Revert "Revert "Add support for Identity-Based Pricing""

Revert "Add support for Identity-Based Pricing"

.infisicalignore

@@ -5,3 +5,4 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/M
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
+docs/mint.json:generic-api-key:651

backend/src/db/migrations/20240624221840_certificate-alt-names.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    const hasAltNamesColumn = await knex.schema.hasColumn(TableName.Certificate, "altNames");
+    if (!hasAltNamesColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.string("altNames").defaultTo("");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Certificate)) {
+    if (await knex.schema.hasColumn(TableName.Certificate, "altNames")) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.dropColumn("altNames");
+      });
+    }
+  }
+}

backend/src/db/schemas/certificates.ts

@@ -19,7 +19,8 @@ export const CertificatesSchema = z.object({
   notBefore: z.date(),
   notAfter: z.date(),
   revokedAt: z.date().nullable().optional(),
-  revocationReason: z.number().nullable().optional()
+  revocationReason: z.number().nullable().optional(),
+  altNames: z.string().default("").nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/projects.ts

@@ -17,8 +17,8 @@ export const ProjectsSchema = z.object({
   updatedAt: z.date(),
   version: z.number().default(1),
   upgradeStatus: z.string().nullable().optional(),
-  kmsCertificateKeyId: z.string().uuid().nullable().optional(),
-  pitVersionLimit: z.number().default(10)
+  pitVersionLimit: z.number().default(10),
+  kmsCertificateKeyId: z.string().uuid().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -65,25 +65,31 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH = "revoke-identity-universal-auth",
   LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
   ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
   UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
   GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
+  REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
   LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
   ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
   UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
   GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
   GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
+  REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -434,6 +440,13 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
+interface DeleteIdentityUniversalAuthEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityKubernetesAuthEvent {
   type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
   metadata: {
@@ -457,6 +470,13 @@ interface AddIdentityKubernetesAuthEvent {
   };
 }
 
+interface DeleteIdentityKubernetesAuthEvent {
+  type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityKubernetesAuthEvent {
   type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
   metadata: {
@@ -493,6 +513,14 @@ interface GetIdentityUniversalAuthClientSecretsEvent {
   };
 }
 
+interface GetIdentityUniversalAuthClientSecretByIdEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
 interface RevokeIdentityUniversalAuthClientSecretEvent {
   type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -525,6 +553,13 @@ interface AddIdentityGcpAuthEvent {
   };
 }
 
+interface DeleteIdentityGcpAuthEvent {
+  type: EventType.REVOKE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityGcpAuthEvent {
   type: EventType.UPDATE_IDENTITY_GCP_AUTH;
   metadata: {
@@ -570,6 +605,13 @@ interface AddIdentityAwsAuthEvent {
   };
 }
 
+interface DeleteIdentityAwsAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAwsAuthEvent {
   type: EventType.UPDATE_IDENTITY_AWS_AUTH;
   metadata: {
@@ -613,6 +655,13 @@ interface AddIdentityAzureAuthEvent {
   };
 }
 
+interface DeleteIdentityAzureAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAzureAuthEvent {
   type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -1003,24 +1052,30 @@ export type Event =
   | LoginIdentityUniversalAuthEvent
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
+  | DeleteIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
   | LoginIdentityKubernetesAuthEvent
+  | DeleteIdentityKubernetesAuthEvent
   | AddIdentityKubernetesAuthEvent
   | UpdateIdentityKubernetesAuthEvent
   | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
+  | GetIdentityUniversalAuthClientSecretByIdEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
   | LoginIdentityGcpAuthEvent
   | AddIdentityGcpAuthEvent
+  | DeleteIdentityGcpAuthEvent
   | UpdateIdentityGcpAuthEvent
   | GetIdentityGcpAuthEvent
   | LoginIdentityAwsAuthEvent
   | AddIdentityAwsAuthEvent
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
+  | DeleteIdentityAwsAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
+  | DeleteIdentityAzureAuthEvent
   | UpdateIdentityAzureAuthEvent
   | GetIdentityAzureAuthEvent
   | CreateEnvironmentEvent

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -450,6 +450,21 @@ export const ldapConfigServiceFactory = ({
         }
       });
     } else {
+      const plan = await licenseService.getPlan(orgId);
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
       userAlias = await userDAL.transaction(async (tx) => {
         let newUser: TUsers | undefined;
         if (serverCfg.trustSamlEmails) {

backend/src/ee/services/license/__mocks__/licence-fns.ts

@@ -7,6 +7,8 @@ export const getDefaultOnPremFeatures = () => {
     workspacesUsed: 0,
     memberLimit: null,
     membersUsed: 0,
+    identityLimit: null,
+    identitiesUsed: 0,
     environmentLimit: null,
     environmentsUsed: 0,
     secretVersioning: true,

backend/src/ee/services/license/licence-fns.ts

@@ -15,6 +15,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   membersUsed: 0,
   environmentLimit: null,
   environmentsUsed: 0,
+  identityLimit: null,
+  identitiesUsed: 0,
   dynamicSecret: false,
   secretVersioning: true,
   pitRecovery: false,

backend/src/ee/services/license/license-dal.ts

@@ -19,11 +19,44 @@ export const licenseDALFactory = (db: TDbClient) => {
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.Users}.isGhost`, false)
         .count();
-      return doc?.[0].count;
+      return Number(doc?.[0].count);
     } catch (error) {
       throw new DatabaseError({ error, name: "Count of Org Members" });
     }
   };
 
-  return { countOfOrgMembers };
+  const countOrgUsersAndIdentities = async (orgId: string | null, tx?: Knex) => {
+    try {
+      // count org users
+      const userDoc = await (tx || db)(TableName.OrgMembership)
+        .where({ status: OrgMembershipStatus.Accepted })
+        .andWhere((bd) => {
+          if (orgId) {
+            void bd.where({ orgId });
+          }
+        })
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.Users}.isGhost`, false)
+        .count();
+
+      const userCount = Number(userDoc?.[0].count);
+
+      // count org identities
+      const identityDoc = await (tx || db)(TableName.IdentityOrgMembership)
+        .where((bd) => {
+          if (orgId) {
+            void bd.where({ orgId });
+          }
+        })
+        .count();
+
+      const identityCount = Number(identityDoc?.[0].count);
+
+      return userCount + identityCount;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Count of Org Users + Identities" });
+    }
+  };
+
+  return { countOfOrgMembers, countOrgUsersAndIdentities };
 };

backend/src/ee/services/license/license-service.ts

@@ -155,6 +155,7 @@ export const licenseServiceFactory = ({
           LICENSE_SERVER_CLOUD_PLAN_TTL,
           JSON.stringify(currentPlan)
         );
+
         return currentPlan;
       }
     } catch (error) {
@@ -204,16 +205,22 @@ export const licenseServiceFactory = ({
       const org = await orgDAL.findOrgById(orgId);
       if (!org) throw new BadRequestError({ message: "Org not found" });
 
