Merge pull request #2249 from Infisical/maidul-sqhdqwdgvqwjf

patch findProjectUserWorkspaceKey

backend/package-lock.json

@@ -25,6 +25,7 @@
         "@fastify/swagger": "^8.14.0",
         "@fastify/swagger-ui": "^2.1.0",
         "@node-saml/passport-saml": "^4.0.4",
+        "@octokit/plugin-retry": "^5.0.5",
         "@octokit/rest": "^20.0.2",
         "@octokit/webhooks-types": "^7.3.1",
         "@peculiar/asn1-schema": "^2.3.8",
@@ -7812,19 +7813,45 @@
       }
     },
     "node_modules/@octokit/plugin-retry": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
-      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-5.0.5.tgz",
+      "integrity": "sha512-sB1RWMhSrre02Atv95K6bhESlJ/sPdZkK/wE/w1IdSCe0yM6FxSjksLa6T7aAvxvxlLKzQEC4KIiqpqyov1Tbg==",
       "dependencies": {
-        "@octokit/request-error": "^5.0.0",
-        "@octokit/types": "^12.0.0",
+        "@octokit/request-error": "^4.0.1",
+        "@octokit/types": "^10.0.0",
         "bottleneck": "^2.15.3"
       },
       "engines": {
         "node": ">= 18"
       },
       "peerDependencies": {
-        "@octokit/core": ">=5"
+        "@octokit/core": ">=3"
+      }
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/openapi-types": {
+      "version": "18.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-18.1.1.tgz",
+      "integrity": "sha512-VRaeH8nCDtF5aXWnjPuEMIYf1itK/s3JYyJcWFJT8X9pSNnBtriDf7wlEWsGuhPLl4QIH4xM8fqTXDwJ3Mu6sw=="
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/request-error": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-4.0.2.tgz",
+      "integrity": "sha512-uqwUEmZw3x4I9DGYq9fODVAAvcLsPQv97NRycP6syEFu5916M189VnNBW2zANNwqg3OiligNcAey7P0SET843w==",
+      "dependencies": {
+        "@octokit/types": "^10.0.0",
+        "deprecation": "^2.0.0",
+        "once": "^1.4.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/@octokit/plugin-retry/node_modules/@octokit/types": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-10.0.0.tgz",
+      "integrity": "sha512-Vm8IddVmhCgU1fxC1eyinpwqzXPEYu0NrYzD3YZjlGjyftdLBTeqNblRC0jmJmgxbJIsQlyogVeGnrNaaMVzIg==",
+      "dependencies": {
+        "@octokit/openapi-types": "^18.0.0"
       }
     },
     "node_modules/@octokit/plugin-throttling": {
@@ -17396,6 +17423,22 @@
         "node": ">=18"
       }
     },
+    "node_modules/probot/node_modules/@octokit/plugin-retry": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-retry/-/plugin-retry-6.0.1.tgz",
+      "integrity": "sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==",
+      "dependencies": {
+        "@octokit/request-error": "^5.0.0",
+        "@octokit/types": "^12.0.0",
+        "bottleneck": "^2.15.3"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "@octokit/core": ">=5"
+      }
+    },
     "node_modules/probot/node_modules/commander": {
       "version": "11.1.0",
       "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz",

backend/package.json

@@ -121,6 +121,7 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@node-saml/passport-saml": "^4.0.4",
+    "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@peculiar/asn1-schema": "^2.3.8",

backend/src/@types/fastify.d.ts

@@ -18,6 +18,7 @@ import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-ser
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
+import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
 import { TSamlConfigServiceFactory } from "@app/ee/services/saml-config/saml-config-service";
 import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -89,6 +90,7 @@ declare module "fastify" {
       id: string;
       orgId: string;
     };
+    rateLimits: RateLimitConfiguration;
     // passport data
     passportUser: {
       isUserCompleted: string;

backend/src/db/migrations/20240802181855_ca-cert-version.ts

@@ -1,117 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    const hasActiveCaCertIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId");
-    if (!hasActiveCaCertIdColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-        t.uuid("activeCaCertId").nullable();
-        t.foreign("activeCaCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-      });
-
-      await knex.raw(`
-        UPDATE "${TableName.CertificateAuthority}" ca
-        SET "activeCaCertId" = cac.id
-        FROM "${TableName.CertificateAuthorityCert}" cac
-        WHERE ca.id = cac."caId"
-      `);
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
-    const hasVersionColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version");
-    if (!hasVersionColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.integer("version").nullable();
-        t.dropUnique(["caId"]);
-      });
-
-      await knex(TableName.CertificateAuthorityCert).update({ version: 1 }).whereNull("version");
-
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.integer("version").notNullable().alter();
-      });
-    }
-
-    const hasCaSecretIdColumn = await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId");
-    if (!hasCaSecretIdColumn) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.uuid("caSecretId").nullable();
-        t.foreign("caSecretId").references("id").inTable(TableName.CertificateAuthoritySecret).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-        UPDATE "${TableName.CertificateAuthorityCert}" cert
-        SET "caSecretId" = (
-          SELECT sec.id
-          FROM "${TableName.CertificateAuthoritySecret}" sec
-          WHERE sec."caId" = cert."caId"
-        )
-      `);
-
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.uuid("caSecretId").notNullable().alter();
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthoritySecret)) {
-    await knex.schema.alterTable(TableName.CertificateAuthoritySecret, (t) => {
-      t.dropUnique(["caId"]);
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").nullable();
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-    });
-
-    await knex.raw(`
-        UPDATE "${TableName.Certificate}" cert
-        SET "caCertId" = (
-          SELECT caCert.id
-          FROM "${TableName.CertificateAuthorityCert}" caCert
-          WHERE caCert."caId" = cert."caId"
-        )
-      `);
-
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.CertificateAuthority)) {
-    if (await knex.schema.hasColumn(TableName.CertificateAuthority, "activeCaCertId")) {
-      await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-        t.dropColumn("activeCaCertId");
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.CertificateAuthorityCert)) {
-    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "version")) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.dropColumn("version");
-      });
-    }
-
-    if (await knex.schema.hasColumn(TableName.CertificateAuthorityCert, "caSecretId")) {
-      await knex.schema.alterTable(TableName.CertificateAuthorityCert, (t) => {
-        t.dropColumn("caSecretId");
-      });
-    }
-  }
-
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "caCertId")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropColumn("caCertId");
-      });
-    }
-  }
-}

backend/src/db/migrations/20240806113425_remove-creation-limit-rate-limit.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
+  await knex.schema.alterTable(TableName.RateLimit, (t) => {
+    if (hasCreationLimitCol) {
+      t.dropColumn("creationLimit");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCreationLimitCol = await knex.schema.hasColumn(TableName.RateLimit, "creationLimit");
+  await knex.schema.alterTable(TableName.RateLimit, (t) => {
+    if (!hasCreationLimitCol) {
+      t.integer("creationLimit").defaultTo(30).notNullable();
+    }
+  });
+}

backend/src/db/schemas/certificate-authorities.ts

@@ -27,8 +27,7 @@ export const CertificateAuthoritiesSchema = z.object({
   maxPathLength: z.number().nullable().optional(),
   keyAlgorithm: z.string(),
   notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional()
+  notAfter: z.date().nullable().optional()
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificate-authority-certs.ts

@@ -15,9 +15,7 @@ export const CertificateAuthorityCertsSchema = z.object({
   updatedAt: z.date(),
   caId: z.string().uuid(),
   encryptedCertificate: zodBuffer,
-  encryptedCertificateChain: zodBuffer,
-  version: z.number(),
-  caSecretId: z.string().uuid()
+  encryptedCertificateChain: zodBuffer
 });
 
 export type TCertificateAuthorityCerts = z.infer<typeof CertificateAuthorityCertsSchema>;

backend/src/db/schemas/certificates.ts

@@ -20,8 +20,7 @@ export const CertificatesSchema = z.object({
   notAfter: z.date(),
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
-  altNames: z.string().default("").nullable().optional(),
-  caCertId: z.string().uuid()
+  altNames: z.string().default("").nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/rate-limit.ts

@@ -15,7 +15,6 @@ export const RateLimitSchema = z.object({
   authRateLimit: z.number().default(60),
   inviteUserRateLimit: z.number().default(30),
   mfaRateLimit: z.number().default(20),
-  creationLimit: z.number().default(30),
   publicEndpointLimit: z.number().default(30),
   createdAt: z.date(),
   updatedAt: z.date()

backend/src/ee/routes/v1/rate-limit-router.ts

@@ -58,7 +58,6 @@ export const registerRateLimitRouter = async (server: FastifyZodProvider) => {
         authRateLimit: z.number(),
         inviteUserRateLimit: z.number(),
         mfaRateLimit: z.number(),
-        creationLimit: z.number(),
         publicEndpointLimit: z.number()
       }),
       response: {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -130,9 +130,7 @@ export enum EventType {
   GET_CA = "get-certificate-authority",
   UPDATE_CA = "update-certificate-authority",
   DELETE_CA = "delete-certificate-authority",
-  RENEW_CA = "renew-certificate-authority",
   GET_CA_CSR = "get-certificate-authority-csr",
-  GET_CA_CERTS = "get-certificate-authority-certs",
   GET_CA_CERT = "get-certificate-authority-cert",
   SIGN_INTERMEDIATE = "sign-intermediate",
   IMPORT_CA_CERT = "import-certificate-authority-cert",
@@ -340,6 +338,7 @@ interface DeleteIntegrationEvent {
     targetServiceId?: string;
     path?: string;
     region?: string;
+    shouldDeleteIntegrationSecrets?: boolean;
   };
 }
 
@@ -1097,14 +1096,6 @@ interface DeleteCa {
   };
 }
 
-interface RenewCa {
-  type: EventType.RENEW_CA;
-  metadata: {
-    caId: string;
-    dn: string;
-  };
-}
-
 interface GetCaCsr {
   type: EventType.GET_CA_CSR;
   metadata: {
@@ -1113,14 +1104,6 @@ interface GetCaCsr {
   };
 }
 
-interface GetCaCerts {
-  type: EventType.GET_CA_CERTS;
-  metadata: {
-    caId: string;
-    dn: string;
-  };
-}
-
 interface GetCaCert {
   type: EventType.GET_CA_CERT;
   metadata: {
@@ -1366,9 +1349,7 @@ export type Event =
   | GetCa
   | UpdateCa
   | DeleteCa
-  | RenewCa
   | GetCaCsr
-  | GetCaCerts
   | GetCaCert
   | SignIntermediate
   | ImportCaCert

backend/src/ee/services/license/licence-fns.ts

@@ -40,7 +40,12 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   secretRotation: true,
   caCrl: false,
   instanceUserManagement: false,
-  externalKms: false
+  externalKms: false,
+  rateLimits: {
+    readLimit: 60,
+    writeLimit: 200,
+    secretsLimit: 40
+  }
 });
 
 export const setupLicenceRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -58,6 +58,11 @@ export type TFeatureSet = {
   caCrl: false;
   instanceUserManagement: false;
   externalKms: false;
+  rateLimits: {
+    readLimit: number;
+    writeLimit: number;
+    secretsLimit: number;
+  };
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/rate-limit/rate-limit-service.ts

@@ -4,17 +4,16 @@ import { logger } from "@app/lib/logger";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TRateLimitDALFactory } from "./rate-limit-dal";
-import { TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
+import { RateLimitConfiguration, TRateLimit, TRateLimitUpdateDTO } from "./rate-limit-types";
 
-let rateLimitMaxConfiguration = {
+let rateLimitMaxConfiguration: RateLimitConfiguration = {
   readLimit: 60,
   publicEndpointLimit: 30,
   writeLimit: 200,
   secretsLimit: 60,
   authRateLimit: 60,
   inviteUserRateLimit: 30,
-  mfaRateLimit: 20,
-  creationLimit: 30
+  mfaRateLimit: 20
 };
 
 Object.freeze(rateLimitMaxConfiguration);
@@ -67,8 +66,7 @@ export const rateLimitServiceFactory = ({ rateLimitDAL, licenseService }: TRateL
           secretsLimit: rateLimit.secretsRateLimit,
           authRateLimit: rateLimit.authRateLimit,
           inviteUserRateLimit: rateLimit.inviteUserRateLimit,
-          mfaRateLimit: rateLimit.mfaRateLimit,
-          creationLimit: rateLimit.creationLimit
+          mfaRateLimit: rateLimit.mfaRateLimit
         };
 
         logger.info(`syncRateLimitConfiguration: rate limit configuration: %o`, newRateLimitMaxConfiguration);

backend/src/ee/services/rate-limit/rate-limit-types.ts

@@ -5,7 +5,6 @@ export type TRateLimitUpdateDTO = {
   authRateLimit: number;
   inviteUserRateLimit: number;
   mfaRateLimit: number;
-  creationLimit: number;
   publicEndpointLimit: number;
 };
 
@@ -14,3 +13,13 @@ export type TRateLimit = {
   createdAt: Date;
   updatedAt: Date;
 } & TRateLimitUpdateDTO;
+
+export type RateLimitConfiguration = {
+  readLimit: number;
+  publicEndpointLimit: number;
+  writeLimit: number;
+  secretsLimit: number;
+  authRateLimit: number;
+  inviteUserRateLimit: number;
+  mfaRateLimit: number;
+};

backend/src/lib/api-docs/constants.ts

@@ -1048,27 +1048,12 @@ export const CERTIFICATE_AUTHORITIES = {
     caId: "The ID of the CA to generate CSR from",
     csr: "The generated CSR from the CA"
   },
-  RENEW_CA_CERT: {
-    caId: "The ID of the CA to renew the CA certificate for",
-    type: "The type of behavior to use for the renewal operation. Currently Infisical is only able to renew a CA certificate with the same key pair.",
-    notAfter: "The expiry date and time for the renewed CA certificate in YYYY-MM-DDTHH:mm:ss.sssZ format",
-    certificate: "The renewed CA certificate body",
-    certificateChain: "The certificate chain of the CA",
-    serialNumber: "The serial number of the renewed CA certificate"
-  },
   GET_CERT: {
     caId: "The ID of the CA to get the certificate body and certificate chain from",
     certificate: "The certificate body of the CA",
     certificateChain: "The certificate chain of the CA",
     serialNumber: "The serial number of the CA certificate"
   },
-  GET_CA_CERTS: {
-    caId: "The ID of the CA to get the CA certificates for",
-    certificate: "The certificate body of the CA certificate",
-    certificateChain: "The certificate chain of the CA certificate",
-    serialNumber: "The serial number of the CA certificate",
-    version: "The version of the CA certificate. The version is incremented for each CA renewal operation."
-  },
   SIGN_INTERMEDIATE: {
     caId: "The ID of the CA to sign the intermediate certificate with",
     csr: "The pem-encoded CSR to sign with the CA",

backend/src/server/config/rateLimiter.ts

@@ -1,7 +1,6 @@
 import type { RateLimitOptions, RateLimitPluginOptions } from "@fastify/rate-limit";
 import { Redis } from "ioredis";
 
