discovery_response.json())
 
     token_response = await service.http.post(str(oidc_config.token_endpoint), data=token_data)
-    _validate_response(response=token_response)
+    validate_auth_response(response=token_response, provider_type="OIDC")
 
     with trace.get_tracer(__name__).start_as_current_span("sso_token_request") as span:
         span.set_attribute("token_request_data", ujson.dumps(token_response.json()))
@@ -147,7 +149,7 @@ async def token(
     else:
         userinfo_response = await service.http.post(str(oidc_config.userinfo_endpoint), headers=headers)
 
-    _validate_response(response=userinfo_response)
+    validate_auth_response(response=userinfo_response, provider_type="OIDC")
     user_info: dict[str, Any] = userinfo_response.json()
     sso_groups = (
         user_info.get("groups")
@@ -157,6 +159,11 @@ async def token(
         or await get_groups_from_provider(provider=provider, service=service, payload=payload, user_info=user_info)
     )
 
+    log.info(
+        "SSO user authenticated",
+        body={"user_name": user_info.get("name"), "groups": sso_groups},
+    )
+
     if not sso_groups and config.SETTINGS.security.sso_user_default_group:
         sso_groups = [config.SETTINGS.security.sso_user_default_group]
 
@@ -180,19 +187,6 @@ async def token(
     )
 
 
-def _validate_response(response: httpx.Response) -> None:
-    if 200 <= response.status_code <= 299:
-        return
-
-    log.error(
-        "Invalid response from the OIDC provider",
-        url=response.url,
-        status_code=response.status_code,
-        body=response.json(),
-    )
-    raise GatewayError(message="Invalid response from Authentication provider")
-
-
 async def _get_id_token_groups(
     oidc_config: OIDCDiscoveryConfig, service: InfrahubServices, payload: dict[str, Any], client_id: str
 ) -> list[str]:

infrahub/artifacts/models.py

@@ -25,7 +25,8 @@ class CheckArtifactCreate(BaseModel):
     target_kind: str = Field(..., description="The kind of the target object for this artifact")
     target_name: str = Field(..., description="Name of the artifact target")
     artifact_id: str | None = Field(default=None, description="The id of the artifact if it previously existed")
-    query: str = Field(..., description="The name of the query to use when collecting data")
+    query: str = Field(..., description="The name of the query to use when collecting data")  # Deprecated
+    query_id: str = Field(..., description="The id of the query to use when collecting data")
     timeout: int = Field(..., description="Timeout for requests used to generate this artifact")
     variables: dict = Field(..., description="Input variables when generating the artifact")
     validator_id: str = Field(..., description="The ID of the validator")

infrahub/auth.py

@@ -3,27 +3,37 @@ from __future__ import annotations
 import uuid
 from datetime import datetime, timedelta, timezone
 from enum import Enum
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Any
 
 import bcrypt
 import jwt
 from pydantic import BaseModel
 
 from infrahub import config, models
-from infrahub.config import SecurityOAuth2Google, SecurityOAuth2Settings, SecurityOIDCGoogle, SecurityOIDCSettings
+from infrahub.config import (
+    SecurityOAuth2Google,
+    SecurityOAuth2Settings,
+    SecurityOIDCGoogle,
+    SecurityOIDCSettings,
+)
 from infrahub.core.account import validate_token
 from infrahub.core.constants import AccountStatus, InfrahubKind
 from infrahub.core.manager import NodeManager
 from infrahub.core.node import Node
 from infrahub.core.protocols import CoreAccount, CoreAccountGroup
 from infrahub.core.registry import registry
-from infrahub.exceptions import AuthorizationError, NodeNotFoundError
+from infrahub.exceptions import AuthorizationError, GatewayError, NodeNotFoundError
+from infrahub.log import get_logger
 
 if TYPE_CHECKING:
+    import httpx
+
     from infrahub.core.protocols import CoreGenericAccount
     from infrahub.database import InfrahubDatabase
     from infrahub.services import InfrahubServices
 