-      const count = await licenseDAL.countOfOrgMembers(orgId);
+      const quantity = await licenseDAL.countOfOrgMembers(orgId);
+      const quantityIdentities = await licenseDAL.countOrgUsersAndIdentities(orgId);
       if (org?.customerId) {
         await licenseServerCloudApi.request.patch(`/api/license-server/v1/customers/${org.customerId}/cloud-plan`, {
-          quantity: count
+          quantity,
+          quantityIdentities
         });
       }
       await keyStore.deleteItem(FEATURE_CACHE_KEY(orgId));
     } else if (instanceType === InstanceType.EnterpriseOnPrem) {
       const usedSeats = await licenseDAL.countOfOrgMembers(null);
-      await licenseServerOnPremApi.request.patch(`/api/license/v1/license`, { usedSeats });
+      const usedIdentitySeats = await licenseDAL.countOrgUsersAndIdentities(null);
+      await licenseServerOnPremApi.request.patch(`/api/license/v1/license`, {
+        usedSeats,
+        usedIdentitySeats
+      });
     }
     await refreshPlan(orgId);
   };

backend/src/ee/services/license/license-types.ts

@@ -31,6 +31,8 @@ export type TFeatureSet = {
   dynamicSecret: false;
   memberLimit: null;
   membersUsed: 0;
+  identityLimit: null;
+  identitiesUsed: 0;
   environmentLimit: null;
   environmentsUsed: 0;
   secretVersioning: true;

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -380,6 +380,21 @@ export const samlConfigServiceFactory = ({
         return foundUser;
       });
     } else {
+      const plan = await licenseService.getPlan(orgId);
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+        // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+        throw new BadRequestError({
+          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
+        });
+      }
+
       user = await userDAL.transaction(async (tx) => {
         let newUser: TUsers | undefined;
         if (serverCfg.trustSamlEmails) {

backend/src/lib/api-docs/constants.ts

@@ -42,6 +42,13 @@ export const IDENTITIES = {
   },
   DELETE: {
     identityId: "The ID of the identity to delete."
+  },
+  GET_BY_ID: {
+    identityId: "The ID of the identity to get details.",
+    orgId: "The ID of the org of the identity"
+  },
+  LIST: {
+    orgId: "The ID of the organization to list identities."
   }
 } as const;
 
@@ -65,6 +72,9 @@ export const UNIVERSAL_AUTH = {
   RETRIEVE: {
     identityId: "The ID of the identity to retrieve."
   },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  },
   UPDATE: {
     identityId: "The ID of the identity to update.",
     clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
@@ -83,6 +93,10 @@ export const UNIVERSAL_AUTH = {
   LIST_CLIENT_SECRETS: {
     identityId: "The ID of the identity to list client secrets for."
   },
+  GET_CLIENT_SECRET: {
+    identityId: "The ID of the identity to get the client secret from.",
+    clientSecretId: "The ID of the client secret to get details."
+  },
   REVOKE_CLIENT_SECRET: {
     identityId: "The ID of the identity to revoke the client secret from.",
     clientSecretId: "The ID of the client secret to revoke."
@@ -104,6 +118,27 @@ export const AWS_AUTH = {
     iamRequestBody:
       "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
     iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const AZURE_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const GCP_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const KUBERNETES_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
   }
 } as const;
 
@@ -347,6 +382,7 @@ export const RAW_SECRETS = {
     tagIds: "The ID of the tags to be attached to the created secret."
   },
   GET: {
+    expand: "Whether or not to expand secret references",
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
     workspaceSlug: "The slug of the project to get the secret from.",
@@ -804,6 +840,8 @@ export const CERTIFICATE_AUTHORITIES = {
     caId: "The ID of the CA to issue the certificate from",
     friendlyName: "A friendly name for the certificate",
     commonName: "The common name (CN) for the certificate",
+    altNames:
+      "A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses.",
     ttl: "The time to live for the certificate such as 1m, 1h, 1d, 1y, ...",
     notBefore: "The date and time when the certificate becomes valid in YYYY-MM-DDTHH:mm:ss.sssZ format",
     notAfter: "The date and time when the certificate expires in YYYY-MM-DDTHH:mm:ss.sssZ format",

backend/src/server/routes/index.ts

@@ -806,7 +806,8 @@ export const registerRoutes = async (
   const identityService = identityServiceFactory({
     permissionService,
     identityDAL,
-    identityOrgMembershipDAL
+    identityOrgMembershipDAL,
+    licenseService
   });
   const identityAccessTokenService = identityAccessTokenServiceFactory({
     identityAccessTokenDAL,

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -9,7 +9,10 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus, CaType } from "@app/services/certificate-authority/certificate-authority-types";
-import { validateCaDateField } from "@app/services/certificate-authority/certificate-authority-validators";
+import {
+  validateAltNamesField,
+  validateCaDateField
+} from "@app/services/certificate-authority/certificate-authority-validators";
 
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -452,6 +455,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         .object({
           friendlyName: z.string().optional().describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.friendlyName),
           commonName: z.string().trim().min(1).describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.commonName),
+          altNames: validateAltNamesField.describe(CERTIFICATE_AUTHORITIES.ISSUE_CERT.altNames),
           ttl: z
             .string()
             .refine((val) => ms(val) > 0, "TTL must be a positive number")

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -266,4 +266,51 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       return { identityAwsAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AWS_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.revokeIdentityAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityAzureAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AZURE_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -259,4 +260,51 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       return { identityAzureAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AZURE_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.revokeIdentityAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityGcpAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { GCP_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -265,4 +266,51 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       return { identityGcpAuth };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(GCP_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.revokeIdentityGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KUBERNETES_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -280,4 +281,54 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
     }
   });
+
+  server.route({
+    method: "DELETE",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(KUBERNETES_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.omit({
+            caCert: true,
+            tokenReviewerJwt: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.revokeIdentityKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
 };

backend/src/server/routes/v1/identity-router.ts

@@ -1,9 +1,9 @@
 import { z } from "zod";
 
-import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
+import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -170,4 +170,94 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       return { identity };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get an identity by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(IDENTITIES.GET_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identity: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.identity.getIdentityById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.identityId
+      });
+
+      return { identity };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "List identities",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        orgId: z.string().describe(IDENTITIES.LIST.orgId)
+      }),
+      response: {
+        200: z.object({
+          identities: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const identities = await server.services.identity.listOrgIdentities({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.query.orgId
+      });
+
+      return { identities };
+    }
+  });
 };

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -134,7 +134,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.attachUa({
+      const identityUniversalAuth = await server.services.identityUa.attachUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
@@ -219,7 +219,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.updateUa({
+      const identityUniversalAuth = await server.services.identityUa.updateUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorOrgId: req.permission.orgId,
@@ -272,7 +272,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
+      const identityUniversalAuth = await server.services.identityUa.getIdentityUniversalAuth({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
@@ -295,6 +295,53 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "DELETE",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Universal Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityUniversalAuth: IdentityUniversalAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityUniversalAuth = await server.services.identityUa.revokeIdentityUniversalAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityUniversalAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH,
+          metadata: {
+            identityId: identityUniversalAuth.identityId
+          }
+        }
+      });
+
+      return { identityUniversalAuth };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/universal-auth/identities/:identityId/client-secrets",
@@ -325,14 +372,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId,
-        ...req.body
-      });
+      const { clientSecret, clientSecretData, orgId } =
+        await server.services.identityUa.createUniversalAuthClientSecret({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId,
+          ...req.body
+        });
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -374,13 +422,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId
-      });
+      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUniversalAuthClientSecrets(
+        {
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId
+        }
+      );
 