-import { getRateLimiterConfig } from "@app/ee/services/rate-limit/rate-limit-service";
 import { getConfig } from "@app/lib/config/env";
 
 export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
@@ -22,14 +21,16 @@ export const globalRateLimiterCfg = (): RateLimitPluginOptions => {
 // GET endpoints
 export const readLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().readLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.readLimit,
   keyGenerator: (req) => req.realIp
 };
 
 // POST, PATCH, PUT, DELETE endpoints
 export const writeLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().writeLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.writeLimit,
   keyGenerator: (req) => req.realIp
 };
 
@@ -37,42 +38,40 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().secretsLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.secretsLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const authRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().authRateLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.authRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const inviteUserRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().inviteUserRateLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.inviteUserRateLimit,
   keyGenerator: (req) => req.realIp
 };
 
 export const mfaRateLimit: RateLimitOptions = {
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().mfaRateLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.mfaRateLimit,
   keyGenerator: (req) => {
     return req.headers.authorization?.split(" ")[1] || req.realIp;
   }
 };
 
-export const creationLimit: RateLimitOptions = {
-  // identity, project, org
-  timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().creationLimit,
-  keyGenerator: (req) => req.realIp
-};
-
 // Public endpoints to avoid brute force attacks
 export const publicEndpointLimit: RateLimitOptions = {
   // Read Shared Secrets
   timeWindow: 60 * 1000,
-  max: () => getRateLimiterConfig().publicEndpointLimit,
+  hook: "preValidation",
+  max: (req) => req.rateLimits.publicEndpointLimit,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/inject-rate-limits.ts

@@ -0,0 +1,38 @@
+import fp from "fastify-plugin";
+
+import { getRateLimiterConfig } from "@app/ee/services/rate-limit/rate-limit-service";
+import { getConfig } from "@app/lib/config/env";
+
+export const injectRateLimits = fp(async (server) => {
+  server.decorateRequest("rateLimits", null);
+  server.addHook("onRequest", async (req) => {
+    const appCfg = getConfig();
+
+    const instanceRateLimiterConfig = getRateLimiterConfig();
+    if (!req.auth?.orgId) {
+      // for public endpoints, we always use the instance-wide default rate limits
+      req.rateLimits = instanceRateLimiterConfig;
+      return;
+    }
+
+    const { rateLimits, customRateLimits } = await server.services.license.getPlan(req.auth.orgId);
+
+    if (customRateLimits && !appCfg.isCloud) {
+      // we do this because for self-hosted/dedicated instances, we want custom rate limits to be based on admin configuration
+      // note that the syncing of custom rate limit happens on the instanceRateLimiterConfig object
+      req.rateLimits = instanceRateLimiterConfig;
+      return;
+    }
+
+    // we're using the null coalescing operator in order to handle outdated licenses
+    req.rateLimits = {
+      readLimit: rateLimits?.readLimit ?? instanceRateLimiterConfig.readLimit,
+      writeLimit: rateLimits?.writeLimit ?? instanceRateLimiterConfig.writeLimit,
+      secretsLimit: rateLimits?.secretsLimit ?? instanceRateLimiterConfig.secretsLimit,
+      publicEndpointLimit: instanceRateLimiterConfig.publicEndpointLimit,
+      authRateLimit: instanceRateLimiterConfig.authRateLimit,
+      inviteUserRateLimit: instanceRateLimiterConfig.inviteUserRateLimit,
+      mfaRateLimit: instanceRateLimiterConfig.mfaRateLimit
+    };
+  });
+});

backend/src/server/routes/index.ts

@@ -184,6 +184,7 @@ import { webhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { injectAuditLogInfo } from "../plugins/audit-log";
 import { injectIdentity } from "../plugins/auth/inject-identity";
 import { injectPermission } from "../plugins/auth/inject-permission";
+import { injectRateLimits } from "../plugins/inject-rate-limits";
 import { registerSecretScannerGhApp } from "../plugins/secret-scanner";
 import { registerV1Routes } from "./v1";
 import { registerV2Routes } from "./v2";
@@ -896,8 +897,15 @@ export const registerRoutes = async (
     folderDAL,
     integrationDAL,
     integrationAuthDAL,
-    secretQueueService
+    secretQueueService,
+    integrationAuthService,
+    projectBotService,
+    secretV2BridgeDAL,
+    secretImportDAL,
+    secretDAL,
+    kmsService
   });
+
   const serviceTokenService = serviceTokenServiceFactory({
     projectEnvDAL,
     serviceTokenDAL,
@@ -1142,6 +1150,7 @@ export const registerRoutes = async (
 
   await server.register(injectIdentity, { userDAL, serviceTokenDAL });
   await server.register(injectPermission);
+  await server.register(injectRateLimits);
   await server.register(injectAuditLogInfo);
 
   server.route({

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -8,7 +8,7 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
-import { CaRenewalType, CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
+import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
 import {
   validateAltNamesField,
   validateCaDateField
@@ -275,118 +275,15 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/:caId/renew",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Perform CA certificate renewal",
-      params: z.object({
-        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.caId)
-      }),
-      body: z.object({
-        type: z.nativeEnum(CaRenewalType).describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.type),
-        notAfter: validateCaDateField.describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.notAfter)
-      }),
-      response: {
-        200: z.object({
-          certificate: z.string().trim().describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.certificate),
-          certificateChain: z.string().trim().describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.certificateChain),
-          serialNumber: z.string().trim().describe(CERTIFICATE_AUTHORITIES.RENEW_CA_CERT.serialNumber)
-        })
-      }
-    },
-    handler: async (req) => {
-      const { certificate, certificateChain, serialNumber, ca } =
-        await server.services.certificateAuthority.renewCaCert({
-          caId: req.params.caId,
-          actor: req.permission.type,
-          actorId: req.permission.id,
-          actorAuthMethod: req.permission.authMethod,
-          actorOrgId: req.permission.orgId,
-          ...req.body
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.RENEW_CA,
-          metadata: {
-            caId: ca.id,
-            dn: ca.dn
-          }
-        }
-      });
-
-      return {
-        certificate,
-        certificateChain,
-        serialNumber
-      };
-    }
-  });
-
   server.route({
     method: "GET",
-    url: "/:caId/ca-certificates",
+    url: "/:caId/certificate",
     config: {
       rateLimit: readLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Get list of past and current CA certificates for a CA",
-      params: z.object({
-        caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.caId)
-      }),
-      response: {
-        200: z.array(
-          z.object({
-            certificate: z.string().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.certificate),
-            certificateChain: z.string().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.certificateChain),
-            serialNumber: z.string().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.serialNumber),
-            version: z.number().describe(CERTIFICATE_AUTHORITIES.GET_CA_CERTS.version)
-          })
-        )
-      }
-    },
-    handler: async (req) => {
-      const { caCerts, ca } = await server.services.certificateAuthority.getCaCerts({
-        caId: req.params.caId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: ca.projectId,
-        event: {
-          type: EventType.GET_CA_CERTS,
-          metadata: {
-            caId: ca.id,
-            dn: ca.dn
-          }
-        }
-      });
-
-      return caCerts;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:caId/certificate", // TODO: consider updating endpoint structure considering CA certificates
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Get current CA cert and cert chain of a CA",
+      description: "Get cert and cert chain of a CA",
       params: z.object({
         caId: z.string().trim().describe(CERTIFICATE_AUTHORITIES.GET_CERT.caId)
       }),

backend/src/server/routes/v1/identity-router.ts

@@ -3,7 +3,7 @@ import { z } from "zod";
 import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -16,7 +16,7 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/",
     config: {
-      rateLimit: creationLimit
+      rateLimit: writeLimit
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {

backend/src/server/routes/v1/integration-router.ts

@@ -170,6 +170,12 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         integrationId: z.string().trim().describe(INTEGRATION.DELETE.integrationId)
       }),
+      querystring: z.object({
+        shouldDeleteIntegrationSecrets: z
+          .enum(["true", "false"])
+          .optional()
+          .transform((val) => val === "true")
+      }),
       response: {
         200: z.object({
           integration: IntegrationsSchema
@@ -183,7 +189,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
-        id: req.params.integrationId
+        id: req.params.integrationId,
+        shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
       });
 
       await server.services.auditLog.createAuditLog({
@@ -205,7 +212,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             targetService: integration.targetService,
             targetServiceId: integration.targetServiceId,
             path: integration.path,
-            region: integration.region
+            region: integration.region,
+            shouldDeleteIntegrationSecrets: req.query.shouldDeleteIntegrationSecrets
             // eslint-disable-next-line
           }) as any
         }

backend/src/server/routes/v2/organization-router.ts

@@ -9,7 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
-import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 
@@ -307,7 +307,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/",
     config: {
-      rateLimit: creationLimit
+      rateLimit: writeLimit
     },
     schema: {
       body: z.object({

backend/src/server/routes/v2/project-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { CertificateAuthoritiesSchema, CertificatesSchema, ProjectKeysSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { PROJECTS } from "@app/lib/api-docs";
-import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -142,7 +142,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
     method: "POST",
     url: "/",
     config: {
-      rateLimit: creationLimit
+      rateLimit: writeLimit
     },
     schema: {
       description: "Create a new project",

backend/src/services/certificate-authority/certificate-authority-fns.ts

@@ -5,13 +5,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
 
 import { CertKeyAlgorithm, CertStatus } from "../certificate/certificate-types";
-import {
-  TDNParts,
-  TGetCaCertChainDTO,
-  TGetCaCertChainsDTO,
-  TGetCaCredentialsDTO,
-  TRebuildCaCrlDTO
-} from "./certificate-authority-types";
+import { TDNParts, TGetCaCertChainDTO, TGetCaCredentialsDTO, TRebuildCaCrlDTO } from "./certificate-authority-types";
 
 export const createDistinguishedName = (parts: TDNParts) => {
   const dnParts = [];
@@ -95,8 +89,6 @@ export const keyAlgorithmToAlgCfg = (keyAlgorithm: CertKeyAlgorithm) => {
  * Return the public and private key of CA with id [caId]
  * Note: credentials are returned as crypto.webcrypto.CryptoKey
  * suitable for use with @peculiar/x509 module
- *
- * TODO: Update to get latest CA Secret once support for CA renewal with new key pair is added
  */
 export const getCaCredentials = async ({
   caId,
@@ -140,73 +132,26 @@ export const getCaCredentials = async ({
   ]);
 
   return {
-    caSecret,
     caPrivateKey,
     caPublicKey
   };
 };
 
 /**
- * Return the list of decrypted pem-encoded certificates and certificate chains
+ * Return the decrypted pem-encoded certificate and certificate chain
  * for CA with id [caId].
  */
-export const getCaCertChains = async ({
+export const getCaCertChain = async ({
   caId,
   certificateAuthorityDAL,
   certificateAuthorityCertDAL,
   projectDAL,
   kmsService
-}: TGetCaCertChainsDTO) => {
+}: TGetCaCertChainDTO) => {
   const ca = await certificateAuthorityDAL.findById(caId);
   if (!ca) throw new BadRequestError({ message: "CA not found" });
 
-  const keyId = await getProjectKmsCertificateKeyId({
-    projectId: ca.projectId,
-    projectDAL,
-    kmsService
-  });
-
-  const kmsDecryptor = await kmsService.decryptWithKmsKey({
-    kmsId: keyId
-  });
-
-  const caCerts = await certificateAuthorityCertDAL.find({ caId: ca.id }, { sort: [["version", "asc"]] });
-
-  const decryptedChains = await Promise.all(
-    caCerts.map(async (caCert) => {
-      const decryptedCaCert = await kmsDecryptor({
-        cipherTextBlob: caCert.encryptedCertificate
-      });
-      const caCertObj = new x509.X509Certificate(decryptedCaCert);
-      const decryptedChain = await kmsDecryptor({
-        cipherTextBlob: caCert.encryptedCertificateChain
-      });
-      return {
-        certificate: caCertObj.toString("pem"),
-        certificateChain: decryptedChain.toString("utf-8"),
-        serialNumber: caCertObj.serialNumber,
-        version: caCert.version
-      };
-    })
-  );
-
-  return decryptedChains;
-};
-
-/**
- * Return the decrypted pem-encoded certificate and certificate chain
- * corresponding to CA certificate with id [caCertId].
- */
-export const getCaCertChain = async ({
-  caCertId,
-  certificateAuthorityDAL,
-  certificateAuthorityCertDAL,
-  projectDAL,
-  kmsService
-}: TGetCaCertChainDTO) => {
-  const caCert = await certificateAuthorityCertDAL.findById(caCertId);
-  if (!caCert) throw new BadRequestError({ message: "CA certificate not found" });
-  const ca = await certificateAuthorityDAL.findById(caCert.caId);
+  const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
 
   const keyId = await getProjectKmsCertificateKeyId({
     projectId: ca.projectId,

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -20,8 +20,7 @@ import { TCertificateAuthorityCertDALFactory } from "./certificate-authority-cer
 import { TCertificateAuthorityDALFactory } from "./certificate-authority-dal";
 import {
   createDistinguishedName,
-  getCaCertChain, // TODO: consider rename
-  getCaCertChains,
+  getCaCertChain,
   getCaCredentials,
   keyAlgorithmToAlgCfg,
   parseDistinguishedName
@@ -34,12 +33,10 @@ import {
   TCreateCaDTO,
   TDeleteCaDTO,
   TGetCaCertDTO,
-  TGetCaCertsDTO,
   TGetCaCsrDTO,
   TGetCaDTO,
   TImportCertToCaDTO,
   TIssueCertFromCaDTO,
-  TRenewCaCertDTO,
   TSignCertFromCaDTO,
   TSignIntermediateDTO,
   TUpdateCaDTO
@@ -51,10 +48,7 @@ type TCertificateAuthorityServiceFactoryDep = {
     TCertificateAuthorityDALFactory,
     "transaction" | "create" | "findById" | "updateById" | "deleteById" | "findOne"
   >;
-  certificateAuthorityCertDAL: Pick<
-    TCertificateAuthorityCertDALFactory,
-    "create" | "findOne" | "transaction" | "find" | "findById"
-  >;
+  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "create" | "findOne" | "transaction">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "create" | "findOne">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "create" | "findOne" | "update">;
   certificateAuthorityQueue: TCertificateAuthorityQueueFactory; // TODO: Pick
@@ -171,24 +165,6 @@ export const certificateAuthorityServiceFactory = ({
         kmsId: certificateManagerKmsId
       });
 
-      // https://nodejs.org/api/crypto.html#static-method-keyobjectfromkey
-      const skObj = KeyObject.from(keys.privateKey);
-
-      const { cipherTextBlob: encryptedPrivateKey } = await kmsEncryptor({
-        plainText: skObj.export({
-          type: "pkcs8",
-          format: "der"
-        })
-      });
-
-      const caSecret = await certificateAuthoritySecretDAL.create(
-        {
-          caId: ca.id,
-          encryptedPrivateKey
-        },
-        tx
-      );
-
       if (type === CaType.ROOT) {
         // note: create self-signed cert only applicable for root CA
         const cert = await x509.X509CertificateGenerator.createSelfSigned({
@@ -215,21 +191,11 @@ export const certificateAuthorityServiceFactory = ({
           plainText: Buffer.alloc(0)
         });
 