+log = get_logger()
+
 
 class AuthType(str, Enum):
     NONE = "none"
@@ -256,3 +266,127 @@ async def get_groups_from_provider(
                 return [membership["groupKey"]["id"] for membership in group_memberships["memberships"]]
 
     return []
+
+
+def safe_get_response_body(response: httpx.Response, raise_error_on_empty_body: bool = True) -> str | dict[str, Any]:
+    """Safely extract response body from HTTP response. If the response body cannot be JSON parsed or is empty,
+    it raises a GatewayError.
+
+    Args:
+        response: The HTTP response object
+        raise_error_on_empty_body: Whether to raise an error if the response body is empty
+
+    Returns:
+        The response body as JSON dict if possible, otherwise as text
+
+    Raises:
+        GatewayError: When the response body cannot be parsed or is empty
+    """
+    # Try to parse as JSON first
+    try:
+        return response.json()
+    except Exception as json_error:
+        try:
+            # Try to get as text
+            text_body = response.text
+            if not text_body.strip() and raise_error_on_empty_body:  # Check for empty or whitespace-only response
+                log.error(
+                    "Empty response body from authentication provider",
+                    url=str(response.url),
+                    status_code=response.status_code,
+                )
+                raise GatewayError(message="Authentication provider returned an empty response") from json_error
+        except Exception:
+            log.error(
+                "Unable to read response body from authentication provider",
+                url=str(response.url),
+                status_code=response.status_code,
+            )
+            raise GatewayError(message="Unable to read response from authentication provider") from json_error
+
+    # Here it means we got a text response but not JSON
+    return text_body
+
+
+def extract_auth_error_message(response_body: str | dict[str, Any], base_message: str) -> str:
+    """Extract error message from OAuth 2.0/OIDC provider response following RFC 6749.
+
+    Args:
+        response_body: The response body from the authentication provider
+        base_message: Base error message to use if no specific error is found
+
+    Returns:
+        Formatted error message with provider details if available
+    """
+    if not isinstance(response_body, dict):
+        return base_message
+
+    # RFC 6749 standard error response format
+    error_description = response_body.get("error_description")
+    error_code = response_body.get("error")
+
+    if error_description:
+        return f"{base_message}: {error_description}"
+    if error_code:
+        return f"{base_message}: {error_code}"
+
+    return base_message
+
+
+def validate_auth_response(response: httpx.Response, provider_type: str = "authentication") -> None:
+    """Validate HTTP response from OAuth 2.0/OIDC provider and raise appropriate errors.
+
+    Args:
+        response: The HTTP response from the authentication provider
+        provider_type: Type of provider for logging (e.g., "OAuth 2.0", "OIDC")
+
+    Raises:
+        GatewayError: When the response indicates an error or invalid state
+    """
+    # If the status code is successful, simply return
+    if 200 <= response.status_code <= 299:
+        # Verify that we can read the response body safely and it is not empty
+        safe_get_response_body(response)
+        return
+
+    # Prepare variables with default values for logging
+    response_body = safe_get_response_body(response, raise_error_on_empty_body=False)
+    log_message: str = f"Unexpected response from {provider_type} provider"
+    base_msg: str = "Unexpected response from authentication provider."
+
+    # Handle specific HTTP status codes with appropriate error messages
+    match response.status_code:
+        case 400:
+            log_message = f"Bad request to {provider_type} provider"
+            base_msg = "Bad request to authentication provider. Please try again later or contact your administrator."
+
+        case 401:
+            log_message = f"Unauthorized request to {provider_type} provider"
+            base_msg = (
+                "Unauthorized request to authentication provider. Please try again later or contact your administrator."
+            )
+
+        case 403:
+            log_message = f"Forbidden request to {provider_type} provider"
+            base_msg = (
+                "Access forbidden by authentication provider. Please try again later or contact your administrator."
+            )
+
+        case 404:
+            log_message = f"Resource not found for {provider_type} provider"
+            base_msg = (
+                "Authentication provider endpoint not found. Please try again later or contact your administrator."
+            )
+
+        case 429:
+            log_message = f"Rate limited by {provider_type} provider"
+            base_msg = "Rate limited by authentication provider. Please try again later."
+
+        case status_code if 500 <= status_code <= 599:
+            log_message = f"Server error from {provider_type} provider"
+            base_msg = "Authentication provider is experiencing server issues. Please try again later or contact your administrator."
+
+    # Print proper log and raise gateway error
+    log.error(log_message, url=str(response.url), status_code=response.status_code, body=response_body)
+    error_msg = extract_auth_error_message(response_body, base_msg)
+    raise GatewayError(message=error_msg)

infrahub/cli/db.py

@@ -54,6 +54,7 @@ from infrahub.log import get_logger
 
 from .constants import ERROR_BADGE, FAILED_BADGE, SUCCESS_BADGE
 from .db_commands.check_inheritance import check_inheritance
+from .db_commands.clean_duplicate_schema_fields import clean_duplicate_schema_fields
 from .patch import patch_app
 