       await server.services.auditLog.createAuditLog({
         ...req.auditLogInfo,
@@ -396,6 +446,56 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get Universal Auth Client Secret for identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.clientSecretId)
+      }),
+      response: {
+        200: z.object({
+          clientSecretData: sanitizedClientSecretSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const clientSecretData = await server.services.identityUa.getUniversalAuthClientSecretById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId,
+        clientSecretId: req.params.clientSecretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: clientSecretData.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+          metadata: {
+            identityId: clientSecretData.identityId,
+            clientSecretId: clientSecretData.id
+          }
+        }
+      });
+
+      return { clientSecretData };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
@@ -421,7 +521,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
+      const clientSecretData = await server.services.identityUa.revokeUniversalAuthClientSecret({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,

backend/src/server/routes/v1/index.ts

@@ -9,7 +9,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
-import { registerIdentityUaRouter } from "./identity-ua";
+import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";

backend/src/server/routes/v3/secret-router.ts

@@ -300,6 +300,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.expand),
         include_imports: z
           .enum(["true", "false"])
           .default("false")
@@ -344,6 +349,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
+        expandSecretReferences: req.query.expandSecretReferences,
         environment,
         projectId: workspaceId,
         projectSlug: workspaceSlug,

backend/src/services/auth/auth-login-service.ts

@@ -354,9 +354,12 @@ export const authLoginServiceFactory = ({
     // Check if the user actually has access to the specified organization.
     const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
     const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
+    const selectedOrg = await orgDAL.findById(organizationId);
 
     if (!hasOrganizationMembership) {
-      throw new UnauthorizedError({ message: "User does not have access to the organization" });
+      throw new UnauthorizedError({
+        message: `User does not have access to the organization named ${selectedOrg?.name}`
+      });
     }
 
     await tokenDAL.incrementTokenSessionVersion(user.id, decodedToken.tokenVersionId);

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -3,6 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import crypto, { KeyObject } from "crypto";
 import ms from "ms";
+import { z } from "zod";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -38,6 +39,7 @@ import {
   TSignIntermediateDTO,
   TUpdateCaDTO
 } from "./certificate-authority-types";
+import { hostnameRegex } from "./certificate-authority-validators";
 
 type TCertificateAuthorityServiceFactoryDep = {
   certificateAuthorityDAL: Pick<
@@ -653,6 +655,7 @@ export const certificateAuthorityServiceFactory = ({
     caId,
     friendlyName,
     commonName,
+    altNames,
     ttl,
     notBefore,
     notAfter,
@@ -738,6 +741,45 @@ export const certificateAuthorityServiceFactory = ({
       kmsService
     });
 
+    const extensions: x509.Extension[] = [
+      new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
+      new x509.BasicConstraintsExtension(false),
+      await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
+      await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
+    ];
+
+    if (altNames) {
+      const altNamesArray: {
+        type: "email" | "dns";
+        value: string;
+      }[] = altNames
+        .split(",")
+        .map((name) => name.trim())
+        .map((altName) => {
+          // check if the altName is a valid email
+          if (z.string().email().safeParse(altName).success) {
+            return {
+              type: "email",
+              value: altName
+            };
+          }
+
+          // check if the altName is a valid hostname
+          if (hostnameRegex.test(altName)) {
+            return {
+              type: "dns",
+              value: altName
+            };
+          }
+
+          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
+          throw new Error(`Invalid altName: ${altName}`);
+        });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
+    }
+
     const serialNumber = crypto.randomBytes(32).toString("hex");
     const leafCert = await x509.X509CertificateGenerator.create({
       serialNumber,
@@ -748,12 +790,7 @@ export const certificateAuthorityServiceFactory = ({
       signingKey: caPrivateKey,
       publicKey: csrObj.publicKey,
       signingAlgorithm: alg,
-      extensions: [
-        new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature | x509.KeyUsageFlags.keyEncipherment, true),
-        new x509.BasicConstraintsExtension(false),
-        await x509.AuthorityKeyIdentifierExtension.create(caCertObj, false),
-        await x509.SubjectKeyIdentifierExtension.create(csrObj.publicKey)
-      ]
+      extensions
     });
 
     const skLeafObj = KeyObject.from(leafKeys.privateKey);
@@ -771,6 +808,7 @@ export const certificateAuthorityServiceFactory = ({
           status: CertStatus.ACTIVE,
           friendlyName: friendlyName || commonName,
           commonName,
+          altNames,
           serialNumber,
           notBefore: notBeforeDate,
           notAfter: notAfterDate

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -75,6 +75,7 @@ export type TIssueCertFromCaDTO = {
   caId: string;
   friendlyName?: string;
   commonName: string;
+  altNames: string;
   ttl: string;
   notBefore?: string;
   notAfter?: string;

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -6,3 +6,29 @@ const isValidDate = (dateString: string) => {
 };
 
 export const validateCaDateField = z.string().trim().refine(isValidDate, { message: "Invalid date format" });
+
+export const hostnameRegex = /^(?!:\/\/)([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+export const validateAltNamesField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    // Trim each alt name and join with ', ' to ensure formatting
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  })
+  .refine(
+    (data) => {
+      if (data === "") return true;
+      // Split and validate each alt name
+      return data.split(", ").every((name) => {
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success;
+      });
+    },
+    {
+      message: "Each alt name must be a valid hostname or email address"
+    }
+  );

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -7,11 +7,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -24,12 +25,13 @@ import {
   TGetAwsAuthDTO,
   TGetCallerIdentityResponse,
   TLoginAwsAuthDTO,
+  TRevokeAwsAuthDTO,
   TUpdateAwsAuthDTO
 } from "./identity-aws-auth-types";
 
 type TIdentityAwsAuthServiceFactoryDep = {
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -301,10 +303,54 @@ export const identityAwsAuthServiceFactory = ({
     return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityAwsAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have aws auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke aws auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAwsAuth;
+  };
+
   return {
     login,
     attachAwsAuth,
     updateAwsAuth,
-    getAwsAuth
+    getAwsAuth,
+    revokeIdentityAwsAuth
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -52,3 +52,7 @@ export type TGetCallerIdentityResponse = {
     ResponseMetadata: { RequestId: string };
   };
 };
+
+export type TRevokeAwsAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -20,11 +21,15 @@ import {
   TAttachAzureAuthDTO,
   TGetAzureAuthDTO,
   TLoginAzureAuthDTO,
+  TRevokeAzureAuthDTO,
   TUpdateAzureAuthDTO
 } from "./identity-azure-auth-types";
 
 type TIdentityAzureAuthServiceFactoryDep = {
-  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAzureAuthDAL: Pick<
+    TIdentityAzureAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
@@ -277,10 +282,54 @@ export const identityAzureAuthServiceFactory = ({
     return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityAzureAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have azure auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke azure auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAzureAuth;
+  };
+
   return {
     login,
     attachAzureAuth,
     updateAzureAuth,
-    getAzureAuth
+    getAzureAuth,
+    revokeIdentityAzureAuth
   };
 };

backend/src/services/identity-azure-auth/identity-azure-auth-types.ts

@@ -118,3 +118,7 @@ export type TDecodedAzureAuthJwt = {
     [key: string]: string;
   };
 };
+
+export type TRevokeAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -21,11 +22,12 @@ import {
   TGcpIdentityDetails,
   TGetGcpAuthDTO,
   TLoginGcpAuthDTO,
+  TRevokeGcpAuthDTO,
   TUpdateGcpAuthDTO
 } from "./identity-gcp-auth-types";
 
 type TIdentityGcpAuthServiceFactoryDep = {
-  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityDAL: Pick<TIdentityDALFactory, "updateById">;
@@ -315,10 +317,54 @@ export const identityGcpAuthServiceFactory = ({
     return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityGcpAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have gcp auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke gcp auth of identity with more privileged role"
+      });
+
+    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityGcpAuth;
+  };
+
   return {
     login,
     attachGcpAuth,
     updateGcpAuth,
-    getGcpAuth
+    getGcpAuth,
+    revokeIdentityGcpAuth
   };
 };