-        const caCert = await certificateAuthorityCertDAL.create(
+        await certificateAuthorityCertDAL.create(
           {
             caId: ca.id,
             encryptedCertificate,
-            encryptedCertificateChain,
-            version: 1,
-            caSecretId: caSecret.id
-          },
-          tx
-        );
-
-        await certificateAuthorityDAL.updateById(
-          ca.id,
-          {
-            activeCaCertId: caCert.id
+            encryptedCertificateChain
           },
           tx
         );
@@ -257,6 +223,24 @@ export const certificateAuthorityServiceFactory = ({
         tx
       );
 
+      // https://nodejs.org/api/crypto.html#static-method-keyobjectfromkey
+      const skObj = KeyObject.from(keys.privateKey);
+
+      const { cipherTextBlob: encryptedPrivateKey } = await kmsEncryptor({
+        plainText: skObj.export({
+          type: "pkcs8",
+          format: "der"
+        })
+      });
+
+      await certificateAuthoritySecretDAL.create(
+        {
+          caId: ca.id,
+          encryptedPrivateKey
+        },
+        tx
+      );
+
       return ca;
     });
 
@@ -357,7 +341,9 @@ export const certificateAuthorityServiceFactory = ({
     );
 
     if (ca.type === CaType.ROOT) throw new BadRequestError({ message: "Root CA cannot generate CSR" });
-    if (ca.activeCaCertId) throw new BadRequestError({ message: "CA already has a certificate installed" });
+
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
+    if (caCert) throw new BadRequestError({ message: "CA already has a certificate installed" });
 
     const { caPrivateKey, caPublicKey } = await getCaCredentials({
       caId,
@@ -395,320 +381,11 @@ export const certificateAuthorityServiceFactory = ({
   };
 
   /**
-   * Renew certificate for CA with id [caId]
-   * Note: Currently implements CA renewal with same key-pair only
-   */
-  const renewCaCert = async ({ caId, notAfter, actorId, actorAuthMethod, actor, actorOrgId }: TRenewCaCertDTO) => {
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
-
-    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      ca.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      ProjectPermissionSub.CertificateAuthorities
-    );
-
-    if (ca.status === CaStatus.DISABLED) throw new BadRequestError({ message: "CA is disabled" });
-
-    // get latest CA certificate
-    const caCert = await certificateAuthorityCertDAL.findById(ca.activeCaCertId);
-
-    const serialNumber = crypto.randomBytes(32).toString("hex");
-
-    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-      projectId: ca.projectId,
-      projectDAL,
-      kmsService
-    });
-
-    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-
-    const { caPrivateKey, caPublicKey, caSecret } = await getCaCredentials({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const alg = keyAlgorithmToAlgCfg(ca.keyAlgorithm as CertKeyAlgorithm);
-
-    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: certificateManagerKmsId
-    });
-    const decryptedCaCert = await kmsDecryptor({
-      cipherTextBlob: caCert.encryptedCertificate
-    });
-
-    const caCertObj = new x509.X509Certificate(decryptedCaCert);
-
-    let certificate = "";
-    let certificateChain = "";
-
-    switch (ca.type) {
-      case CaType.ROOT: {
-        if (new Date(notAfter) <= new Date(caCertObj.notAfter)) {
-          throw new BadRequestError({
-            message:
-              "New Root CA certificate must have notAfter date that is greater than the current certificate notAfter date"
-          });
-        }
-
-        const notBeforeDate = new Date();
-        const cert = await x509.X509CertificateGenerator.createSelfSigned({
-          name: ca.dn,
-          serialNumber,
-          notBefore: notBeforeDate,
-          notAfter: new Date(notAfter),
-          signingAlgorithm: alg,
-          keys: {
-            privateKey: caPrivateKey,
-            publicKey: caPublicKey
-          },
-          extensions: [
-            new x509.BasicConstraintsExtension(
-              true,
-              ca.maxPathLength === -1 || !ca.maxPathLength ? undefined : ca.maxPathLength,
-              true
-            ),
-            new x509.ExtendedKeyUsageExtension(["1.2.3.4.5.6.7", "2.3.4.5.6.7.8"], true),
-            // eslint-disable-next-line no-bitwise
-            new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
-            await x509.SubjectKeyIdentifierExtension.create(caPublicKey)
-          ]
-        });
-
-        const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
-          plainText: Buffer.from(new Uint8Array(cert.rawData))
-        });
-
-        const { cipherTextBlob: encryptedCertificateChain } = await kmsEncryptor({
-          plainText: Buffer.alloc(0)
-        });
-
-        await certificateAuthorityDAL.transaction(async (tx) => {
-          const newCaCert = await certificateAuthorityCertDAL.create(
-            {
-              caId: ca.id,
-              encryptedCertificate,
-              encryptedCertificateChain,
-              version: caCert.version + 1,
-              caSecretId: caSecret.id
-            },
-            tx
-          );
-
-          await certificateAuthorityDAL.updateById(
-            ca.id,
-            {
-              activeCaCertId: newCaCert.id,
-              notBefore: notBeforeDate,
-              notAfter: new Date(notAfter)
-            },
-            tx
-          );
-        });
-
-        certificate = cert.toString("pem");
-        break;
-      }
-      case CaType.INTERMEDIATE: {
-        if (!ca.parentCaId) {
-          // TODO: look into optimal way to support renewal of intermediate CA with external parent CA
-          throw new BadRequestError({
-            message: "Failed to renew intermediate CA certificate with external parent CA"
-          });
-        }
-
-        const parentCa = await certificateAuthorityDAL.findById(ca.parentCaId);
-        const { caPrivateKey: parentCaPrivateKey } = await getCaCredentials({
-          caId: parentCa.id,
-          certificateAuthorityDAL,
-          certificateAuthoritySecretDAL,
-          projectDAL,
-          kmsService
-        });
-
-        // get latest parent CA certificate
-        if (!parentCa.activeCaCertId)
-          throw new BadRequestError({ message: "Parent CA does not have a certificate installed" });
-        const parentCaCert = await certificateAuthorityCertDAL.findById(parentCa.activeCaCertId);
-
-        const decryptedParentCaCert = await kmsDecryptor({
-          cipherTextBlob: parentCaCert.encryptedCertificate
-        });
-
-        const parentCaCertObj = new x509.X509Certificate(decryptedParentCaCert);
-
-        if (new Date(notAfter) <= new Date(caCertObj.notAfter)) {
-          throw new BadRequestError({
-            message:
-              "New Intermediate CA certificate must have notAfter date that is greater than the current certificate notAfter date"
-          });
-        }
-
-        if (new Date(notAfter) > new Date(parentCaCertObj.notAfter)) {
-          throw new BadRequestError({
-            message:
-              "New Intermediate CA certificate must have notAfter date that is equal to or smaller than the notAfter date of the parent CA certificate current certificate notAfter date"
-          });
-        }
-
-        const csrObj = await x509.Pkcs10CertificateRequestGenerator.create({
-          name: ca.dn,
-          keys: {
-            privateKey: caPrivateKey,
-            publicKey: caPublicKey
-          },
-          signingAlgorithm: alg,
-          extensions: [
-            // eslint-disable-next-line no-bitwise
-            new x509.KeyUsagesExtension(
-              x509.KeyUsageFlags.keyCertSign |
-                x509.KeyUsageFlags.cRLSign |
-                x509.KeyUsageFlags.digitalSignature |
-                x509.KeyUsageFlags.keyEncipherment
-            )
-          ],
-          attributes: [new x509.ChallengePasswordAttribute("password")]
-        });
-
-        const notBeforeDate = new Date();
-        const intermediateCert = await x509.X509CertificateGenerator.create({
-          serialNumber,
-          subject: csrObj.subject,
-          issuer: parentCaCertObj.subject,
-          notBefore: notBeforeDate,
-          notAfter: new Date(notAfter),
-          signingKey: parentCaPrivateKey,
-          publicKey: csrObj.publicKey,
-          signingAlgorithm: alg,
-          extensions: [
-            new x509.KeyUsagesExtension(
-              x509.KeyUsageFlags.keyCertSign |
-                x509.KeyUsageFlags.cRLSign |
-                x509.KeyUsageFlags.digitalSignature |
-                x509.KeyUsageFlags.keyEncipherment,
-              true
-            ),
-            new x509.BasicConstraintsExtension(
-              true,
-              ca.maxPathLength === -1 || !ca.maxPathLength ? undefined : ca.maxPathLength,
-              true
-            ),
-            await x509.AuthorityKeyIdentifierExtension.create(parentCaCertObj, false),
-            await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
-          ]
-        });
-
-        const { cipherTextBlob: encryptedCertificate } = await kmsEncryptor({
-          plainText: Buffer.from(new Uint8Array(intermediateCert.rawData))
-        });
-
-        const { caCert: parentCaCertificate, caCertChain: parentCaCertChain } = await getCaCertChain({
-          caCertId: parentCa.activeCaCertId,
-          certificateAuthorityDAL,
-          certificateAuthorityCertDAL,
-          projectDAL,
-          kmsService
-        });
-
-        certificateChain = `${parentCaCertificate}\n${parentCaCertChain}`.trim();
-
-        const { cipherTextBlob: encryptedCertificateChain } = await kmsEncryptor({
-          plainText: Buffer.from(certificateChain)
-        });
-
-        await certificateAuthorityDAL.transaction(async (tx) => {
-          const newCaCert = await certificateAuthorityCertDAL.create(
-            {
-              caId: ca.id,
-              encryptedCertificate,
-              encryptedCertificateChain,
-              version: caCert.version + 1,
-              caSecretId: caSecret.id
-            },
-            tx
-          );
-
-          await certificateAuthorityDAL.updateById(
-            ca.id,
-            {
-              activeCaCertId: newCaCert.id,
-              notBefore: notBeforeDate,
-              notAfter: new Date(notAfter)
-            },
-            tx
-          );
-        });
-
-        certificate = intermediateCert.toString("pem");
-        break;
-      }
-      default: {
-        throw new BadRequestError({
-          message: "Unrecognized CA type"
-        });
-      }
-    }
-
-    return {
-      certificate,
-      certificateChain,
-      serialNumber,
-      ca
-    };
-  };
-
-  const getCaCerts = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCertsDTO) => {
-    const ca = await certificateAuthorityDAL.findById(caId);
-    if (!ca) throw new BadRequestError({ message: "CA not found" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      ca.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Read,
-      ProjectPermissionSub.CertificateAuthorities
-    );
-
-    const caCertChains = await getCaCertChains({
-      caId,
-      certificateAuthorityDAL,
-      certificateAuthorityCertDAL,
-      projectDAL,
-      kmsService
-    });
-
-    return {
-      ca,
-      caCerts: caCertChains
-    };
-  };
-
-  /**
-   * Return current certificate and certificate chain for CA
+   * Return certificate and certificate chain for CA
    */
   const getCaCert = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCertDTO) => {
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new BadRequestError({ message: "CA not found" });
-    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -724,7 +401,7 @@ export const certificateAuthorityServiceFactory = ({
     );
 
     const { caCert, caCertChain, serialNumber } = await getCaCertChain({
-      caCertId: ca.activeCaCertId,
+      caId,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,
@@ -770,13 +447,6 @@ export const certificateAuthorityServiceFactory = ({
     );
 
     if (ca.status === CaStatus.DISABLED) throw new BadRequestError({ message: "CA is disabled" });
-    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
-
-    const caCert = await certificateAuthorityCertDAL.findById(ca.activeCaCertId);
-
-    if (ca.notAfter && new Date() > new Date(ca.notAfter)) {
-      throw new BadRequestError({ message: "CA is expired" });
-    }
 
     const alg = keyAlgorithmToAlgCfg(ca.keyAlgorithm as CertKeyAlgorithm);
 
@@ -789,6 +459,7 @@ export const certificateAuthorityServiceFactory = ({
       kmsId: certificateManagerKmsId
     });
 
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
     const decryptedCaCert = await kmsDecryptor({
       cipherTextBlob: caCert.encryptedCertificate
     });
@@ -860,7 +531,7 @@ export const certificateAuthorityServiceFactory = ({
     });
 
     const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: ca.activeCaCertId,
+      caId,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,
@@ -906,7 +577,8 @@ export const certificateAuthorityServiceFactory = ({
       ProjectPermissionSub.CertificateAuthorities
     );
 
-    if (ca.activeCaCertId) throw new BadRequestError({ message: "CA has already imported a certificate" });
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
+    if (caCert) throw new BadRequestError({ message: "CA has already imported a certificate" });
 
     const certObj = new x509.X509Certificate(certificate);
     const maxPathLength = certObj.getExtension(x509.BasicConstraintsExtension)?.pathLength;
@@ -953,32 +625,12 @@ export const certificateAuthorityServiceFactory = ({
       plainText: Buffer.from(certificateChain)
     });
 
-    // TODO: validate that latest key-pair of CA is used to sign the certificate
-    // once renewal with new key pair is supported
-    const { caSecret, caPublicKey } = await getCaCredentials({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      kmsService
-    });
-
-    const isCaAndCertPublicKeySame = Buffer.from(await crypto.subtle.exportKey("spki", caPublicKey)).equals(
-      Buffer.from(certObj.publicKey.rawData)
-    );
-
-    if (!isCaAndCertPublicKeySame) {
-      throw new BadRequestError({ message: "CA and certificate public key do not match" });
-    }
-
     await certificateAuthorityCertDAL.transaction(async (tx) => {
-      const newCaCert = await certificateAuthorityCertDAL.create(
+      await certificateAuthorityCertDAL.create(
         {
           caId: ca.id,
           encryptedCertificate,
-          encryptedCertificateChain,
-          version: 1,
-          caSecretId: caSecret.id
+          encryptedCertificateChain
         },
         tx
       );
@@ -991,8 +643,7 @@ export const certificateAuthorityServiceFactory = ({
           notBefore: new Date(certObj.notBefore),
           notAfter: new Date(certObj.notAfter),
           serialNumber: certObj.serialNumber,
-          parentCaId: parentCa?.id,
-          activeCaCertId: newCaCert.id
+          parentCaId: parentCa?.id
         },
         tx
       );
@@ -1032,12 +683,9 @@ export const certificateAuthorityServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
 
     if (ca.status === CaStatus.DISABLED) throw new BadRequestError({ message: "CA is disabled" });
-    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
-    const caCert = await certificateAuthorityCertDAL.findById(ca.activeCaCertId);
 