 
@@ -200,6 +201,29 @@ async def check_inheritance_cmd(
     await dbdriver.close()
 
 
+@app.command(name="check-duplicate-schema-fields")
+async def check_duplicate_schema_fields_cmd(
+    ctx: typer.Context,
+    fix: bool = typer.Option(False, help="Fix the duplicate schema fields on the default branch."),
+    config_file: str = typer.Argument("infrahub.toml", envvar="INFRAHUB_CONFIG"),
+) -> None:
+    """Check for any duplicate schema attributes or relationships on the default branch"""
+    logging.getLogger("infrahub").setLevel(logging.WARNING)
+    logging.getLogger("neo4j").setLevel(logging.ERROR)
+    logging.getLogger("prefect").setLevel(logging.ERROR)
+
+    config.load_and_exit(config_file_name=config_file)
+
+    context: CliContext = ctx.obj
+    dbdriver = await context.init_db(retry=1)
+
+    success = await clean_duplicate_schema_fields(db=dbdriver, fix=fix)
+    if not success:
+        raise typer.Exit(code=1)
+
+    await dbdriver.close()
+
+
 @app.command(name="update-core-schema")
 async def update_core_schema_cmd(
     ctx: typer.Context,

infrahub/cli/db_commands/clean_duplicate_schema_fields.py

@@ -0,0 +1,212 @@
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+from rich import print as rprint
+from rich.console import Console
+from rich.table import Table
+
+from infrahub.cli.constants import FAILED_BADGE, SUCCESS_BADGE
+from infrahub.core.query import Query, QueryType
+from infrahub.database import InfrahubDatabase
+
+
+class SchemaFieldType(str, Enum):
+    ATTRIBUTE = "attribute"
+    RELATIONSHIP = "relationship"
+
+
+@dataclass
+class SchemaFieldDetails:
+    schema_kind: str
+    schema_uuid: str
+    field_type: SchemaFieldType
+    field_name: str
+
+
+class DuplicateSchemaFields(Query):
+    async def query_init(self, db: InfrahubDatabase, **kwargs: dict[str, Any]) -> None:  # noqa: ARG002
+        query = """
+MATCH (root:Root)
+LIMIT 1
+WITH root.default_branch AS default_branch
+MATCH (field:SchemaAttribute|SchemaRelationship)
+CALL (default_branch, field) {
+    MATCH (field)-[is_part_of:IS_PART_OF]->(:Root)
+    WHERE is_part_of.branch = default_branch
+    ORDER BY is_part_of.from DESC
+    RETURN is_part_of
+    LIMIT 1
+}
+WITH default_branch, field, CASE
+    WHEN is_part_of.status = "active" AND is_part_of.to IS NULL THEN is_part_of.from
+    ELSE NULL
+END AS active_from
+WHERE active_from IS NOT NULL
+WITH default_branch, field, active_from, "SchemaAttribute" IN labels(field) AS is_attribute
+CALL (field, default_branch) {
+    MATCH (field)-[r1:HAS_ATTRIBUTE]->(:Attribute {name: "name"})-[r2:HAS_VALUE]->(name_value:AttributeValue)
+    WHERE r1.branch = default_branch AND r2.branch = default_branch
+    AND r1.status = "active" AND r2.status = "active"
+    AND r1.to IS NULL AND r2.to IS NULL
+    ORDER BY r1.from DESC, r1.status ASC, r2.from DESC, r2.status ASC
+    LIMIT 1
+    RETURN name_value.value AS field_name
+}
+CALL (field, default_branch) {
+    MATCH (field)-[r1:IS_RELATED]-(rel:Relationship)-[r2:IS_RELATED]-(peer:SchemaNode|SchemaGeneric)
+    WHERE rel.name IN ["schema__node__relationships", "schema__node__attributes"]