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -76,3 +76,7 @@ export type TDecodedGcpIamAuthJwt = {
     [key: string]: string;
   };
 };
+
+export type TRevokeGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -7,6 +7,7 @@ import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate }
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import {
   decryptSymmetric,
@@ -16,11 +17,11 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 
-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@@ -32,13 +33,14 @@ import {
   TCreateTokenReviewResponse,
   TGetKubernetesAuthDTO,
   TLoginKubernetesAuthDTO,
+  TRevokeKubernetesAuthDTO,
   TUpdateKubernetesAuthDTO
 } from "./identity-kubernetes-auth-types";
 
 type TIdentityKubernetesAuthServiceFactoryDep = {
   identityKubernetesAuthDAL: Pick<
     TIdentityKubernetesAuthDALFactory,
-    "create" | "findOne" | "transaction" | "updateById"
+    "create" | "findOne" | "transaction" | "updateById" | "delete"
   >;
   identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
@@ -533,10 +535,54 @@ export const identityKubernetesAuthServiceFactory = ({
     return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
   };
 
+  const revokeIdentityKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have kubenetes auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke kubenetes auth of identity with more privileged role"
+      });
+
+    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityKubernetesAuth;
+  };
+
   return {
     login,
     attachKubernetesAuth,
     updateKubernetesAuth,
-    getKubernetesAuth
+    getKubernetesAuth,
+    revokeIdentityKubernetesAuth
   };
 };

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -59,3 +59,7 @@ export type TCreateTokenReviewResponse = {
   };
   status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
 };
+
+export type TRevokeKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -25,7 +25,9 @@ import {
   TCreateUaClientSecretDTO,
   TGetUaClientSecretsDTO,
   TGetUaDTO,
+  TGetUniversalAuthClientSecretByIdDTO,
   TRevokeUaClientSecretDTO,
+  TRevokeUaDTO,
   TUpdateUaDTO
 } from "./identity-ua-types";
 
@@ -136,7 +138,7 @@ export const identityUaServiceFactory = ({
     return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };
   };
 
-  const attachUa = async ({
+  const attachUniversalAuth = async ({
     accessTokenMaxTTL,
     identityId,
     accessTokenNumUsesLimit,
@@ -227,7 +229,7 @@ export const identityUaServiceFactory = ({
     return { ...identityUa, orgId: identityMembershipOrg.orgId };
   };
 
-  const updateUa = async ({
+  const updateUniversalAuth = async ({
     accessTokenMaxTTL,
     identityId,
     accessTokenNumUsesLimit,
@@ -312,7 +314,7 @@ export const identityUaServiceFactory = ({
     return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const getIdentityUa = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
+  const getIdentityUniversalAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
     if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
     if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@@ -333,7 +335,50 @@ export const identityUaServiceFactory = ({
     return { ...uaIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
-  const createUaClientSecret = async ({
+  const revokeIdentityUniversalAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeUaDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke universal auth of identity with more privileged role"
+      });
+
+    const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
+      const deletedUniversalAuth = await identityUaDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedUniversalAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityUniversalAuth;
+  };
+
+  const createUniversalAuthClientSecret = async ({
     actor,
     actorId,
     actorOrgId,
@@ -396,7 +441,7 @@ export const identityUaServiceFactory = ({
     };
   };
 
-  const getUaClientSecrets = async ({
+  const getUniversalAuthClientSecrets = async ({
     actor,
     actorId,
     actorOrgId,
@@ -442,7 +487,47 @@ export const identityUaServiceFactory = ({
     return { clientSecrets, orgId: identityMembershipOrg.orgId };
   };
 
-  const revokeUaClientSecret = async ({
+  const getUniversalAuthClientSecretById = async ({
+    identityId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    clientSecretId
+  }: TGetUniversalAuthClientSecretByIdDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to read identity client secret of project with more privileged role"
+      });
+
+    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
+    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeUniversalAuthClientSecret = async ({
     identityId,
     actorId,
     actor,
@@ -475,7 +560,7 @@ export const identityUaServiceFactory = ({
     const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
     if (!hasPriviledge)
       throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
+        message: "Failed to revoke identity client secret with more privileged role"
       });
 
     const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
@@ -486,11 +571,13 @@ export const identityUaServiceFactory = ({
 
   return {
     login,
-    attachUa,
-    updateUa,
-    getIdentityUa,
-    createUaClientSecret,
-    getUaClientSecrets,
-    revokeUaClientSecret
+    attachUniversalAuth,
+    updateUniversalAuth,
+    getIdentityUniversalAuth,
+    revokeIdentityUniversalAuth,
+    createUniversalAuthClientSecret,
+    getUniversalAuthClientSecrets,
+    revokeUniversalAuthClientSecret,
+    getUniversalAuthClientSecretById
   };
 };

backend/src/services/identity-ua/identity-ua-types.ts

@@ -22,6 +22,10 @@ export type TGetUaDTO = {
   identityId: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TRevokeUaDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateUaClientSecretDTO = {
   identityId: string;
   description: string;
@@ -37,3 +41,8 @@ export type TRevokeUaClientSecretDTO = {
   identityId: string;
   clientSecretId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetUniversalAuthClientSecretByIdDTO = {
+  identityId: string;
+  clientSecretId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity/identity-org-dal.ts

@@ -27,10 +27,10 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findByOrgId = async (orgId: string, tx?: Knex) => {
+  const find = async (filter: Partial<TIdentityOrgMemberships>, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.IdentityOrgMembership)
-        .where(`${TableName.IdentityOrgMembership}.orgId`, orgId)
+        .where(filter)
         .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
         .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
         .select(selectAllTableCols(TableName.IdentityOrgMembership))
@@ -79,5 +79,5 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...identityOrgOrm, findOne, findByOrgId };
+  return { ...identityOrgOrm, find, findOne };
 };

backend/src/services/identity/identity-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@@ -10,12 +11,13 @@ import { TOrgPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
-import { TCreateIdentityDTO, TDeleteIdentityDTO, TUpdateIdentityDTO } from "./identity-types";
+import { TCreateIdentityDTO, TDeleteIdentityDTO, TGetIdentityByIdDTO, TUpdateIdentityDTO } from "./identity-types";
 
 type TIdentityServiceFactoryDep = {
   identityDAL: TIdentityDALFactory;
   identityOrgMembershipDAL: TIdentityOrgDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
 };
 
 export type TIdentityServiceFactory = ReturnType<typeof identityServiceFactory>;
@@ -23,7 +25,8 @@ export type TIdentityServiceFactory = ReturnType<typeof identityServiceFactory>;
 export const identityServiceFactory = ({
   identityDAL,
   identityOrgMembershipDAL,
-  permissionService
+  permissionService,
+  licenseService
 }: TIdentityServiceFactoryDep) => {
   const createIdentity = async ({
     name,
@@ -45,6 +48,14 @@ export const identityServiceFactory = ({
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
     if (!hasRequiredPriviledges) throw new BadRequestError({ message: "Failed to create a more privileged identity" });
 