-    if (ca.notAfter && new Date() > new Date(ca.notAfter)) {
-      throw new BadRequestError({ message: "CA is expired" });
-    }
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
+    if (!caCert) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
     const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -1166,7 +814,6 @@ export const certificateAuthorityServiceFactory = ({
       const cert = await certificateDAL.create(
         {
           caId: ca.id,
-          caCertId: caCert.id,
           status: CertStatus.ACTIVE,
           friendlyName: friendlyName || commonName,
           commonName,
@@ -1190,7 +837,7 @@ export const certificateAuthorityServiceFactory = ({
     });
 
     const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: caCert.id,
+      caId: ca.id,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,
@@ -1239,13 +886,9 @@ export const certificateAuthorityServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
 
     if (ca.status === CaStatus.DISABLED) throw new BadRequestError({ message: "CA is disabled" });
-    if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
-    const caCert = await certificateAuthorityCertDAL.findById(ca.activeCaCertId);
-
-    if (ca.notAfter && new Date() > new Date(ca.notAfter)) {
-      throw new BadRequestError({ message: "CA is expired" });
-    }
+    const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
+    if (!caCert) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
     const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -1370,7 +1013,6 @@ export const certificateAuthorityServiceFactory = ({
       const cert = await certificateDAL.create(
         {
           caId: ca.id,
-          caCertId: caCert.id,
           status: CertStatus.ACTIVE,
           friendlyName: friendlyName || csrObj.subject,
           commonName: cn,
@@ -1394,7 +1036,7 @@ export const certificateAuthorityServiceFactory = ({
     });
 
     const { caCert: issuingCaCertificate, caCertChain } = await getCaCertChain({
-      caCertId: ca.activeCaCertId,
+      caId: ca.id,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,
@@ -1416,8 +1058,6 @@ export const certificateAuthorityServiceFactory = ({
     updateCaById,
     deleteCaById,
     getCaCsr,
-    renewCaCert,
-    getCaCerts,
     getCaCert,
     signIntermediate,
     importCertToCa,

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -20,10 +20,6 @@ export enum CaStatus {
   PENDING_CERTIFICATE = "pending-certificate"
 }
 
-export enum CaRenewalType {
-  EXISTING = "existing"
-}
-
 export type TCreateCaDTO = {
   projectSlug: string;
   type: CaType;
@@ -57,16 +53,6 @@ export type TGetCaCsrDTO = {
   caId: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TRenewCaCertDTO = {
-  caId: string;
-  notAfter: string;
-  type: CaRenewalType;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetCaCertsDTO = {
-  caId: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TGetCaCertDTO = {
   caId: string;
 } & Omit<TProjectPermission, "projectId">;
@@ -123,18 +109,10 @@ export type TGetCaCredentialsDTO = {
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
 
-export type TGetCaCertChainsDTO = {
+export type TGetCaCertChainDTO = {
   caId: string;
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
-  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "find">;
-  projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
-};
-
-export type TGetCaCertChainDTO = {
-  caCertId: string;
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
-  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findById">;
+  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };

backend/src/services/certificate/certificate-service.ts

@@ -21,7 +21,7 @@ type TCertificateServiceFactoryDep = {
   certificateDAL: Pick<TCertificateDALFactory, "findOne" | "deleteById" | "update" | "find">;
   certificateBodyDAL: Pick<TCertificateBodyDALFactory, "findOne">;
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
-  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findById">;
+  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findOne">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "update">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "findById" | "transaction">;
@@ -180,7 +180,7 @@ export const certificateServiceFactory = ({
     const certObj = new x509.X509Certificate(decryptedCert);
 
     const { caCert, caCertChain } = await getCaCertChain({
-      caCertId: cert.caCertId,
+      caId: ca.id,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,

backend/src/services/integration-auth/integration-delete-secret.ts

@@ -0,0 +1,357 @@
+import { retry } from "@octokit/plugin-retry";
+import { Octokit } from "@octokit/rest";
+
+import { TIntegrationAuths, TIntegrations } from "@app/db/schemas";
+import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+
+import { IntegrationMetadataSchema } from "../integration/integration-schema";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
+import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
+import { TSecretDALFactory } from "../secret/secret-dal";
+import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
+import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
+import { TIntegrationAuthServiceFactory } from "./integration-auth-service";
+import { Integrations } from "./integration-list";
+
+const MAX_SYNC_SECRET_DEPTH = 5;
+
+/**
+ * Return the secrets in a given [folderId] including secrets from
+ * nested imported folders recursively.
+ */
+const getIntegrationSecretsV2 = async (
+  dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    depth: number;
+    decryptor: (value: Buffer | null | undefined) => string;
+  },
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">,
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">,
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">
+) => {
+  const content: Record<string, boolean> = {};
+  if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+    logger.info(
+      `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+    );
+    return content;
+  }
+
+  // process secrets in current folder
+  const secrets = await secretV2BridgeDAL.findByFolderId(dto.folderId);
+
+  secrets.forEach((secret) => {
+    const secretKey = secret.key;
+    content[secretKey] = true;
+  });
+
+  // check if current folder has any imports from other folders
+  const secretImports = await secretImportDAL.find({ folderId: dto.folderId, isReplication: false });
+
+  // if no imports then return secrets in the current folder
+  if (!secretImports.length) return content;
+  const importedSecrets = await fnSecretsV2FromImports({
+    decryptor: dto.decryptor,
+    folderDAL,
+    secretDAL: secretV2BridgeDAL,
+    secretImportDAL,
+    allowedImports: secretImports
+  });
+
+  for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
+    for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
+      const importedSecret = importedSecrets[i].secrets[j];
+      if (!content[importedSecret.key]) {
+        content[importedSecret.key] = true;
+      }
+    }
+  }
+  return content;
+};
+
+/**
+ * Return the secrets in a given [folderId] including secrets from
+ * nested imported folders recursively.
+ */
+const getIntegrationSecretsV1 = async (
+  dto: {
+    projectId: string;
+    environment: string;
+    folderId: string;
+    key: string;
+    depth: number;
+  },
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">,
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">,
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">
+) => {
+  let content: Record<string, boolean> = {};
+  if (dto.depth > MAX_SYNC_SECRET_DEPTH) {
+    logger.info(
+      `getIntegrationSecrets: secret depth exceeded for [projectId=${dto.projectId}] [folderId=${dto.folderId}] [depth=${dto.depth}]`
+    );
+    return content;
+  }
+
+  // process secrets in current folder
+  const secrets = await secretDAL.findByFolderId(dto.folderId);
+  secrets.forEach((secret) => {
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretKeyCiphertext,
+      iv: secret.secretKeyIV,
+      tag: secret.secretKeyTag,
+      key: dto.key
+    });
+
+    content[secretKey] = true;
+  });
+
+  // check if current folder has any imports from other folders
+  const secretImport = await secretImportDAL.find({ folderId: dto.folderId, isReplication: false });
+
+  // if no imports then return secrets in the current folder
+  if (!secretImport) return content;
+
+  const importedFolders = await folderDAL.findByManySecretPath(
+    secretImport.map(({ importEnv, importPath }) => ({
+      envId: importEnv.id,
+      secretPath: importPath
+    }))
+  );
+
+  for await (const folder of importedFolders) {
+    if (folder) {
+      // get secrets contained in each imported folder by recursively calling
+      // this function against the imported folder
+      const importedSecrets = await getIntegrationSecretsV1(
+        {
+          environment: dto.environment,
+          projectId: dto.projectId,
+          folderId: folder.id,
+          key: dto.key,
+          depth: dto.depth + 1
+        },
+        secretDAL,
+        folderDAL,
+        secretImportDAL
+      );
+
+      // add the imported secrets to the current folder secrets
+      content = { ...importedSecrets, ...content };
+    }
+  }
+
+  return content;
+};
+
+export const deleteGithubSecrets = async ({
+  integration,
+  secrets,
+  accessToken
+}: {
+  integration: Omit<TIntegrations, "envId">;
+  secrets: Record<string, boolean>;
+  accessToken: string;
+}) => {
+  interface GitHubSecret {
+    name: string;
+    created_at: string;
+    updated_at: string;
+    visibility?: "all" | "private" | "selected";
+    selected_repositories_url?: string | undefined;
+  }
+
+  const OctokitWithRetry = Octokit.plugin(retry);
+  const octokit = new OctokitWithRetry({
+    auth: accessToken
+  });
+
+  enum GithubScope {
+    Repo = "github-repo",
+    Org = "github-org",
+    Env = "github-env"
+  }
+
+  let encryptedGithubSecrets: GitHubSecret[];
+
+  switch (integration.scope) {
+    case GithubScope.Org: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /orgs/{org}/actions/secrets", {
+          org: integration.owner as string
+        })
+      ).data.secrets;
+      break;
+    }
+    case GithubScope.Env: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /repositories/{repository_id}/environments/{environment_name}/secrets", {
+          repository_id: Number(integration.appId),
+          environment_name: integration.targetEnvironmentId as string
+        })
+      ).data.secrets;
+      break;
+    }
+    default: {
+      encryptedGithubSecrets = (
+        await octokit.request("GET /repos/{owner}/{repo}/actions/secrets", {
+          owner: integration.owner as string,
+          repo: integration.app as string
+        })
+      ).data.secrets;
+      break;
+    }
+  }
+
+  for await (const encryptedSecret of encryptedGithubSecrets) {
+    if (encryptedSecret.name in secrets) {
+      switch (integration.scope) {
+        case GithubScope.Org: {
+          await octokit.request("DELETE /orgs/{org}/actions/secrets/{secret_name}", {
+            org: integration.owner as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
+        case GithubScope.Env: {
+          await octokit.request(
+            "DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}",
+            {
+              repository_id: Number(integration.appId),
+              environment_name: integration.targetEnvironmentId as string,
+              secret_name: encryptedSecret.name
+            }
+          );
+          break;
+        }
+        default: {
+          await octokit.request("DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}", {
+            owner: integration.owner as string,
+            repo: integration.app as string,
+            secret_name: encryptedSecret.name
+          });
+          break;
+        }
+      }
+
+      // small delay to prevent hitting API rate limits
+      await new Promise((resolve) => {
+        setTimeout(resolve, 50);
+      });
+    }
+  }
+};
+
+export const deleteIntegrationSecrets = async ({
+  integration,
+  integrationAuth,
+  integrationAuthService,
+  projectBotService,
+  secretV2BridgeDAL,
+  folderDAL,
+  secretDAL,
+  secretImportDAL,
+  kmsService
+}: {
+  integration: Omit<TIntegrations, "envId"> & {
+    projectId: string;
+    environment: {
+      id: string;
+      name: string;
+      slug: string;
+    };
+    secretPath: string;
+  };
+  integrationAuth: TIntegrationAuths;
+  integrationAuthService: Pick<TIntegrationAuthServiceFactory, "getIntegrationAccessToken" | "getIntegrationAuth">;
+  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath" | "findBySecretPath">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}) => {
+  const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integration.projectId);
+  const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+    type: KmsDataKey.SecretManager,
+    projectId: integration.projectId
+  });
+
+  const folder = await folderDAL.findBySecretPath(
+    integration.projectId,
+    integration.environment.slug,
+    integration.secretPath
+  );
+
+  if (!folder) {
+    throw new NotFoundError({
+      message: "Folder not found."
+    });
+  }
+
+  const { accessToken } = await integrationAuthService.getIntegrationAccessToken(
+    integrationAuth,
+    shouldUseSecretV2Bridge,
+    botKey
+  );
+
+  const secrets = shouldUseSecretV2Bridge
+    ? await getIntegrationSecretsV2(
+        {
+          environment: integration.environment.id,
+          projectId: integration.projectId,
+          folderId: folder.id,
+          depth: 1,
+          decryptor: (value) => (value ? secretManagerDecryptor({ cipherTextBlob: value }).toString() : "")
+        },
+        secretV2BridgeDAL,
+        folderDAL,
+        secretImportDAL
+      )
+    : await getIntegrationSecretsV1(
+        {
+          environment: integration.environment.id,
+          projectId: integration.projectId,
+          folderId: folder.id,
+          key: botKey as string,
+          depth: 1
+        },
+        secretDAL,
+        folderDAL,
+        secretImportDAL
+      );
+
+  const suffixedSecrets: typeof secrets = {};
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
+
+  if (metadata) {
+    Object.keys(secrets).forEach((key) => {
+      const prefix = metadata?.secretPrefix || "";
+      const suffix = metadata?.secretSuffix || "";
+      const newKey = prefix + key + suffix;
+      suffixedSecrets[newKey] = secrets[key];
+    });
+  }
+
+  switch (integration.integration) {
+    case Integrations.GITHUB: {
+      await deleteGithubSecrets({
+        integration,
+        accessToken,
+        secrets: Object.keys(suffixedSecrets).length !== 0 ? suffixedSecrets : secrets
+      });
+      break;
+    }
+    default:
+      throw new BadRequestError({
+        message: "Invalid integration"
+      });
+  }
+};

backend/src/services/integration/integration-service.ts

@@ -6,8 +6,15 @@ import { BadRequestError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 
 import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth-dal";
+import { TIntegrationAuthServiceFactory } from "../integration-auth/integration-auth-service";
+import { deleteIntegrationSecrets } from "../integration-auth/integration-delete-secret";
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
+import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
+import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TIntegrationDALFactory } from "./integration-dal";
 import {
   TCreateIntegrationDTO,
@@ -19,9 +26,15 @@ import {
 type TIntegrationServiceFactoryDep = {
   integrationDAL: TIntegrationDALFactory;
   integrationAuthDAL: TIntegrationAuthDALFactory;
-  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath">;
+  integrationAuthService: TIntegrationAuthServiceFactory;
+  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findByManySecretPath">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  projectBotService: TProjectBotServiceFactory;
   secretQueueService: Pick<TSecretQueueFactory, "syncIntegrations">;
+  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find" | "findByFolderId">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  secretDAL: Pick<TSecretDALFactory, "findByFolderId">;
 };
 
 export type TIntegrationServiceFactory = ReturnType<typeof integrationServiceFactory>;
@@ -31,7 +44,13 @@ export const integrationServiceFactory = ({
   integrationAuthDAL,
   folderDAL,
   permissionService,
-  secretQueueService
+  secretQueueService,
+  integrationAuthService,
+  projectBotService,
+  secretV2BridgeDAL,
+  secretImportDAL,
+  kmsService,
+  secretDAL
 }: TIntegrationServiceFactoryDep) => {
   const createIntegration = async ({
     app,
@@ -161,7 +180,14 @@ export const integrationServiceFactory = ({
     return updatedIntegration;
   };
 
-  const deleteIntegration = async ({ actorId, id, actor, actorAuthMethod, actorOrgId }: TDeleteIntegrationDTO) => {
+  const deleteIntegration = async ({
+    actorId,
+    id,
+    actor,
+    actorAuthMethod,
+    actorOrgId,
+    shouldDeleteIntegrationSecrets
+  }: TDeleteIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
 