+    AND r1.branch = default_branch AND r2.branch = default_branch
+    AND r1.status = "active" AND r2.status = "active"
+    AND r1.to IS NULL AND r2.to IS NULL
+    ORDER BY r1.from DESC, r1.status ASC, r2.from DESC, r2.status ASC
+    LIMIT 1
+    RETURN peer AS schema_vertex
+}
+WITH default_branch, field, field_name, is_attribute, active_from, schema_vertex
+ORDER BY active_from DESC
+WITH default_branch, field_name, is_attribute, schema_vertex, collect(field) AS fields_reverse_chron
+WHERE size(fields_reverse_chron) > 1
+        """
+        self.add_to_query(query)
+
+
+class GetDuplicateSchemaFields(DuplicateSchemaFields):
+    """
+    Get the kind, field type, and field name for any duplicated attributes or relationships on a given schema
+    on the default branch
+    """
+
+    name = "get_duplicate_schema_fields"
+    type = QueryType.READ
+    insert_return = False
+
+    async def query_init(self, db: InfrahubDatabase, **kwargs: dict[str, Any]) -> None:
+        await super().query_init(db=db, **kwargs)
+        query = """
+CALL (schema_vertex, default_branch) {
+    MATCH (schema_vertex)-[r1:HAS_ATTRIBUTE]->(:Attribute {name: "namespace"})-[r2:HAS_VALUE]->(name_value:AttributeValue)
+    WHERE r1.branch = default_branch AND r2.branch = default_branch
+    ORDER BY r1.from DESC, r1.status ASC, r2.from DESC, r2.status ASC
+    LIMIT 1
+    RETURN name_value.value AS schema_namespace
+}
+CALL (schema_vertex, default_branch) {
+    MATCH (schema_vertex)-[r1:HAS_ATTRIBUTE]->(:Attribute {name: "name"})-[r2:HAS_VALUE]->(name_value:AttributeValue)
+    WHERE r1.branch = default_branch AND r2.branch = default_branch
+    ORDER BY r1.from DESC, r1.status ASC, r2.from DESC, r2.status ASC
+    LIMIT 1
+    RETURN name_value.value AS schema_name
+}
+RETURN schema_namespace + schema_name AS schema_kind, schema_vertex.uuid AS schema_uuid, field_name, is_attribute
+ORDER BY schema_kind ASC, is_attribute DESC, field_name ASC
+        """
+        self.return_labels = ["schema_kind", "schema_uuid", "field_name", "is_attribute"]
+        self.add_to_query(query)
+
+    def get_schema_field_details(self) -> list[SchemaFieldDetails]:
+        schema_field_details: list[SchemaFieldDetails] = []
+        for result in self.results:
+            schema_kind = result.get_as_type(label="schema_kind", return_type=str)
+            schema_uuid = result.get_as_type(label="schema_uuid", return_type=str)
+            field_name = result.get_as_type(label="field_name", return_type=str)
+            is_attribute = result.get_as_type(label="is_attribute", return_type=bool)
+            schema_field_details.append(
+                SchemaFieldDetails(
+                    schema_kind=schema_kind,
+                    schema_uuid=schema_uuid,
+                    field_name=field_name,
+                    field_type=SchemaFieldType.ATTRIBUTE if is_attribute else SchemaFieldType.RELATIONSHIP,
+                )
+            )
+        return schema_field_details
+
+
+class FixDuplicateSchemaFields(DuplicateSchemaFields):
+    """
+    Fix the duplicate schema fields by hard deleting the earlier duplicate(s)