+    const plan = await licenseService.getPlan(orgId);
+    if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+      throw new BadRequestError({
+        message: "Failed to create identity due to identity limit reached. Upgrade plan to create more identities."
+      });
+    }
+
     const identity = await identityDAL.transaction(async (tx) => {
       const newIdentity = await identityDAL.create({ name }, tx);
       await identityOrgMembershipDAL.create(
@@ -58,6 +69,7 @@ export const identityServiceFactory = ({
       );
       return newIdentity;
     });
+    await licenseService.updateSubscriptionOrgMemberCount(orgId);
 
     return identity;
   };
@@ -126,6 +138,24 @@ export const identityServiceFactory = ({
     return { ...identity, orgId: identityOrgMembership.orgId };
   };
 
+  const getIdentityById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetIdentityByIdDTO) => {
+    const doc = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.identityId` as "identityId"]: id
+    });
+    const identity = doc[0];
+    if (!identity) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identity.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    return identity;
+  };
+
   const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
@@ -150,6 +180,9 @@ export const identityServiceFactory = ({
       throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
     const deletedIdentity = await identityDAL.deleteById(id);
+
+    await licenseService.updateSubscriptionOrgMemberCount(identityOrgMembership.orgId);
+
     return { ...deletedIdentity, orgId: identityOrgMembership.orgId };
   };
 
@@ -157,7 +190,9 @@ export const identityServiceFactory = ({
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
-    const identityMemberships = await identityOrgMembershipDAL.findByOrgId(orgId);
+    const identityMemberships = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.orgId` as "orgId"]: orgId
+    });
     return identityMemberships;
   };
 
@@ -165,6 +200,7 @@ export const identityServiceFactory = ({
     createIdentity,
     updateIdentity,
     deleteIdentity,
-    listOrgIdentities
+    listOrgIdentities,
+    getIdentityById
   };
 };

backend/src/services/identity/identity-types.ts

@@ -16,6 +16,10 @@ export type TDeleteIdentityDTO = {
   id: string;
 } & Omit<TOrgPermission, "orgId">;
 
+export type TGetIdentityByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
 export interface TIdentityTrustedIp {
   ipAddress: string;
   type: IPType;

backend/src/services/org/org-service.ts

@@ -420,13 +420,20 @@ export const orgServiceFactory = ({
     }
 
     const plan = await licenseService.getPlan(orgId);
-    if (plan.memberLimit !== null && plan.membersUsed >= plan.memberLimit) {
-      // case: limit imposed on number of members allowed
-      // case: number of members used exceeds the number of members allowed
+    if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
       throw new BadRequestError({
         message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
       });
     }
+
+    if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+      throw new BadRequestError({
+        message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+      });
+    }
+
     const invitee = await orgDAL.transaction(async (tx) => {
       const inviteeUser = await userDAL.findUserByUsername(inviteeEmail, tx);
       if (inviteeUser) {

backend/src/services/secret-blind-index/secret-blind-index-dal.ts

@@ -30,7 +30,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
         .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.Secret}.folderId`)
         .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
         .where({ projectId })
-        .whereNull("secretBlindIndex")
         .select(selectAllTableCols(TableName.Secret))
         .select(
           db.ref("slug").withSchema(TableName.Environment).as("environment"),
@@ -49,7 +48,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
         .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
         .where({ projectId })
         .whereIn(`${TableName.Secret}.id`, secretIds)
-        .whereNull("secretBlindIndex")
         .select(selectAllTableCols(TableName.Secret))
         .select(
           db.ref("slug").withSchema(TableName.Environment).as("environment"),

backend/src/services/secret/secret-service.ts

@@ -1078,6 +1078,7 @@ export const secretServiceFactory = ({
     actor,
     environment,
     projectId: workspaceId,
+    expandSecretReferences,
     projectSlug,
     actorId,
     actorOrgId,
@@ -1091,7 +1092,7 @@ export const secretServiceFactory = ({
     const botKey = await projectBotService.getBotKey(projectId);
     if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });
 
-    const secret = await getSecretByName({
+    const encryptedSecret = await getSecretByName({
       actorId,
       projectId,
       actorAuthMethod,
@@ -1105,7 +1106,46 @@ export const secretServiceFactory = ({
       version
     });
 
-    return decryptSecretRaw(secret, botKey);
+    const decryptedSecret = decryptSecretRaw(encryptedSecret, botKey);
+
+    if (expandSecretReferences) {
+      const expandSecrets = interpolateSecrets({
+        folderDAL,
+        projectId,
+        secretDAL,
+        secretEncKey: botKey
+      });
+
+      const expandSingleSecret = async (secret: {
+        secretKey: string;
+        secretValue: string;
+        secretComment?: string;
+        secretPath: string;
+        skipMultilineEncoding: boolean | null | undefined;
+      }) => {
+        const secretRecord: Record<
+          string,
+          { value: string; comment?: string; skipMultilineEncoding: boolean | null | undefined }
+        > = {
+          [secret.secretKey]: {
+            value: secret.secretValue,
+            comment: secret.secretComment,
+            skipMultilineEncoding: secret.skipMultilineEncoding
+          }
+        };
+
+        await expandSecrets(secretRecord);
+
+        // Update the secret with the expanded value
+        // eslint-disable-next-line no-param-reassign
+        secret.secretValue = secretRecord[secret.secretKey].value;
+      };
+
+      // Expand the secret
+      await expandSingleSecret(decryptedSecret);
+    }
+
+    return decryptedSecret;
   };
 
   const createSecretRaw = async ({

backend/src/services/secret/secret-types.ts

@@ -151,6 +151,7 @@ export type TGetASecretRawDTO = {
   secretName: string;
   path: string;
   environment: string;
+  expandSecretReferences?: boolean;
   type: "shared" | "personal";
   includeImports?: boolean;
   version?: number;

cli/packages/cmd/secrets.go

@@ -73,6 +73,11 @@ var secretsCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
+		plainOutput, err := cmd.Flags().GetBool("plain")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
 		request := models.GetAllSecretsParameters{
 			Environment:   environmentName,
 			WorkspaceId:   projectId,
@@ -100,7 +105,6 @@ var secretsCmd = &cobra.Command{
 		}
 
 		if shouldExpandSecrets {
-
 			authParams := models.ExpandSecretsAuthentication{}
 			if token != nil && token.Type == util.SERVICE_TOKEN_IDENTIFIER {
 				authParams.InfisicalToken = token.Token
@@ -114,7 +118,14 @@ var secretsCmd = &cobra.Command{
 		// Sort the secrets by key so we can create a consistent output
 		secrets = util.SortSecretsByKeys(secrets)
 
-		visualize.PrintAllSecretDetails(secrets)
+		if plainOutput {
+			for _, secret := range secrets {
+				fmt.Println(secret.Value)
+			}
+		} else {
+			visualize.PrintAllSecretDetails(secrets)
+		}
+
 		Telemetry.CaptureEvent("cli-command:secrets", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 	},
 }
@@ -325,9 +336,20 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		util.HandleError(err, "Unable to parse recursive flag")
 	}
 
+	// deprecated, in favor of --plain
 	showOnlyValue, err := cmd.Flags().GetBool("raw-value")
 	if err != nil {
-		util.HandleError(err, "Unable to parse path flag")
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	plainOutput, err := cmd.Flags().GetBool("plain")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	includeImports, err := cmd.Flags().GetBool("include-imports")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
 	}
 
 	request := models.GetAllSecretsParameters{
@@ -335,7 +357,7 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		WorkspaceId:   projectId,
 		TagSlugs:      tagSlugs,
 		SecretsPath:   secretsPath,
-		IncludeImport: true,
+		IncludeImport: includeImports,
 		Recursive:     recursive,
 	}
 