@@ -174,6 +200,22 @@ export const integrationServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
+    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
+
+    if (shouldDeleteIntegrationSecrets) {
+      await deleteIntegrationSecrets({
+        integration,
+        integrationAuth,
+        projectBotService,
+        integrationAuthService,
+        secretV2BridgeDAL,
+        folderDAL,
+        secretImportDAL,
+        secretDAL,
+        kmsService
+      });
+    }
+
     const deletedIntegration = await integrationDAL.transaction(async (tx) => {
       // delete integration
       const deletedIntegrationResult = await integrationDAL.deleteById(id, tx);

backend/src/services/integration/integration-types.ts

@@ -63,6 +63,7 @@ export type TUpdateIntegrationDTO = {
 
 export type TDeleteIntegrationDTO = {
   id: string;
+  shouldDeleteIntegrationSecrets?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TSyncIntegrationDTO = {

backend/src/services/project-bot/project-bot-dal.ts

@@ -46,6 +46,7 @@ export const projectBotDALFactory = (db: TDbClient) => {
       const doc = await db
         .replicaNode()(TableName.ProjectMembership)
         .where(`${TableName.ProjectMembership}.projectId` as "projectId", projectId)
+        .where(`${TableName.ProjectKeys}.projectId` as "projectId", projectId)
         .where(`${TableName.Users}.isGhost` as "isGhost", false)
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .join(TableName.ProjectKeys, `${TableName.ProjectMembership}.userId`, `${TableName.ProjectKeys}.receiverId`)

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -542,8 +542,8 @@ export const reshapeBridgeSecret = (
   secretPath,
   workspace: workspaceId,
   environment,
-  secretValue: secret.value,
-  secretComment: secret.comment,
+  secretValue: secret.value || "",
+  secretComment: secret.comment || "",
   version: secret.version,
   type: secret.type,
   _id: secret.id,

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -522,7 +522,7 @@ export const secretV2BridgeServiceFactory = ({
           await expandSecretReferences(secretsGroupByKey);
           secretsGroupByPath[secretPathKey].forEach((decryptedSecret) => {
             // eslint-disable-next-line no-param-reassign
-            decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value;
+            decryptedSecret.secretValue = secretsGroupByKey[decryptedSecret.secretKey].value || "";
           });
         }
       }

docs/api-reference/endpoints/certificate-authorities/list-ca-certs.mdx

@@ -1,4 +0,0 @@
----
-title: "List CA certificates"
-openapi: "GET /api/v1/pki/ca/{caId}/ca-certificates"
----

docs/api-reference/endpoints/certificate-authorities/renew.mdx

@@ -1,4 +0,0 @@
----
-title: "Renew"
-openapi: "POST /api/v1/pki/ca/{caId}/renew"
----

docs/documentation/platform/pki/private-ca.mdx

@@ -36,7 +36,7 @@ A typical workflow for setting up a Private CA hierarchy consists of the followi
   intermediate certificate back to the intermediate CA as part of Step 2.
 </Note>
 
-## Guide to Creating a CA Hierarchy
+## Guide
 
 In the following steps, we explore how to create a simple Private CA hierarchy
 consisting of a root CA and an intermediate CA.
@@ -240,51 +240,6 @@ consisting of a root CA and an intermediate CA.
   </Tab>
 </Tabs>
 
-## Guide to CA Renewal
-
-In the following steps, we explore how to renew a CA certificate via same key pair.
-
-<Tabs>
-  <Tab title="Infisical UI">
-    Head to the CA Page of the CA you wish you renew and press **Renew CA** on
-    the left side. ![pki ca renewal
-    page](/images/platform/pki/ca-renewal-page.png) Input a new **Valid Until**
-    date to be used for the renewed CA certificate and press **Renew** to renew
-    the CA. ![pki ca renewal. modal](/images/platform/pki/ca-renewal-modal.png)
-    <Note>
-      The new **Valid Until** date must be within the validity period of the
-      parent CA.
-    </Note>
-  </Tab>
-  <Tab title="API">
-  
-  To renew a CA certificate, make an API request to the [Renew CA](/api-reference/endpoints/certificate-authorities/renew) API endpoint, specifying the new `notAfter` date for the CA.
-
-    ### Sample request
-
-    ```bash Request
-    curl --location --request POST 'https://app.infisical.com/api/v1/pki/ca/<ca-id>/renew' \
-      --header 'Authorization: Bearer <access-token>' \
-      --header 'Content-Type: application/json' \
-      --data-raw '{
-          "type": "existing",
-          "notAfter": "2029-06-12"
-      }'
-    ```
-
-    ### Sample response
-
-    ```bash Response
-    {
-      certificate: "...",
-      certificateChain: "...",
-      serialNumber: "..."
-    }
-    ```
-
-  </Tab>
-</Tabs>
-
 ## FAQ
 
 <AccordionGroup>
@@ -292,8 +247,4 @@ In the following steps, we explore how to renew a CA certificate via same key pa
     Infisical supports `RSA 2048`, `RSA 4096`, `ECDSA P-256`, `ECDSA P-384` key
     algorithms specified at the time of creating a CA.
   </Accordion>
-  <Accordion title="Does Infisical support CA renewal via new key pair">
-    At the moment, Infisical only supports CA renewal via same key pair. We
-    anticipate supporting CA renewal via new key pair in the coming month.
-  </Accordion>
 </AccordionGroup>

docs/mint.json

@@ -667,8 +667,6 @@
             "api-reference/endpoints/certificate-authorities/read",
             "api-reference/endpoints/certificate-authorities/update",
             "api-reference/endpoints/certificate-authorities/delete",
-            "api-reference/endpoints/certificate-authorities/renew",
-            "api-reference/endpoints/certificate-authorities/list-ca-certs",
             "api-reference/endpoints/certificate-authorities/csr",
             "api-reference/endpoints/certificate-authorities/cert",
             "api-reference/endpoints/certificate-authorities/sign-intermediate",

frontend/package-lock.json

@@ -22,7 +22,6 @@
         "@headlessui/react": "^1.7.7",
         "@hookform/resolvers": "^2.9.10",
         "@octokit/rest": "^19.0.7",
-        "@peculiar/x509": "^1.11.0",
         "@radix-ui/react-accordion": "^1.1.2",
         "@radix-ui/react-alert-dialog": "^1.0.5",
         "@radix-ui/react-checkbox": "^1.0.4",
@@ -4521,149 +4520,6 @@
         "@octokit/openapi-types": "^18.0.0"
       }
     },
-    "node_modules/@peculiar/asn1-cms": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.3.13.tgz",
-      "integrity": "sha512-joqu8A7KR2G85oLPq+vB+NFr2ro7Ls4ol13Zcse/giPSzUNN0n2k3v8kMpf6QdGUhI13e5SzQYN8AKP8sJ8v4w==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "@peculiar/asn1-x509-attr": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-csr": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.3.13.tgz",
-      "integrity": "sha512-+JtFsOUWCw4zDpxp1LbeTYBnZLlGVOWmHHEhoFdjM5yn4wCn+JiYQ8mghOi36M2f6TPQ17PmhNL6/JfNh7/jCA==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-ecc": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.3.13.tgz",
-      "integrity": "sha512-3dF2pQcrN/WJEMq+9qWLQ0gqtn1G81J4rYqFl6El6QV367b4IuhcRv+yMA84tNNyHOJn9anLXV5radnpPiG3iA==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-pfx": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.3.13.tgz",
-      "integrity": "sha512-fypYxjn16BW+5XbFoY11Rm8LhZf6euqX/C7BTYpqVvLem1GvRl7A+Ro1bO/UPwJL0z+1mbvXEnkG0YOwbwz2LA==",
-      "dependencies": {
-        "@peculiar/asn1-cms": "^2.3.13",
-        "@peculiar/asn1-pkcs8": "^2.3.13",
-        "@peculiar/asn1-rsa": "^2.3.13",
-        "@peculiar/asn1-schema": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-pkcs8": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.3.13.tgz",
-      "integrity": "sha512-VP3PQzbeSSjPjKET5K37pxyf2qCdM0dz3DJ56ZCsol3FqAXGekb4sDcpoL9uTLGxAh975WcdvUms9UcdZTuGyQ==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-pkcs9": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.3.13.tgz",
-      "integrity": "sha512-rIwQXmHpTo/dgPiWqUgby8Fnq6p1xTJbRMxCiMCk833kQCeZrC5lbSKg6NDnJTnX2kC6IbXBB9yCS2C73U2gJg==",
-      "dependencies": {
-        "@peculiar/asn1-cms": "^2.3.13",
-        "@peculiar/asn1-pfx": "^2.3.13",
-        "@peculiar/asn1-pkcs8": "^2.3.13",
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "@peculiar/asn1-x509-attr": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-rsa": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.3.13.tgz",
-      "integrity": "sha512-wBNQqCyRtmqvXkGkL4DR3WxZhHy8fDiYtOjTeCd7SFE5F6GBeafw3EJ94PX/V0OJJrjQ40SkRY2IZu3ZSyBqcg==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-schema": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.3.13.tgz",
-      "integrity": "sha512-3Xq3a01WkHRZL8X04Zsfg//mGaA21xlL4tlVn4v2xGT0JStiztATRkMwa5b+f/HXmY2smsiLXYK46Gwgzvfg3g==",
-      "dependencies": {
-        "asn1js": "^3.0.5",
-        "pvtsutils": "^1.3.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-x509": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.3.13.tgz",
-      "integrity": "sha512-PfeLQl2skXmxX2/AFFCVaWU8U6FKW1Db43mgBhShCOFS1bVxqtvusq1hVjfuEcuSQGedrLdCSvTgabluwN/M9A==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "ipaddr.js": "^2.1.0",
-        "pvtsutils": "^1.3.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-x509-attr": {
-      "version": "2.3.13",
-      "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.3.13.tgz",
-      "integrity": "sha512-WpEos6CcnUzJ6o2Qb68Z7Dz5rSjRGv/DtXITCNBtjZIRWRV12yFVci76SVfOX8sisL61QWMhpLKQibrG8pi2Pw==",
-      "dependencies": {
-        "@peculiar/asn1-schema": "^2.3.13",
-        "@peculiar/asn1-x509": "^2.3.13",
-        "asn1js": "^3.0.5",
-        "tslib": "^2.6.2"
-      }
-    },
-    "node_modules/@peculiar/asn1-x509/node_modules/ipaddr.js": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-2.2.0.tgz",
-      "integrity": "sha512-Ag3wB2o37wslZS19hZqorUnrnzSkpOVy+IiiDEiTqNubEYpYuHWIf6K4psgN2ZWKExS4xhVCrRVfb/wfW8fWJA==",
-      "engines": {
-        "node": ">= 10"
-      }
-    },
-    "node_modules/@peculiar/x509": {
-      "version": "1.11.0",
-      "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.11.0.tgz",
-      "integrity": "sha512-8rdxE//tsWLb2Yo2TYO2P8gieStbrHK/huFMV5PPfwX8I5HmtOus+Ox6nTKrPA9o+WOPaa5xKenee+QdmHBd5g==",
-      "dependencies": {
-        "@peculiar/asn1-cms": "^2.3.8",
-        "@peculiar/asn1-csr": "^2.3.8",
-        "@peculiar/asn1-ecc": "^2.3.8",
-        "@peculiar/asn1-pkcs9": "^2.3.8",
-        "@peculiar/asn1-rsa": "^2.3.8",
-        "@peculiar/asn1-schema": "^2.3.8",
-        "@peculiar/asn1-x509": "^2.3.8",
-        "pvtsutils": "^1.3.5",
-        "reflect-metadata": "^0.2.2",
-        "tslib": "^2.6.2",
-        "tsyringe": "^4.8.0"
-      }
-    },
     "node_modules/@pkgjs/parseargs": {
       "version": "0.11.0",
       "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
@@ -10014,19 +9870,6 @@
       "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==",
       "dev": true
     },
-    "node_modules/asn1js": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/asn1js/-/asn1js-3.0.5.tgz",
-      "integrity": "sha512-FVnvrKJwpt9LP2lAMl8qZswRNm3T4q9CON+bxldk2iwk3FFpuwhx2FfinyitizWHsVYyaY+y5JzDR0rCMV5yTQ==",
-      "dependencies": {
-        "pvtsutils": "^1.3.2",
-        "pvutils": "^1.1.3",
-        "tslib": "^2.4.0"
-      },
-      "engines": {
-        "node": ">=12.0.0"
-      }
-    },
     "node_modules/assert": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/assert/-/assert-2.1.0.tgz",
@@ -20477,22 +20320,6 @@
         "async-limiter": "~1.0.0"
       }
     },
-    "node_modules/pvtsutils": {
-      "version": "1.3.5",
-      "resolved": "https://registry.npmjs.org/pvtsutils/-/pvtsutils-1.3.5.tgz",
-      "integrity": "sha512-ARvb14YB9Nm2Xi6nBq1ZX6dAM0FsJnuk+31aUp4TrcZEdKUlSqOqsxJHUPJDNE3qiIp+iUPEIeR6Je/tgV7zsA==",
-      "dependencies": {
-        "tslib": "^2.6.1"
-      }
-    },
-    "node_modules/pvutils": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/pvutils/-/pvutils-1.1.3.tgz",
-      "integrity": "sha512-pMpnA0qRdFp32b1sJl1wOJNxZLQ2cbQx+k6tjNtZ8CpvVhNqEPRgivZ2WOUev2YMajecdH7ctUPDvEe87nariQ==",
-      "engines": {
-        "node": ">=6.0.0"
-      }
-    },
     "node_modules/qs": {
       "version": "6.11.2",
       "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.2.tgz",
@@ -21359,11 +21186,6 @@
         "redux": "^4"
       }
     },
-    "node_modules/reflect-metadata": {
-      "version": "0.2.2",
-      "resolved": "https://registry.npmjs.org/reflect-metadata/-/reflect-metadata-0.2.2.tgz",
-      "integrity": "sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q=="
-    },
     "node_modules/reflect.getprototypeof": {
       "version": "1.0.4",
       "resolved": "https://registry.npmjs.org/reflect.getprototypeof/-/reflect.getprototypeof-1.0.4.tgz",
@@ -23751,22 +23573,6 @@
       "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==",
       "dev": true
     },
-    "node_modules/tsyringe": {
-      "version": "4.8.0",
-      "resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.8.0.tgz",
-      "integrity": "sha512-YB1FG+axdxADa3ncEtRnQCFq/M0lALGLxSZeVNbTU8NqhOVc51nnv2CISTcvc1kyv6EGPtXVr0v6lWeDxiijOA==",
-      "dependencies": {
-        "tslib": "^1.9.3"
-      },
-      "engines": {
-        "node": ">= 6.0.0"
-      }
-    },
-    "node_modules/tsyringe/node_modules/tslib": {
-      "version": "1.14.1",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
-      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
-    },
     "node_modules/tty-browserify": {
       "version": "0.0.1",
       "resolved": "https://registry.npmjs.org/tty-browserify/-/tty-browserify-0.0.1.tgz",

frontend/package.json

@@ -30,7 +30,6 @@
     "@headlessui/react": "^1.7.7",
     "@hookform/resolvers": "^2.9.10",
     "@octokit/rest": "^19.0.7",
-    "@peculiar/x509": "^1.11.0",
     "@radix-ui/react-accordion": "^1.1.2",
     "@radix-ui/react-alert-dialog": "^1.0.5",
     "@radix-ui/react-checkbox": "^1.0.4",

frontend/src/components/v2/DeleteActionModal/DeleteActionModal.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState } from "react";
+import { ReactNode, useEffect, useState } from "react";
 
 import { useToggle } from "@app/hooks";
 