+    """
+
+    name = "fix_duplicate_schema_fields"
+    type = QueryType.WRITE
+    insert_return = False
+
+    async def query_init(self, db: InfrahubDatabase, **kwargs: dict[str, Any]) -> None:
+        await super().query_init(db=db, **kwargs)
+        query = """
+WITH default_branch, tail(fields_reverse_chron) AS fields_to_delete
+UNWIND fields_to_delete AS field_to_delete
+CALL (field_to_delete, default_branch) {
+    MATCH (field_to_delete)-[r:IS_PART_OF {branch: default_branch}]-()
+    DELETE r
+    WITH field_to_delete
+    MATCH (field_to_delete)-[:IS_RELATED {branch: default_branch}]-(rel:Relationship)
+    WITH DISTINCT field_to_delete, rel
+    MATCH (rel)-[r {branch: default_branch}]-()
+    DELETE r
+    WITH field_to_delete, rel
+    OPTIONAL MATCH (rel)
+    WHERE NOT exists((rel)--())
+    DELETE rel
+    WITH DISTINCT field_to_delete
+    MATCH (field_to_delete)-[:HAS_ATTRIBUTE {branch: default_branch}]->(attr:Attribute)
+    MATCH (attr)-[r {branch: default_branch}]-()
+    DELETE r
+    WITH field_to_delete, attr
+    OPTIONAL MATCH (attr)
+    WHERE NOT exists((attr)--())
+    DELETE attr
+    WITH DISTINCT field_to_delete
+    OPTIONAL MATCH (field_to_delete)
+    WHERE NOT exists((field_to_delete)--())
+    DELETE field_to_delete
+}
+        """
+        self.add_to_query(query)
+
+
+def display_duplicate_schema_fields(duplicate_schema_fields: list[SchemaFieldDetails]) -> None:
+    console = Console()
+
+    table = Table(title="Duplicate Schema Fields on Default Branch")
+
+    table.add_column("Schema Kind")
+    table.add_column("Schema UUID")
+    table.add_column("Field Name")
+    table.add_column("Field Type")
+
+    for duplicate_schema_field in duplicate_schema_fields:
+        table.add_row(
+            duplicate_schema_field.schema_kind,
+            duplicate_schema_field.schema_uuid,
+            duplicate_schema_field.field_name,
+            duplicate_schema_field.field_type.value,
+        )
+
+    console.print(table)
+
+
+async def clean_duplicate_schema_fields(db: InfrahubDatabase, fix: bool = False) -> bool:
+    """
+    Identify any attributes or relationships that are duplicated in a schema on the default branch
+    If fix is True, runs cypher queries to hard delete the earlier duplicate
+    """
+
+    duplicate_schema_fields_query = await GetDuplicateSchemaFields.init(db=db)
+    await duplicate_schema_fields_query.execute(db=db)
+    duplicate_schema_fields = duplicate_schema_fields_query.get_schema_field_details()
+
+    if not duplicate_schema_fields:
+        rprint(f"{SUCCESS_BADGE} No duplicate schema fields found")
+        return True
+
+    display_duplicate_schema_fields(duplicate_schema_fields)
+
+    if not fix:
+        rprint(f"{FAILED_BADGE} Use the --fix flag to fix the duplicate schema fields")
+        return False
+
+    fix_duplicate_schema_fields_query = await FixDuplicateSchemaFields.init(db=db)
+    await fix_duplicate_schema_fields_query.execute(db=db)
+    rprint(f"{SUCCESS_BADGE} Duplicate schema fields deleted from the default branch")
+    return True