@@ -377,15 +399,15 @@ func getSecretsByNames(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	if showOnlyValue && len(requestedSecrets) > 1 {
-		util.PrintErrorMessageAndExit("--raw-value only works with one secret.")
-	}
-
-	if showOnlyValue {
-		fmt.Printf(requestedSecrets[0].Value)
+	// showOnlyValue deprecated in favor of --plain, below only for backward compatibility
+	if plainOutput || showOnlyValue {
+		for _, secret := range requestedSecrets {
+			fmt.Println(secret.Value)
+		}
 	} else {
 		visualize.PrintAllSecretDetails(requestedSecrets)
 	}
+
 	Telemetry.CaptureEvent("cli-command:secrets get", posthog.NewProperties().Set("secretCount", len(secrets)).Set("version", util.CLI_VERSION))
 }
 
@@ -639,11 +661,12 @@ func init() {
 	secretsGetCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	secretsGetCmd.Flags().String("projectId", "", "manually set the project ID to fetch secrets from when using machine identity based auth")
 	secretsGetCmd.Flags().String("path", "/", "get secrets within a folder path")
-	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
-	secretsGetCmd.Flags().Bool("raw-value", false, "Returns only the value of secret, only works with one secret")
+	secretsGetCmd.Flags().Bool("plain", false, "print values without formatting, one per line")
+	secretsGetCmd.Flags().Bool("raw-value", false, "deprecated. Returns only the value of secret, only works with one secret. Use --plain instead")
+	secretsGetCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
+	secretsGetCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets, and process your referenced secrets")
 	secretsGetCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
 	secretsCmd.AddCommand(secretsGetCmd)
-
 	secretsCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
 	secretsCmd.AddCommand(secretsSetCmd)
 	secretsSetCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
@@ -687,10 +710,11 @@ func init() {
 	secretsCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
 	secretsCmd.Flags().String("projectId", "", "manually set the projectId to fetch secrets when using machine identity based auth")
 	secretsCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
-	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
+	secretsCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets, and process your referenced secrets")
 	secretsCmd.Flags().Bool("include-imports", true, "Imported linked secrets ")
 	secretsCmd.Flags().Bool("recursive", false, "Fetch secrets from all sub-folders")
 	secretsCmd.PersistentFlags().StringP("tags", "t", "", "filter secrets by tag slugs")
 	secretsCmd.Flags().String("path", "/", "get secrets within a folder path")
+	secretsCmd.Flags().Bool("plain", false, "print values without formatting, one per line")
 	rootCmd.AddCommand(secretsCmd)
 }

docs/api-reference/endpoints/identities/get-by-id.mdx

@@ -0,0 +1,5 @@
+---
+title: "Get By ID"
+openapi: "GET /api/v1/identities/{identityId}"
+---
+

docs/api-reference/endpoints/identities/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/identities"
+---

docs/api-reference/endpoints/universal-auth/get-client-secret-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Get Client Secret By ID"
+openapi: "GET /api/v1/auth/universal-auth/identities/{identityId}/client-secrets/{clientSecretId}"
+---

docs/api-reference/endpoints/universal-auth/revoke.mdx

@@ -0,0 +1,4 @@
+---
+title: "Revoke"
+openapi: "DELETE /api/v1/auth/universal-auth/identities/{identityId}"
+---

docs/cli/commands/secrets.mdx

@@ -88,6 +88,27 @@ $ infisical secrets
     ```
 
   </Accordion>
+  <Accordion title="--plain">
+    The `--plain` flag will output all your secret values without formatting, one per line.
+
+    ```bash
+    # Example
+    infisical secrets --plain --silent
+    ```
+
+  </Accordion>
+
+  <Accordion title="--silent">
+    The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.
+
+    ```bash
+    # Example
+    infisical secrets --silent
+    ```
+
+    Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
+
+  </Accordion>
 
 </Accordion>
 
@@ -99,6 +120,7 @@ $ infisical secrets get <secret-name-a> <secret-name-b> ...
 