@@ -16,6 +16,7 @@ type Props = {
   subTitle?: string;
   onDeleteApproved: () => Promise<void>;
   buttonText?: string;
+  children?: ReactNode;
 };
 
 export const DeleteActionModal = ({
@@ -26,7 +27,8 @@ export const DeleteActionModal = ({
   onDeleteApproved,
   title,
   subTitle = "This action is irreversible.",
-  buttonText = "Delete"
+  buttonText = "Delete",
+  children
 }: Props): JSX.Element => {
   const [inputData, setInputData] = useState("");
   const [isLoading, setIsLoading] = useToggle();
@@ -97,6 +99,7 @@ export const DeleteActionModal = ({
               placeholder={`Type ${deleteKey} here`}
             />
           </FormControl>
+          {children}
         </form>
       </ModalContent>
     </Modal>

frontend/src/components/v2/index.tsx

@@ -1,6 +1,5 @@
 export * from "./Accordion";
 export * from "./Alert";
-export * from "./Badge";
 export * from "./Button";
 export * from "./Card";
 export * from "./Checkbox";

frontend/src/hooks/api/ca/constants.tsx

@@ -1,4 +1,4 @@
-import { CaStatus, CaType } from "./enums";
+import { CaStatus,CaType } from "./enums";
 
 export const caTypeToNameMap: { [K in CaType]: string } = {
   [CaType.ROOT]: "Root",
@@ -10,14 +10,3 @@ export const caStatusToNameMap: { [K in CaStatus]: string } = {
   [CaStatus.DISABLED]: "Disabled",
   [CaStatus.PENDING_CERTIFICATE]: "Pending Certificate"
 };
-
-export const getStatusBadgeVariant = (status: CaStatus) => {
-  switch (status) {
-    case CaStatus.ACTIVE:
-      return "success";
-    case CaStatus.DISABLED:
-      return "danger";
-    default:
-      return "primary";
-  }
-};

frontend/src/hooks/api/ca/enums.tsx

@@ -8,7 +8,3 @@ export enum CaStatus {
   DISABLED = "disabled",
   PENDING_CERTIFICATE = "pending-certificate"
 }
-
-export enum CaRenewalType {
-  EXISTING = "existing"
-}

frontend/src/hooks/api/ca/index.tsx

@@ -1,10 +1,10 @@
-export { CaRenewalType,CaStatus, CaType } from "./enums";
+export { CaStatus, CaType } from "./enums";
 export {
   useCreateCa,
   useCreateCertificate,
   useDeleteCa,
   useImportCaCertificate,
-  useRenewCa,
   useSignIntermediate,
-  useUpdateCa} from "./mutations";
-export { useGetCaById, useGetCaCert, useGetCaCerts, useGetCaCrl, useGetCaCsr } from "./queries";
+  useUpdateCa
+} from "./mutations";
+export { useGetCaById, useGetCaCert, useGetCaCrl,useGetCaCsr } from "./queries";

frontend/src/hooks/api/ca/mutations.tsx

@@ -3,7 +3,6 @@ import { useMutation, useQueryClient } from "@tanstack/react-query";
 import { apiRequest } from "@app/config/request";
 
 import { workspaceKeys } from "../workspace/queries";
-import { caKeys } from "./queries";
 import {
   TCertificateAuthority,
   TCreateCaDTO,
@@ -12,8 +11,6 @@ import {
   TDeleteCaDTO,
   TImportCaCertificateDTO,
   TImportCaCertificateResponse,
-  TRenewCaDTO,
-  TRenewCaResponse,
   TSignIntermediateDTO,
   TSignIntermediateResponse,
   TUpdateCaDTO
@@ -87,10 +84,8 @@ export const useImportCaCertificate = () => {
       );
       return data;
     },
-    onSuccess: (_, { caId, projectSlug }) => {
+    onSuccess: (_, { projectSlug }) => {
       queryClient.invalidateQueries(workspaceKeys.getWorkspaceCas({ projectSlug }));
-      queryClient.invalidateQueries(caKeys.getCaCerts(caId));
-      queryClient.invalidateQueries(caKeys.getCaCert(caId));
     }
   });
 };
@@ -111,24 +106,3 @@ export const useCreateCertificate = () => {
     }
   });
 };
-
-export const useRenewCa = () => {
-  const queryClient = useQueryClient();
-  return useMutation<TRenewCaResponse, {}, TRenewCaDTO>({
-    mutationFn: async (body) => {
-      const { data } = await apiRequest.post<TRenewCaResponse>(
-        `/api/v1/pki/ca/${body.caId}/renew`,
-        body
-      );
-      return data;
-    },
-    onSuccess: (_, { caId, projectSlug }) => {
-      queryClient.invalidateQueries(workspaceKeys.getWorkspaceCas({ projectSlug }));
-      queryClient.invalidateQueries(caKeys.getCaById(caId));
-      queryClient.invalidateQueries(caKeys.getCaCert(caId));
-      queryClient.invalidateQueries(caKeys.getCaCerts(caId));
-      queryClient.invalidateQueries(caKeys.getCaCsr(caId));
-      queryClient.invalidateQueries(caKeys.getCaCrl(caId));
-    }
-  });
-};

frontend/src/hooks/api/ca/queries.tsx

@@ -6,7 +6,6 @@ import { TCertificateAuthority } from "./types";
 
 export const caKeys = {
   getCaById: (caId: string) => [{ caId }, "ca"],
-  getCaCerts: (caId: string) => [{ caId }, "ca-cert"],
   getCaCert: (caId: string) => [{ caId }, "ca-cert"],
   getCaCsr: (caId: string) => [{ caId }, "ca-csr"],
   getCaCrl: (caId: string) => [{ caId }, "ca-crl"]
@@ -25,24 +24,6 @@ export const useGetCaById = (caId: string) => {
   });
 };
 
-export const useGetCaCerts = (caId: string) => {
-  return useQuery({
-    queryKey: caKeys.getCaCerts(caId),
-    queryFn: async () => {
-      const { data } = await apiRequest.get<
-        {
-          certificate: string;
-          certificateChain: string;
-          serialNumber: string;
-          version: number;
-        }[]
-      >(`/api/v1/pki/ca/${caId}/ca-certificates`); // TODO: consider updating endpoint structure
-      return data;
-    },
-    enabled: Boolean(caId)
-  });
-};
-
 export const useGetCaCert = (caId: string) => {
   return useQuery({
     queryKey: caKeys.getCaCert(caId),
@@ -51,7 +32,7 @@ export const useGetCaCert = (caId: string) => {
         certificate: string;
         certificateChain: string;
         serialNumber: string;
-      }>(`/api/v1/pki/ca/${caId}/certificate`); // TODO: consider updating endpoint structure
+      }>(`/api/v1/pki/ca/${caId}/certificate`);
       return data;
     },
     enabled: Boolean(caId)

frontend/src/hooks/api/ca/types.ts

@@ -1,5 +1,5 @@
 import { CertKeyAlgorithm } from "../certificates/enums";
-import { CaRenewalType, CaStatus, CaType } from "./enums";
+import { CaStatus, CaType } from "./enums";
 
 export type TCertificateAuthority = {
   id: string;
@@ -19,7 +19,6 @@ export type TCertificateAuthority = {
   notAfter?: string;
   notBefore?: string;
   keyAlgorithm: CertKeyAlgorithm;
-  activeCaCertId?: string;
   createdAt: string;
   updatedAt: string;
 };
@@ -95,16 +94,3 @@ export type TCreateCertificateResponse = {
   privateKey: string;
   serialNumber: string;
 };
-
-export type TRenewCaDTO = {
-  projectSlug: string;
-  caId: string;
-  type: CaRenewalType;
-  notAfter: string;
-};
-
-export type TRenewCaResponse = {
-  certificate: string;
-  certificateChain: string;
-  serialNumber: string;
-};

frontend/src/hooks/api/integrations/queries.tsx

@@ -110,8 +110,15 @@ export const useCreateIntegration = () => {
 export const useDeleteIntegration = () => {
   const queryClient = useQueryClient();
 
-  return useMutation<{}, {}, { id: string; workspaceId: string }>({
-    mutationFn: ({ id }) => apiRequest.delete(`/api/v1/integration/${id}`),
+  return useMutation<
+    {},
+    {},
+    { id: string; workspaceId: string; shouldDeleteIntegrationSecrets: boolean }
+  >({
+    mutationFn: ({ id, shouldDeleteIntegrationSecrets }) =>
+      apiRequest.delete(
+        `/api/v1/integration/${id}?shouldDeleteIntegrationSecrets=${shouldDeleteIntegrationSecrets}`
+      ),
     onSuccess: (_, { workspaceId }) => {
       queryClient.invalidateQueries(workspaceKeys.getWorkspaceIntegrations(workspaceId));
       queryClient.invalidateQueries(workspaceKeys.getWorkspaceAuthorization(workspaceId));

frontend/src/hooks/api/rateLimit/types.ts

@@ -5,6 +5,5 @@ export type TRateLimit = {
   authRateLimit: number;
   inviteUserRateLimit: number;
   mfaRateLimit: number;
-  creationLimit: number;
   publicEndpointLimit: number;
 };

frontend/src/pages/project/[id]/ca/[caId]/index.tsx

@@ -1,18 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unused-vars */
-import Head from "next/head";
-
-import { CaPage } from "@app/views/Project/CaPage";
-
-export default function Ca() {
-  return (
-    <>
-      <Head>
-        <title>Certificate Authority</title>
-        <link rel="icon" href="/infisical.ico" />
-      </Head>
-      <CaPage />
-    </>
-  );
-}
-
-Ca.requireAuth = true;

frontend/src/views/IntegrationsPage/IntegrationsPage.tsx

@@ -106,9 +106,13 @@ export const IntegrationsPage = withProjectPermission(
       handleProviderIntegration(provider);
     };
 
-    const handleIntegrationDelete = async (integrationId: string, cb: () => void) => {
+    const handleIntegrationDelete = async (
+      integrationId: string,
+      shouldDeleteIntegrationSecrets: boolean,
+      cb: () => void
+    ) => {
       try {
-        await deleteIntegration({ id: integrationId, workspaceId });
+        await deleteIntegration({ id: integrationId, workspaceId, shouldDeleteIntegrationSecrets });
         if (cb) cb();
         createNotification({
           type: "success",
@@ -152,7 +156,7 @@ export const IntegrationsPage = withProjectPermission(
           isLoading={isIntegrationLoading}
           integrations={integrations}
           environments={environments}
-          onIntegrationDelete={({ id }, cb) => handleIntegrationDelete(id, cb)}
+          onIntegrationDelete={handleIntegrationDelete}
           workspaceId={workspaceId}
         />
         <CloudIntegrationSection

frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx

@@ -7,6 +7,7 @@ import { integrationSlugNameMapping } from "public/data/frequentConstants";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
   Button,
+  Checkbox,
   DeleteActionModal,
   EmptyState,
   FormLabel,
@@ -16,7 +17,7 @@ import {
   Tooltip
 } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
-import { usePopUp } from "@app/hooks";
+import { usePopUp, useToggle } from "@app/hooks";
 import { useSyncIntegration } from "@app/hooks/api/integrations/queries";
 import { IntegrationMappingBehavior } from "@app/hooks/api/integrations/types";
 import { TIntegration } from "@app/hooks/api/types";
@@ -25,7 +26,11 @@ type Props = {
   environments: Array<{ name: string; slug: string; id: string }>;
   integrations?: TIntegration[];
   isLoading?: boolean;
-  onIntegrationDelete: (integration: TIntegration, cb: () => void) => void;
+  onIntegrationDelete: (
+    integrationId: string,
+    shouldDeleteIntegrationSecrets: boolean,
+    cb: () => void
+  ) => Promise<void>;
   workspaceId: string;
 };
 
@@ -37,10 +42,12 @@ export const IntegrationsSection = ({
   workspaceId
 }: Props) => {
   const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-    "deleteConfirmation"
+    "deleteConfirmation",
+    "deleteSecretsConfirmation"
   ] as const);
 
   const { mutate: syncIntegration } = useSyncIntegration();
+  const [shouldDeleteSecrets, setShouldDeleteSecrets] = useToggle(false);
 
   return (
     <div className="mb-8">
@@ -249,7 +256,10 @@ export const IntegrationsSection = ({
                     <div className="flex items-end opacity-80 duration-200 hover:opacity-100">
                       <Tooltip content="Remove Integration">
                         <IconButton
-                          onClick={() => handlePopUpOpen("deleteConfirmation", integration)}
+                          onClick={() => {
+                            setShouldDeleteSecrets.off();
+                            handlePopUpOpen("deleteConfirmation", integration);
+                          }}
                           ariaLabel="delete"
                           isDisabled={!isAllowed}
                           colorSchema="danger"
@@ -281,11 +291,49 @@ export const IntegrationsSection = ({
           (popUp?.deleteConfirmation?.data as TIntegration)?.integration ||
           ""
         }
-        onDeleteApproved={async () =>
-          onIntegrationDelete(popUp?.deleteConfirmation.data as TIntegration, () =>
-            handlePopUpClose("deleteConfirmation")
-          )
-        }
+        onDeleteApproved={async () => {
+          if (shouldDeleteSecrets) {
+            handlePopUpOpen("deleteSecretsConfirmation");
+            return;
+          }
+
+          await onIntegrationDelete(
+            (popUp?.deleteConfirmation.data as TIntegration).id,
+            false,
+            () => handlePopUpClose("deleteConfirmation")
+          );
+        }}
+      >
+        {(popUp?.deleteConfirmation?.data as TIntegration)?.integration === "github" && (
+          <div className="mt-4">
+            <Checkbox
+              id="delete-integration-secrets"
+              checkIndicatorBg="text-white"
+              onCheckedChange={() => setShouldDeleteSecrets.toggle()}
+            >
+              Delete previously synced secrets from the destination
+            </Checkbox>
+          </div>
+        )}
+      </DeleteActionModal>
+      <DeleteActionModal
+        isOpen={popUp.deleteSecretsConfirmation.isOpen}
+        title={`Are you sure you also want to delete secrets on ${
+          (popUp?.deleteConfirmation.data as TIntegration)?.integration
+        }?`}
+        subTitle="By confirming, you acknowledge that all secrets managed by this integration will be removed from the destination. This action is irreversible."
+        onChange={(isOpen) => handlePopUpToggle("deleteSecretsConfirmation", isOpen)}
+        deleteKey="confirm"
+        onDeleteApproved={async () => {
+          await onIntegrationDelete(
+            (popUp?.deleteConfirmation.data as TIntegration).id,
+            true,
+            () => {
+              handlePopUpClose("deleteSecretsConfirmation");
+              handlePopUpClose("deleteConfirmation");
+            }
+          );
+        }}
       />
     </div>
   );