infrahub/computed_attribute/tasks.py

@@ -104,7 +104,7 @@ async def process_transform(
         )  # type: ignore[misc]
 
         data = await client.query_gql_query(
-            name=transform.query.peer.name.value,
+            name=transform.query.id,
             branch_name=branch_name,
             variables={"id": object_id},
             update_group=True,

infrahub/core/changelog/models.py

@@ -560,7 +560,7 @@ class RelationshipChangelogGetter:
 
         for peer in relationship.peers:
             if peer.peer_status == DiffAction.ADDED:
-                peer_schema = schema_branch.get(name=peer.peer_kind)
+                peer_schema = schema_branch.get(name=peer.peer_kind, duplicate=False)
                 secondaries.extend(
                     self._process_added_peers(
                         peer_id=peer.peer_id,
@@ -572,7 +572,7 @@ class RelationshipChangelogGetter:
                 )
 
             elif peer.peer_status == DiffAction.REMOVED:
-                peer_schema = schema_branch.get(name=peer.peer_kind)
+                peer_schema = schema_branch.get(name=peer.peer_kind, duplicate=False)
                 secondaries.extend(
                     self._process_removed_peers(
                         peer_id=peer.peer_id,

infrahub/core/diff/query/artifact.py

@@ -44,7 +44,7 @@ CALL (source_artifact) {
     MATCH (source_artifact)-[r:IS_PART_OF]->(:Root)
     WHERE %(source_branch_filter)s
     RETURN r AS root_rel
-    ORDER BY r.branch_level DESC, r.from DESC
+    ORDER BY r.branch_level DESC, r.from DESC, r.status ASC
     LIMIT 1
 }
 WITH source_artifact, root_rel
@@ -61,7 +61,7 @@ CALL (source_artifact) {
             target_node,
             (rrel1.status = "active" AND rrel2.status = "active") AS target_is_active,
             $source_branch_name IN [rrel1.branch, rrel2.branch] AS target_on_source_branch
-        ORDER BY rrel1.branch_level DESC, rrel1.branch_level DESC, rrel1.from DESC, rrel2.from DESC
+        ORDER BY rrel1.branch_level DESC, rrel2.branch_level DESC, rrel1.from DESC, rrel2.from DESC, rrel1.status ASC, rrel2.status ASC
         LIMIT 1
     }
     // -----------------------
@@ -75,7 +75,7 @@ CALL (source_artifact) {
             definition_node,
             (rrel1.status = "active" AND rrel2.status = "active") AS definition_is_active,
             $source_branch_name IN [rrel1.branch, rrel2.branch] AS definition_on_source_branch
-        ORDER BY rrel1.branch_level DESC, rrel1.branch_level DESC, rrel1.from DESC, rrel2.from DESC
+        ORDER BY rrel1.branch_level DESC, rrel2.branch_level DESC, rrel1.from DESC, rrel2.from DESC, rrel1.status ASC, rrel2.status ASC
         LIMIT 1
     }
     // -----------------------
@@ -89,7 +89,8 @@ CALL (source_artifact) {
             attr_val.value AS checksum,
             (attr_rel.status = "active" AND value_rel.status = "active") AS checksum_is_active,
             $source_branch_name IN [attr_rel.branch, value_rel.branch] AS checksum_on_source_branch
-        ORDER BY value_rel.branch_level DESC, attr_rel.branch_level DESC, value_rel.from DESC, attr_rel.from DESC
+        ORDER BY value_rel.branch_level DESC, attr_rel.branch_level DESC, value_rel.from DESC, attr_rel.from DESC,
+            value_rel.status ASC, attr_rel.status ASC
         LIMIT 1
     }
     // -----------------------
@@ -103,7 +104,8 @@ CALL (source_artifact) {
             attr_val.value AS storage_id,
             (attr_rel.status = "active" AND value_rel.status = "active") AS storage_id_is_active,
             $source_branch_name IN [attr_rel.branch, value_rel.branch] AS storage_id_on_source_branch
-        ORDER BY value_rel.branch_level DESC, attr_rel.branch_level DESC, value_rel.from DESC, attr_rel.from DESC
+        ORDER BY value_rel.branch_level DESC, attr_rel.branch_level DESC, value_rel.from DESC, attr_rel.from DESC,
+            value_rel.status ASC, attr_rel.status ASC
         LIMIT 1
     }
     WITH target_node, target_is_active, target_on_source_branch,
@@ -146,8 +148,9 @@ CALL (target_node, definition_node){
         )
         RETURN
             target_artifact,
-            (trel1.status = "active" AND trel2.status = "active" AND drel1.status = "active" AND drel1.status = "active") AS artifact_is_active
-        ORDER BY trel1.from DESC, trel2.from DESC, drel1.from DESC, drel2.from DESC
+            (trel1.status = "active" AND trel2.status = "active" AND drel1.status = "active" AND drel2.status = "active") AS artifact_is_active
+        ORDER BY trel1.from DESC, trel2.from DESC, drel1.from DESC, drel2.from DESC,
+            trel1.status ASC, trel2.status ASC, drel1.status ASC, drel2.status ASC
         LIMIT 1
     }
     WITH CASE
@@ -163,7 +166,7 @@ CALL (target_node, definition_node){
         AND attr_rel.branch = $target_branch_name
         AND value_rel.branch = $target_branch_name
         RETURN attr_val.value AS checksum, (attr_rel.status = "active" AND value_rel.status = "active") AS checksum_is_active
-        ORDER BY value_rel.from DESC, attr_rel.from DESC
+        ORDER BY value_rel.from DESC, attr_rel.from DESC, value_rel.status ASC, attr_rel.status ASC
         LIMIT 1
     }
     // -----------------------
@@ -175,7 +178,7 @@ CALL (target_node, definition_node){
         AND attr_rel.branch = $target_branch_name
         AND value_rel.branch = $target_branch_name
         RETURN attr_val.value AS storage_id, (attr_rel.status = "active" AND value_rel.status = "active") AS storage_id_is_active
-        ORDER BY value_rel.from DESC, attr_rel.from DESC
+        ORDER BY value_rel.from DESC, attr_rel.from DESC, value_rel.status ASC, attr_rel.status ASC
         LIMIT 1
     }
     RETURN target_artifact,