 # Example
 $ infisical secrets get DOMAIN
+$ infisical secrets get DOMAIN PORT
 
 ```
 
@@ -111,7 +133,41 @@ $ infisical secrets get DOMAIN
 
   </Accordion>
 
-  <Accordion title="--raw-value">
+  <Accordion title="--plain">
+    The `--plain` flag will output all your requested secret values without formatting, one per line.
+
+    Default value: `false`
+
+    ```bash
+    # Example
+    infisical secrets get FOO --plain
+    infisical secrets get FOO BAR --plain
+
+    # Fetch a single value and assign it to a variable
+    API_KEY=$(infisical secrets get FOO --plain --silent)
+    ```
+
+    <Tip>
+      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
+    </Tip>
+
+  </Accordion>
+
+  <Accordion title="--silent">
+    The `--silent` flag disables output of tip/info messages. Useful when running in scripts or CI/CD pipelines.
+
+    ```bash
+    # Example
+    infisical secrets get FOO --plain --silent
+    ```
+
+    Can be used inline to replace `INFISICAL_DISABLE_UPDATE_CHECK`
+
+  </Accordion>
+
+  <Accordion title="--raw-value (deprecated)">
+    Use `--plain` instead, as it supports single and multiple secrets.
+
     Used to print the plain value of a single requested secret without any table style.
 
     Default value: `false`
@@ -119,10 +175,11 @@ $ infisical secrets get DOMAIN
     Example: `infisical secrets get DOMAIN --raw-value`
 
     <Tip>
-      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK` env to `true`. This will help hide any CLI update messages and only show the secret value.
+      When running in CI/CD environments or in a script, set `INFISICAL_DISABLE_UPDATE_CHECK=true` or add the `--silent` flag. This will help hide any CLI info/debug output and only show the secret value.
     </Tip>
 
   </Accordion>
+
 </Accordion>
 
 <Accordion title="infisical secrets set">

docs/documentation/platform/pki/certificates.mdx

@@ -56,9 +56,9 @@ In the following steps, we explore how to issue a X.509 certificate under a CA.
 
     - Issuing CA: The CA under which to issue the certificate.
     - Friendly Name: A friendly name for the certificate; this is only for display and defaults to the common name of the certificate if left empty.
-    - Common Name (CN): The (common) name of the certificate.
+    - Common Name (CN): The (common) name for the certificate like `service.acme.com`.
+    - Alternative Names (SANs): A comma-delimited list of Subject Alternative Names (SANs) for the certificate; these can be host names or email addresses like `app1.acme.com, app2.acme.com`.
     - TTL: The lifetime of the certificate in seconds.
-    - Valid Until: The date until which the certificate is valid in the date time string format specified [here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date#date_time_string_format). For example, the following formats would be valid: `YYYY`, `YYYY-MM`, `YYYY-MM-DD`, `YYYY-MM-DDTHH:mm:ss.sssZ`.
 
   </Step>
   <Step title="Copying the certificate details">

docs/integrations/cicd/bitbucket.mdx

@@ -7,26 +7,62 @@ Prerequisites:
 
 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)
 
-<Steps>
-  <Step title="Authorize Infisical for Bitbucket">
-    Navigate to your project's integrations tab in Infisical.
+<AccordionGroup>
+  <Accordion title="Push secrets to Bitbucket from Infisical">
+    <Steps>
+      <Step title="Authorize Infisical for Bitbucket">
+        Navigate to your project's integrations tab in Infisical.
 
-    ![integrations](../../images/integrations.png)
+        ![integrations](../../images/integrations.png)
 
-    Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
+        Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
 
-    ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)
+        ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)
 
-    <Info>
-      If this is your project's first cloud integration, then you'll have to grant
-      Infisical access to your project's environment variables. Although this step
-      breaks E2EE, it's necessary for Infisical to sync the environment variables to
-      the cloud platform.
-    </Info>
-  </Step>
-  <Step title="Start integration">
-    Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
+      </Step>
+      <Step title="Start integration">
+        Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
 
-    ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
-  </Step>
-</Steps>
+        ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
+      </Step>
+    </Steps>
+
+  </Accordion>
+  <Accordion title="Pull secrets in Bitbucket pipelines from Infisical">
+    <Steps>
+      <Step title="Configure Infisical Access">
+        Configure a [Machine Identity](https://infisical.com/docs/documentation/platform/identities/universal-auth) for your project and give it permissions to read secrets from your desired Infisical projects and environments.
+      </Step>
+      <Step title="Initialize Bitbucket variables">
+      Create Bitbucket variables (can be either workspace, repository, or deployment-level) to store Machine Identity Client ID and Client Secret.
+      
+      ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket-env.png)
+      </Step>
+      <Step title="Integrate Infisical secrets into the pipeline">
+        Edit your Bitbucket pipeline YAML file to include the use of the Infisical CLI to fetch and inject secrets into any script or command within the pipeline.
+        
+        #### Example
+
+        ```yaml
+        image: atlassian/default-image:3
+
+        pipelines:
+          default:
+            - step:
+                name: Build application with secrets from Infisical
+                script:
+                  - apt update && apt install -y curl
+                  - curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash
+                  - apt-get update && apt-get install -y infisical
+                  - export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --silent --plain)
+                  - infisical run --projectId=1d0443c1-cd43-4b3a-91a3-9d5f81254a89 --env=dev -- npm run build
+        ```
+
+      <Tip>
+        Set the values of `projectId` and `env` flags in the `infisical run` command to your intended source path. For more options, refer to the CLI command reference [here](https://infisical.com/docs/cli/commands/run).
+      </Tip>
+      </Step>
+    </Steps>
+
+  </Accordion>
+</AccordionGroup>

docs/mint.json

@@ -419,7 +419,9 @@
           "pages": [
             "api-reference/endpoints/identities/create",
             "api-reference/endpoints/identities/update",
-            "api-reference/endpoints/identities/delete"
+            "api-reference/endpoints/identities/delete",
+            "api-reference/endpoints/identities/get-by-id",
+            "api-reference/endpoints/identities/list"
           ]
         },
         {
@@ -429,9 +431,11 @@
             "api-reference/endpoints/universal-auth/attach",
             "api-reference/endpoints/universal-auth/retrieve",
             "api-reference/endpoints/universal-auth/update",
+            "api-reference/endpoints/universal-auth/revoke",
             "api-reference/endpoints/universal-auth/create-client-secret",
             "api-reference/endpoints/universal-auth/list-client-secrets",
             "api-reference/endpoints/universal-auth/revoke-client-secret",
+            "api-reference/endpoints/universal-auth/get-client-secret-by-id",
             "api-reference/endpoints/universal-auth/renew-access-token",
             "api-reference/endpoints/universal-auth/revoke-access-token"
           ]

docs/sdks/overview.mdx

@@ -19,7 +19,7 @@ From local development to production, Infisical SDKs provide the easiest way for
     <Card href="/sdks/languages/java" title="Java" icon="java" color="#e41f23">
         Manage secrets for your Java application on demand
     </Card>
-    <Card href="/sdks/languages/go" title="Go icon="golang" color="#367B99">
+    <Card href="/sdks/languages/go" title="Go" icon="golang" color="#367B99">
         Manage secrets for your Go application on demand
     </Card>
     <Card href="/sdks/languages/csharp" title="C#" icon="bars" color="#368833">

frontend/src/hooks/api/ca/types.ts

@@ -81,6 +81,7 @@ export type TCreateCertificateDTO = {
   caId: string;
   friendlyName?: string;
   commonName: string;
+  altNames: string; // sans
   ttl: string; // string compatible with ms
   notBefore?: string;
   notAfter?: string;

frontend/src/hooks/api/certificates/types.ts

@@ -6,6 +6,7 @@ export type TCertificate = {
   status: CertStatus;
   friendlyName: string;
   commonName: string;
+  altNames: string;
   serialNumber: string;
   notBefore: string;
   notAfter: string;

frontend/src/hooks/api/subscriptions/types.ts

@@ -2,6 +2,8 @@ export type SubscriptionPlan = {
   id: string;
   membersUsed: number;
   memberLimit: number;
+  identitiesUsed: number;
+  identityLimit: number;
   auditLogs: boolean;
   dynamicSecret: boolean;
   auditLogsRetentionDays: number;

frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx

@@ -297,6 +297,7 @@ export const IntegrationsSection = ({
           (popUp?.deleteConfirmation?.data as TIntegration)?.app ||
           (popUp?.deleteConfirmation?.data as TIntegration)?.owner ||
           (popUp?.deleteConfirmation?.data as TIntegration)?.path ||
+          (popUp?.deleteConfirmation?.data as TIntegration)?.integration ||
           ""
         }
         onDeleteApproved={async () =>

frontend/src/views/Org/MembersPage/components/OrgIdentityTab/components/IdentitySection/IdentitySection.tsx

@@ -4,8 +4,13 @@ import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { createNotification } from "@app/components/notifications";
 import { OrgPermissionCan } from "@app/components/permissions";