frontend/src/views/Project/CaPage/CaPage.tsx

@@ -1,145 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unused-vars */
-import { useRouter } from "next/router";
-import { faChevronLeft, faEllipsis } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { twMerge } from "tailwind-merge";
-
-import { createNotification } from "@app/components/notifications";
-import { ProjectPermissionCan } from "@app/components/permissions";
-import {
-  Button,
-  DeleteActionModal,
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
-  Tooltip
-} from "@app/components/v2";
-import { ProjectPermissionActions, ProjectPermissionSub, useWorkspace } from "@app/context";
-import { withProjectPermission } from "@app/hoc";
-import { useDeleteCa, useGetCaById } from "@app/hooks/api";
-import { usePopUp } from "@app/hooks/usePopUp";
-import { CaModal } from "@app/views/Project/CertificatesPage/components/CaTab/components/CaModal";
-
-import { CaInstallCertModal } from "../CertificatesPage/components/CaTab/components/CaInstallCertModal";
-import { TabSections } from "../Types";
-import { CaCertificatesSection, CaDetailsSection, CaRenewalModal } from "./components";
-
-export const CaPage = withProjectPermission(
-  () => {
-    const router = useRouter();
-    const caId = router.query.caId as string;
-    const { data } = useGetCaById(caId);
-
-    const { currentWorkspace } = useWorkspace();
-    const projectId = currentWorkspace?.id || "";
-
-    const { mutateAsync: deleteCa } = useDeleteCa();
-
-    const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
-      "ca",
-      "deleteCa",
-      "installCaCert",
-      "renewCa"
-    ] as const);
-
-    const onRemoveCaSubmit = async (caIdToDelete: string) => {
-      try {
-        if (!currentWorkspace?.slug) return;
-
-        await deleteCa({ caId: caIdToDelete, projectSlug: currentWorkspace.slug });
-
-        await createNotification({
-          text: "Successfully deleted CA",
-          type: "success"
-        });
-
-        handlePopUpClose("deleteCa");
-        router.push(`/project/${projectId}/certificates`);
-      } catch (err) {
-        console.error(err);
-        createNotification({
-          text: "Failed to delete CA",
-          type: "error"
-        });
-      }
-    };
-
-    return (
-      <div className="container mx-auto flex flex-col justify-between bg-bunker-800 text-white">
-        {data && (
-          <div className="mx-auto mb-6 w-full max-w-7xl py-6 px-6">
-            <Button
-              variant="link"
-              type="submit"
-              leftIcon={<FontAwesomeIcon icon={faChevronLeft} />}
-              onClick={() => router.push(`/project/${projectId}/certificates`)}
-              className="mb-4"
-            >
-              Certificate Authorities
-            </Button>
-            <div className="mb-4 flex items-center justify-between">
-              <p className="text-3xl font-semibold text-white">{data.friendlyName}</p>
-              <DropdownMenu>
-                <DropdownMenuTrigger asChild className="rounded-lg">
-                  <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
-                    <Tooltip content="More options">
-                      <FontAwesomeIcon size="sm" icon={faEllipsis} />
-                    </Tooltip>
-                  </div>
-                </DropdownMenuTrigger>
-                <DropdownMenuContent align="start" className="p-1">
-                  <ProjectPermissionCan
-                    I={ProjectPermissionActions.Delete}
-                    a={ProjectPermissionSub.CertificateAuthorities}
-                  >
-                    {(isAllowed) => (
-                      <DropdownMenuItem
-                        className={twMerge(
-                          isAllowed
-                            ? "hover:!bg-red-500 hover:!text-white"
-                            : "pointer-events-none cursor-not-allowed opacity-50"
-                        )}
-                        onClick={() =>
-                          handlePopUpOpen("deleteCa", {
-                            caId: data.id,
-                            dn: data.dn
-                          })
-                        }
-                        disabled={!isAllowed}
-                      >
-                        Delete CA
-                      </DropdownMenuItem>
-                    )}
-                  </ProjectPermissionCan>
-                </DropdownMenuContent>
-              </DropdownMenu>
-            </div>
-            <div className="flex">
-              <div className="mr-4 w-96">
-                <CaDetailsSection caId={caId} handlePopUpOpen={handlePopUpOpen} />
-              </div>
-              <CaCertificatesSection caId={caId} />
-            </div>
-          </div>
-        )}
-        <CaModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} />
-        <CaRenewalModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} />
-        <CaInstallCertModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} />
-        <DeleteActionModal
-          isOpen={popUp.deleteCa.isOpen}
-          title={`Are you sure want to remove the CA ${
-            (popUp?.deleteCa?.data as { dn: string })?.dn || ""
-          } from the project?`}
-          subTitle="This action will delete other CAs and certificates below it in your CA hierarchy."
-          onChange={(isOpen) => handlePopUpToggle("deleteCa", isOpen)}
-          deleteKey="confirm"
-          onDeleteApproved={() =>
-            onRemoveCaSubmit((popUp?.deleteCa?.data as { caId: string })?.caId)
-          }
-        />
-      </div>
-    );
-  },
-  { action: ProjectPermissionActions.Read, subject: ProjectPermissionSub.CertificateAuthorities }
-);

frontend/src/views/Project/CaPage/components/CaCertificatesSection/CaCertificatesSection.tsx

@@ -1,31 +0,0 @@
-// import { faPlus } from "@fortawesome/free-solid-svg-icons";
-// import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-// import { IconButton } from "@app/components/v2";
-import { CaCertificatesTable } from "./CaCertificatesTable";
-
-type Props = {
-  caId: string;
-};
-
-export const CaCertificatesSection = ({ caId }: Props) => {
-  return (
-    <div className="w-full rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-      <div className="flex items-center justify-between border-b border-mineshaft-400 pb-4">
-        <h3 className="text-lg font-semibold text-mineshaft-100">CA Certificates</h3>
-        {/* <IconButton
-          ariaLabel="copy icon"
-          variant="plain"
-          className="group relative"
-          onClick={() => {
-            // handlePopUpOpen("addIdentityToProject");
-          }}
-        >
-          <FontAwesomeIcon icon={faPlus} />
-        </IconButton> */}
-      </div>
-      <div className="py-4">
-        <CaCertificatesTable caId={caId} />
-      </div>
-    </div>
-  );
-};

frontend/src/views/Project/CaPage/components/CaCertificatesSection/CaCertificatesTable.tsx

@@ -1,133 +0,0 @@
-import { faCertificate, faEllipsis } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import * as x509 from "@peculiar/x509";
-import { format } from "date-fns";
-import FileSaver from "file-saver";
-import { twMerge } from "tailwind-merge";
-
-import { ProjectPermissionCan } from "@app/components/permissions";
-import {
-  Badge,
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
-  EmptyState,
-  Table,
-  TableContainer,
-  TableSkeleton,
-  TBody,
-  Td,
-  Th,
-  THead,
-  Tr
-} from "@app/components/v2";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
-import { useGetCaCerts } from "@app/hooks/api";
-
-type Props = {
-  caId: string;
-};
-
-export const CaCertificatesTable = ({ caId }: Props) => {
-  const { data: caCerts, isLoading } = useGetCaCerts(caId);
-
-  const downloadTxtFile = (filename: string, content: string) => {
-    const blob = new Blob([content], { type: "text/plain;charset=utf-8" });
-    FileSaver.saveAs(blob, filename);
-  };
-
-  return (
-    <TableContainer>
-      <Table>
-        <THead>
-          <Tr>
-            <Th>CA Certificate #</Th>
-            <Th>Not Before</Th>
-            <Th>Not After</Th>
-            <Th className="w-5" />
-          </Tr>
-        </THead>
-        <TBody>
-          {isLoading && <TableSkeleton columns={4} innerKey="ca-certificates" />}
-          {!isLoading &&
-            caCerts?.map((caCert, index) => {
-              const isLastItem = index === caCerts.length - 1;
-              const caCertObj = new x509.X509Certificate(caCert.certificate);
-              return (
-                <Tr key={`ca-cert=${caCert.serialNumber}`}>
-                  <Td>
-                    <div className="flex items-center">
-                      CA Certificate {caCert.version}
-                      {isLastItem && (
-                        <Badge variant="success" className="ml-4">
-                          Current
-                        </Badge>
-                      )}
-                    </div>
-                  </Td>
-                  <Td>{format(new Date(caCertObj.notBefore), "yyyy-MM-dd")}</Td>
-                  <Td>{format(new Date(caCertObj.notAfter), "yyyy-MM-dd")}</Td>
-                  <Td>
-                    <DropdownMenu>
-                      <DropdownMenuTrigger asChild className="rounded-lg">
-                        <div className="hover:text-primary-400 data-[state=open]:text-primary-400">
-                          <FontAwesomeIcon size="sm" icon={faEllipsis} />
-                        </div>
-                      </DropdownMenuTrigger>
-                      <DropdownMenuContent align="start" className="p-1">
-                        <ProjectPermissionCan
-                          I={ProjectPermissionActions.Edit}
-                          a={ProjectPermissionSub.Identity}
-                        >
-                          {(isAllowed) => (
-                            <DropdownMenuItem
-                              className={twMerge(
-                                !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
-                              )}
-                              onClick={(e) => {
-                                e.stopPropagation();
-                                downloadTxtFile("cert.pem", caCert.certificate);
-                              }}
-                              disabled={!isAllowed}
-                            >
-                              Download CA Certificate
-                            </DropdownMenuItem>
-                          )}
-                        </ProjectPermissionCan>
-                        <ProjectPermissionCan
-                          I={ProjectPermissionActions.Delete}
-                          a={ProjectPermissionSub.Identity}
-                        >
-                          {(isAllowed) => (
-                            <DropdownMenuItem
-                              className={twMerge(
-                                !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
-                              )}
-                              onClick={(e) => {
-                                e.stopPropagation();
-                                downloadTxtFile("chain.pem", caCert.certificateChain);
-                              }}
-                              disabled={!isAllowed}
-                            >
-                              Download CA Certificate Chain
-                            </DropdownMenuItem>
-                          )}
-                        </ProjectPermissionCan>
-                      </DropdownMenuContent>
-                    </DropdownMenu>
-                  </Td>
-                </Tr>
-              );
-            })}
-        </TBody>
-      </Table>
-      {!isLoading && !caCerts?.length && (
-        <EmptyState
-          title="This CA does not have any CA certificates installed"
-          icon={faCertificate}
-        />
-      )}
-    </TableContainer>
-  );
-};

frontend/src/views/Project/CaPage/components/CaCertificatesSection/index.tsx

@@ -1 +0,0 @@
-export { CaCertificatesSection } from "./CaCertificatesSection";

frontend/src/views/Project/CaPage/components/CaDetailsSection.tsx

@@ -1,167 +0,0 @@
-import { faCheck, faCopy } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-import { format } from "date-fns";
-
-import { ProjectPermissionCan } from "@app/components/permissions";
-import { Button, IconButton, Tooltip } from "@app/components/v2";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
-import { useTimedReset } from "@app/hooks";
-import { CaStatus, useGetCaById } from "@app/hooks/api";
-import { caStatusToNameMap, caTypeToNameMap } from "@app/hooks/api/ca/constants";
-import { certKeyAlgorithmToNameMap } from "@app/hooks/api/certificates/constants";
-import { UsePopUpState } from "@app/hooks/usePopUp";
-
-type Props = {
-  caId: string;
-  handlePopUpOpen: (
-    popUpName: keyof UsePopUpState<["ca", "renewCa", "installCaCert"]>,
-    data?: {}
-  ) => void;
-};
-
-export const CaDetailsSection = ({ caId, handlePopUpOpen }: Props) => {
-  const [copyTextId, isCopyingId, setCopyTextId] = useTimedReset<string>({
-    initialState: "Copy ID to clipboard"
-  });
-  const [copyTextParentId, isCopyingParentId, setCopyTextParentId] = useTimedReset<string>({
-    initialState: "Copy ID to clipboard"
-  });
-
-  const { data: ca } = useGetCaById(caId);
-
-  return ca ? (
-    <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
-      <div className="flex items-center justify-between border-b border-mineshaft-400 pb-4">
-        <h3 className="text-lg font-semibold text-mineshaft-100">CA Details</h3>
-      </div>
-      <div className="pt-4">
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">CA ID</p>
-          <div className="group flex align-top">
-            <p className="text-sm text-mineshaft-300">{ca.id}</p>
-            <div className="opacity-0 transition-opacity duration-300 group-hover:opacity-100">
-              <Tooltip content={copyTextId}>
-                <IconButton
-                  ariaLabel="copy icon"
-                  variant="plain"
-                  className="group relative ml-2"
-                  onClick={() => {
-                    navigator.clipboard.writeText(ca.id);
-                    setCopyTextId("Copied");
-                  }}
-                >
-                  <FontAwesomeIcon icon={isCopyingId ? faCheck : faCopy} />
-                </IconButton>
-              </Tooltip>
-            </div>
-          </div>
-        </div>
-        {ca.parentCaId && (
-          <div className="mb-4">
-            <p className="text-sm font-semibold text-mineshaft-300">Parent CA ID</p>
-            <div className="group flex align-top">
-              <p className="text-sm text-mineshaft-300">{ca.parentCaId}</p>
-              <div className="opacity-0 transition-opacity duration-300 group-hover:opacity-100">
-                <Tooltip content={copyTextParentId}>
-                  <IconButton
-                    ariaLabel="copy icon"
-                    variant="plain"
-                    className="group relative ml-2"
-                    onClick={() => {
-                      navigator.clipboard.writeText(ca.parentCaId as string);
-                      setCopyTextParentId("Copied");
-                    }}
-                  >
-                    <FontAwesomeIcon icon={isCopyingParentId ? faCheck : faCopy} />
-                  </IconButton>
-                </Tooltip>
-              </div>
-            </div>
-          </div>
-        )}
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Friendly Name</p>
-          <p className="text-sm text-mineshaft-300">{ca.friendlyName}</p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">CA Type</p>
-          <p className="text-sm text-mineshaft-300">{caTypeToNameMap[ca.type]}</p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Status</p>
-          <p className="text-sm text-mineshaft-300">{caStatusToNameMap[ca.status]}</p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Key Algorithm</p>
-          <p className="text-sm text-mineshaft-300">{certKeyAlgorithmToNameMap[ca.keyAlgorithm]}</p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Max Path Length</p>
-          <p className="text-sm text-mineshaft-300">{ca.maxPathLength ?? "-"}</p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Not Before</p>
-          <p className="text-sm text-mineshaft-300">
-            {ca.notBefore ? format(new Date(ca.notBefore), "yyyy-MM-dd") : "-"}
-          </p>
-        </div>
-        <div className="mb-4">
-          <p className="text-sm font-semibold text-mineshaft-300">Not After</p>
-          <p className="text-sm text-mineshaft-300">
-            {ca.notAfter ? format(new Date(ca.notAfter), "yyyy-MM-dd") : "-"}
-          </p>
-        </div>
-        {ca.status === CaStatus.ACTIVE && (
-          <ProjectPermissionCan
-            I={ProjectPermissionActions.Edit}
-            a={ProjectPermissionSub.CertificateAuthorities}
-          >
-            {(isAllowed) => {
-              return (
-                <Button
-                  isDisabled={!isAllowed}
-                  className="mt-4 w-full"
-                  colorSchema="primary"
-                  type="submit"
-                  onClick={() => {
-                    handlePopUpOpen("renewCa", {
-                      caId
-                    });
-                  }}
-                >
-                  Renew CA
-                </Button>
-              );
-            }}
-          </ProjectPermissionCan>
-        )}
-        {ca.status === CaStatus.PENDING_CERTIFICATE && (
-          <ProjectPermissionCan
-            I={ProjectPermissionActions.Create}
-            a={ProjectPermissionSub.CertificateAuthorities}
-          >
-            {(isAllowed) => {
-              return (
-                <Button
-                  isDisabled={!isAllowed}
-                  className="mt-4 w-full"
-                  colorSchema="primary"
-                  type="submit"
-                  onClick={() => {
-                    handlePopUpOpen("installCaCert", {
-                      caId
-                    });
-                  }}
-                >
-                  Install CA Certificate
-                </Button>
-              );
-            }}
-          </ProjectPermissionCan>
-        )}
-      </div>
-    </div>
-  ) : (
-    <div />
-  );
-};

frontend/src/views/Project/CaPage/components/CaRenewalModal.tsx

@@ -1,182 +0,0 @@
-// import { useEffect } from "react";
-import { Controller, useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-
-import { createNotification } from "@app/components/notifications";
-import {
-  Button,
-  FormControl,
-  Input,
-  Modal,
-  ModalContent,
-  Select,
-  SelectItem
-} from "@app/components/v2";
-import { useWorkspace } from "@app/context";
-import {
-  CaRenewalType,
-  useRenewCa
-  //   useGetCaById,
-  // CaType,
-  //   CaStatus
-} from "@app/hooks/api/ca";
-import { UsePopUpState } from "@app/hooks/usePopUp";
-
-const caRenewalTypes = [{ label: "Renew with same key pair", value: CaRenewalType.EXISTING }];
-
-const isValidDate = (dateString: string) => {
-  const date = new Date(dateString);
-  return !Number.isNaN(date.getTime());
-};
-
-const schema = z
-  .object({
-    type: z.enum([CaRenewalType.EXISTING]),
-    notAfter: z.string().trim().refine(isValidDate, { message: "Invalid date format" })
-  })
-  .required();
-
-export type FormData = z.infer<typeof schema>;
-
-type Props = {
-  popUp: UsePopUpState<["renewCa"]>;
-  handlePopUpToggle: (popUpName: keyof UsePopUpState<["renewCa"]>, state?: boolean) => void;
-};
-
-export const CaRenewalModal = ({ popUp, handlePopUpToggle }: Props) => {
-  const { currentWorkspace } = useWorkspace();
-  const projectSlug = currentWorkspace?.slug || "";
-
-  const popUpData = popUp?.renewCa?.data as {
-    caId: string;
-  };
-
-  //   const { data: ca } = useGetCaById(popUpData?.caId || "");
-  //   const { data: parentCa } = useGetCaById(ca?.parentCaId || "");
-  const { mutateAsync: renewCa } = useRenewCa();
-
-  const {
-    control,
-    handleSubmit,
-    reset,
-    formState: { isSubmitting }
-    // setValue
-  } = useForm<FormData>({
-    resolver: zodResolver(schema),
-    defaultValues: {
-      type: CaRenewalType.EXISTING,
-      notAfter: "" // TODO: consider setting a default value
-    }
-  });
-
-  //   useEffect(() => {
-  //     if (ca && ca.status === CaStatus.ACTIVE) {
-  //       const notBeforeDate = new Date(ca.notBefore as string);
-  //       const notAfterDate = new Date(ca.notAfter as string);
-
-  //       const newNotAfterDate = new Date(
-  //         notAfterDate.getTime() + notAfterDate.getTime() - notBeforeDate.getTime()
-  //       );
-
-  //       setValue("notAfter", newNotAfterDate.toISOString().split("T")[0]);
-  //     }
-  //   }, [ca, parentCa]);
-
-  const onFormSubmit = async ({ type, notAfter }: FormData) => {
-    try {
-      if (!projectSlug || !popUpData.caId) return;
-
-      await renewCa({
-        projectSlug,
-        caId: popUpData.caId,
-        notAfter,
-        type
-      });
-
-      handlePopUpToggle("renewCa", false);
-
-      createNotification({
-        text: "Successfully renewed CA",
-        type: "success"
-      });
-
-      reset();
-    } catch (err) {
-      console.error(err);
-    }
-  };
-
-  return (
-    <Modal
-      isOpen={popUp?.renewCa?.isOpen}
-      onOpenChange={(isOpen) => {
-        handlePopUpToggle("renewCa", isOpen);
-        reset();
-      }}
-    >
-      <ModalContent title="Renew CA">
-        <form onSubmit={handleSubmit(onFormSubmit)}>
-          <Controller
-            control={control}
-            name="type"
-            defaultValue={CaRenewalType.EXISTING}
-            render={({ field: { onChange, ...field }, fieldState: { error } }) => (
-              <FormControl
-                label="CA Renewal Method"
-                errorText={error?.message}
-                isError={Boolean(error)}
-              >
-                <Select
-                  defaultValue={field.value}
-                  {...field}
-                  onValueChange={(e) => onChange(e)}
-                  className="w-full"
-                >
-                  {caRenewalTypes.map(({ label, value }) => (
-                    <SelectItem value={String(value || "")} key={label}>
-                      {label}
-                    </SelectItem>
-                  ))}
-                </Select>
-              </FormControl>
-            )}
-          />
-          <Controller
-            control={control}
-            defaultValue=""
-            name="notAfter"
-            render={({ field, fieldState: { error } }) => (
-              <FormControl
-                label="Valid Until"
-                isError={Boolean(error)}
-                errorText={error?.message}
-                isRequired
-              >
-                <Input {...field} placeholder="YYYY-MM-DD" />
-              </FormControl>
-            )}
-          />
-          <div className="flex items-center">
-            <Button
-              className="mr-4"
-              size="sm"
-              type="submit"
-              isLoading={isSubmitting}
-              isDisabled={isSubmitting}
-            >
-              Renew
-            </Button>
-            <Button
-              colorSchema="secondary"
-              variant="plain"
-              onClick={() => handlePopUpToggle("renewCa", false)}
-            >
-              Cancel
-            </Button>
-          </div>
-        </form>
-      </ModalContent>
-    </Modal>
-  );
-};

frontend/src/views/Project/CaPage/components/index.tsx

@@ -1,3 +0,0 @@
-export { CaCertificatesSection } from "./CaCertificatesSection/CaCertificatesSection";
-export { CaDetailsSection } from "./CaDetailsSection";
-export { CaRenewalModal } from "./CaRenewalModal";

frontend/src/views/Project/CaPage/index.tsx

@@ -1 +0,0 @@
-export { CaPage } from "./CaPage";

frontend/src/views/Project/CertificatesPage/components/CaTab/components/CaTable.tsx

@@ -1,4 +1,3 @@
-import { useRouter } from "next/router";
 import {
   faBan,
   faCertificate,
@@ -13,7 +12,6 @@ import { twMerge } from "tailwind-merge";
 
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
-  Badge,
   DropdownMenu,
   DropdownMenuContent,
   DropdownMenuItem,
@@ -33,14 +31,9 @@ import {
   ProjectPermissionActions,
   ProjectPermissionSub,
   useSubscription,
-  useWorkspace
-} from "@app/context";
+  useWorkspace} from "@app/context";
 import { CaStatus, useListWorkspaceCas } from "@app/hooks/api";
-import {
-  caStatusToNameMap,
-  caTypeToNameMap,
-  getStatusBadgeVariant
-} from "@app/hooks/api/ca/constants";
+import { caStatusToNameMap, caTypeToNameMap } from "@app/hooks/api/ca/constants";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
 type Props = {
@@ -58,13 +51,11 @@ type Props = {
 };
 
 export const CaTable = ({ handlePopUpOpen }: Props) => {
-  const router = useRouter();
   const { subscription } = useSubscription();
   const { currentWorkspace } = useWorkspace();
   const { data, isLoading } = useListWorkspaceCas({
     projectSlug: currentWorkspace?.slug ?? ""
   });
-
   return (
     <div>
       <TableContainer>
@@ -85,26 +76,11 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
               data.length > 0 &&
               data.map((ca) => {
                 return (
-                  <Tr
-                    className="h-10 cursor-pointer transition-colors duration-100 hover:bg-mineshaft-700"
-                    key={`ca-${ca.id}`}
-                    onClick={() => router.push(`/project/${currentWorkspace?.id}/ca/${ca.id}`)}
-                  >
+                  <Tr className="h-10" key={`ca-${ca.id}`}>
                     <Td>{ca.friendlyName}</Td>
-                    <Td>
-                      <Badge variant={getStatusBadgeVariant(ca.status)}>
-                        {caStatusToNameMap[ca.status]}
-                      </Badge>
-                    </Td>
+                    <Td>{caStatusToNameMap[ca.status]}</Td>
                     <Td>{caTypeToNameMap[ca.type]}</Td>
-                    <Td>
-                      <div className="flex items-center ">
-                        <p>{ca.notAfter ? format(new Date(ca.notAfter), "yyyy-MM-dd") : "-"}</p>
-                        {/* <Badge variant="danger" className="ml-4">
-                          Expires Soon
-                        </Badge> */}
-                      </div>
-                    </Td>
+                    <Td>{ca.notAfter ? format(new Date(ca.notAfter), "yyyy-MM-dd") : "-"}</Td>
                     <Td className="flex justify-end">
                       <DropdownMenu>
                         <DropdownMenuTrigger asChild className="rounded-lg">
@@ -126,8 +102,7 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                     !isAllowed &&
                                       "pointer-events-none cursor-not-allowed opacity-50"
                                   )}
-                                  onClick={(e) => {
-                                    e.stopPropagation();
+                                  onClick={async () => {
                                     handlePopUpOpen("installCaCert", {
                                       caId: ca.id
                                     });
@@ -135,7 +110,7 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                   disabled={!isAllowed}
                                   icon={<FontAwesomeIcon icon={faCertificate} />}
                                 >
-                                  Install CA Certificate
+                                  Install Certificate
                                 </DropdownMenuItem>
                               )}
                             </ProjectPermissionCan>
@@ -151,8 +126,7 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                     !isAllowed &&
                                       "pointer-events-none cursor-not-allowed opacity-50"
                                   )}
-                                  onClick={(e) => {
-                                    e.stopPropagation();
+                                  onClick={async () => {
                                     handlePopUpOpen("caCert", {
                                       caId: ca.id
                                     });
@@ -176,8 +150,7 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                     !isAllowed &&
                                       "pointer-events-none cursor-not-allowed opacity-50"
                                   )}
-                                  onClick={(e) => {
-                                    e.stopPropagation();
+                                  onClick={async () => {
                                     if (!subscription?.caCrl) {
                                       handlePopUpOpen("upgradePlan", {
                                         description:
@@ -206,12 +179,11 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                 className={twMerge(
                                   !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
                                 )}
-                                onClick={(e) => {
-                                  e.stopPropagation();
+                                onClick={async () =>
                                   handlePopUpOpen("ca", {
                                     caId: ca.id
-                                  });
-                                }}
+                                  })
+                                }
                                 disabled={!isAllowed}
                                 icon={<FontAwesomeIcon icon={faEye} />}
                               >
@@ -230,16 +202,15 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                     !isAllowed &&
                                       "pointer-events-none cursor-not-allowed opacity-50"
                                   )}
-                                  onClick={(e) => {
-                                    e.stopPropagation();
+                                  onClick={async () =>
                                     handlePopUpOpen("caStatus", {
                                       caId: ca.id,
                                       status:
                                         ca.status === CaStatus.ACTIVE
                                           ? CaStatus.DISABLED
                                           : CaStatus.ACTIVE
-                                    });
-                                  }}
+                                    })
+                                  }
                                   disabled={!isAllowed}
                                   icon={<FontAwesomeIcon icon={faBan} />}
                                 >
@@ -257,13 +228,12 @@ export const CaTable = ({ handlePopUpOpen }: Props) => {
                                 className={twMerge(
                                   !isAllowed && "pointer-events-none cursor-not-allowed opacity-50"
                                 )}
-                                onClick={(e) => {
-                                  e.stopPropagation();
+                                onClick={async () =>
                                   handlePopUpOpen("deleteCa", {
                                     caId: ca.id,
                                     dn: ca.dn
-                                  });
-                                }}
+                                  })
+                                }
                                 disabled={!isAllowed}
                                 icon={<FontAwesomeIcon icon={faTrash} />}
                               >

frontend/src/views/admin/DashboardPage/RateLimitPanel.tsx

@@ -15,7 +15,6 @@ const formSchema = z.object({
   authRateLimit: z.number(),
   inviteUserRateLimit: z.number(),
   mfaRateLimit: z.number(),
-  creationLimit: z.number(),
   publicEndpointLimit: z.number()
 });
 
@@ -41,7 +40,6 @@ export const RateLimitPanel = () => {
       authRateLimit: rateLimit?.authRateLimit ?? 60,
       inviteUserRateLimit: rateLimit?.inviteUserRateLimit ?? 30,
       mfaRateLimit: rateLimit?.mfaRateLimit ?? 20,
-      creationLimit: rateLimit?.creationLimit ?? 30,
       publicEndpointLimit: rateLimit?.publicEndpointLimit ?? 30
     }
   });
@@ -60,7 +58,6 @@ export const RateLimitPanel = () => {
         authRateLimit,
         inviteUserRateLimit,
         mfaRateLimit,
-        creationLimit,
         publicEndpointLimit
       } = formData;
 
@@ -71,7 +68,6 @@ export const RateLimitPanel = () => {
         authRateLimit,
         inviteUserRateLimit,
         mfaRateLimit,
-        creationLimit,
         publicEndpointLimit
       });
       createNotification({
@@ -210,25 +206,6 @@ export const RateLimitPanel = () => {
             </FormControl>
           )}
         />
-        <Controller
-          control={control}
-          defaultValue={300}
-          name="creationLimit"
-          render={({ field, fieldState: { error } }) => (
-            <FormControl
-              label="New resource creation requests per minute"
-              className="w-72"
-              isError={Boolean(error)}
-              errorText={error?.message}
-            >
-              <Input
-                {...field}
-                value={field.value || ""}
-                onChange={(e) => field.onChange(Number(e.target.value))}
-              />
-            </FormControl>
-          )}
-        />
         <Controller
           control={control}
           defaultValue={300}