-import { Button, DeleteActionModal } from "@app/components/v2";
-import { OrgPermissionActions, OrgPermissionSubjects, useOrganization } from "@app/context";
+import { Button, DeleteActionModal, UpgradePlanModal } from "@app/components/v2";
+import {
+  OrgPermissionActions,
+  OrgPermissionSubjects,
+  useOrganization,
+  useSubscription
+} from "@app/context";
 import { withPermission } from "@app/hoc";
 import { useDeleteIdentity } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
@@ -17,10 +22,10 @@ import { IdentityUniversalAuthClientSecretModal } from "./IdentityUniversalAuthC
 
 export const IdentitySection = withPermission(
   () => {
+    const { subscription } = useSubscription();
     const { currentOrg } = useOrganization();
     const orgId = currentOrg?.id || "";
 
-    
     const { mutateAsync: deleteMutateAsync } = useDeleteIdentity();
     const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
       "identity",
@@ -31,6 +36,10 @@ export const IdentitySection = withPermission(
       "upgradePlan"
     ] as const);
 
+    const isMoreIdentitiesAllowed = subscription?.identityLimit
+      ? subscription.identitiesUsed < subscription.identityLimit
+      : true;
+
     const onDeleteIdentitySubmit = async (identityId: string) => {
       try {
         await deleteMutateAsync({
@@ -81,7 +90,15 @@ export const IdentitySection = withPermission(
                 colorSchema="primary"
                 type="submit"
                 leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                onClick={() => handlePopUpOpen("identity")}
+                onClick={() => {
+                  if (!isMoreIdentitiesAllowed) {
+                    handlePopUpOpen("upgradePlan", {
+                      description: "You can add more identities if you upgrade your Infisical plan."
+                    });
+                    return;
+                  }
+                  handlePopUpOpen("identity");
+                }}
                 isDisabled={!isAllowed}
               >
                 Create identity
@@ -118,6 +135,11 @@ export const IdentitySection = withPermission(
             )
           }
         />
+        <UpgradePlanModal
+          isOpen={popUp.upgradePlan.isOpen}
+          onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
+          text={(popUp.upgradePlan?.data as { description: string })?.description}
+        />
       </div>
     );
   },

frontend/src/views/Org/MembersPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersSection.tsx

@@ -23,7 +23,6 @@ import { AddOrgMemberModal } from "./AddOrgMemberModal";
 import { OrgMembersTable } from "./OrgMembersTable";
 
 export const OrgMembersSection = () => {
-  
   const { subscription } = useSubscription();
   const { currentOrg } = useOrganization();
   const orgId = currentOrg?.id ?? "";
@@ -39,9 +38,13 @@ export const OrgMembersSection = () => {
 
   const { mutateAsync: deleteMutateAsync } = useDeleteOrgMembership();
 
-  const isMoreUsersNotAllowed = subscription?.memberLimit
-    ? subscription.membersUsed >= subscription.memberLimit
-    : false;
+  const isMoreUsersAllowed = subscription?.memberLimit
+    ? subscription.membersUsed < subscription.memberLimit
+    : true;
+
+  const isMoreIdentitiesAllowed = subscription?.identityLimit
+    ? subscription.identitiesUsed < subscription.identityLimit
+    : true;
 
   const handleAddMemberModal = () => {
     if (currentOrg?.authEnforced) {
@@ -52,13 +55,14 @@ export const OrgMembersSection = () => {
       return;
     }
 
-    if (isMoreUsersNotAllowed) {
+    if (!isMoreUsersAllowed || !isMoreIdentitiesAllowed) {
       handlePopUpOpen("upgradePlan", {
         description: "You can add more members if you upgrade your Infisical plan."
       });
-    } else {
-      handlePopUpOpen("addMember");
+      return;
     }
+
+    handlePopUpOpen("addMember");
   };
 
   const onRemoveMemberSubmit = async (orgMembershipId: string) => {

frontend/src/views/Project/CertificatesPage/components/CertificatesTab/components/CertificateModal.tsx

@@ -24,6 +24,7 @@ const schema = z.object({
   caId: z.string(),
   friendlyName: z.string(),
   commonName: z.string().trim().min(1),
+  altNames: z.string(),
   ttl: z.string().trim()
 });
 
@@ -71,6 +72,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId: cert.caId,
         friendlyName: cert.friendlyName,
         commonName: cert.commonName,
+        altNames: cert.altNames,
         ttl: ""
       });
     } else {
@@ -78,12 +80,13 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId: "",
         friendlyName: "",
         commonName: "",
+        altNames: "",
         ttl: ""
       });
     }
   }, [cert]);
 
-  const onFormSubmit = async ({ caId, friendlyName, commonName, ttl }: FormData) => {
+  const onFormSubmit = async ({ caId, friendlyName, commonName, altNames, ttl }: FormData) => {
     try {
       if (!currentWorkspace?.slug) return;
 
@@ -92,6 +95,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
         caId,
         friendlyName,
         commonName,
+        altNames,
         ttl
       });
 
@@ -192,6 +196,24 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
                 </FormControl>
               )}
             />
+            <Controller
+              control={control}
+              defaultValue=""
+              name="altNames"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label="Alternative Names (SANs)"
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                >
+                  <Input
+                    {...field}
+                    placeholder="app1.acme.com, app2.acme.com, ..."
+                    isDisabled={Boolean(cert)}
+                  />
+                </FormControl>
+              )}
+            />
             <Controller
               control={control}
               name="ttl"

frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx

@@ -7,6 +7,7 @@ import {
   faCircleDot,
   faClock,
   faPlus,
+  faShare,
   faTag
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -57,6 +58,7 @@ type Props = {
   ) => Promise<void>;
   tags: WsTag[];
   onCreateTag: () => void;
+  handleSecretShare: (value: string) => void;
 };
 
 export const SecretDetailSidebar = ({
@@ -69,7 +71,8 @@ export const SecretDetailSidebar = ({
   tags,
   onCreateTag,
   environment,
-  secretPath
+  secretPath,
+  handleSecretShare
 }: Props) => {
   const {
     register,
@@ -381,7 +384,7 @@ export const SecretDetailSidebar = ({
                   rows={5}
                 />
               </FormControl>
-              <div className="my-2 mb-6 border-b border-mineshaft-600 pb-4">
+              <div className="my-2 mb-4 border-b border-mineshaft-600 pb-4">
                 <Controller
                   control={control}
                   name="skipMultilineEncoding"
@@ -412,7 +415,17 @@ export const SecretDetailSidebar = ({
                   )}
                 />
               </div>
-              <div className="dark mb-4 flex-grow text-sm text-bunker-300">
+              <div className="ml-1 flex items-center space-x-2">
+                <Button
+                  className="px-2 py-1"
+                  variant="outline_bg"
+                  leftIcon={<FontAwesomeIcon icon={faShare} />}
+                  onClick={() => handleSecretShare(secret.valueOverride ?? secret.value)}
+                >
+                  Share Secret
+                </Button>
+              </div>
+              <div className="dark mt-4 mb-4 flex-grow text-sm text-bunker-300">
                 <div className="mb-2">Version History</div>
                 <div className="flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
                   {secretVersion?.map(({ createdAt, value, id }, i) => (

frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx

@@ -61,6 +61,7 @@ type Props = {
   onCreateTag: () => void;
   environment: string;
   secretPath: string;
+  handleSecretShare: () => void;
 };
 
 export const SecretItem = memo(
@@ -75,7 +76,8 @@ export const SecretItem = memo(
     onCreateTag,
     onToggleSecretSelect,
     environment,
-    secretPath
+    secretPath,
+    handleSecretShare
   }: Props) => {
     const { currentWorkspace } = useWorkspace();
     const { permission } = useProjectPermission();
@@ -420,8 +422,9 @@ export const SecretItem = memo(
                       <Tooltip
                         content={
                           secretReminderRepeatDays && secretReminderRepeatDays > 0
-                            ? `Every ${secretReminderRepeatDays} day${Number(secretReminderRepeatDays) > 1 ? "s" : ""
-                            }
+                            ? `Every ${secretReminderRepeatDays} day${
+                                Number(secretReminderRepeatDays) > 1 ? "s" : ""
+                              }
                           `
                             : "Reminder"
                         }
@@ -461,6 +464,20 @@ export const SecretItem = memo(
                         </PopoverTrigger>
                       )}
                     </ProjectPermissionCan>
+                    <IconButton
+                      className="w-0 overflow-hidden p-0 group-hover:mr-2 group-hover:w-5 data-[state=open]:w-6"
+                      variant="plain"
+                      size="md"
+                      ariaLabel="share-secret"
+                      onClick={handleSecretShare}
+                    >
+                      <Tooltip content="Share Secret">
+                        <FontAwesomeSymbol
+                          className="h-3.5 w-3.5"
+                          symbolName={FontAwesomeSpriteName.ShareSecret}
+                        />
+                      </Tooltip>
+                    </IconButton>
                     <PopoverContent
                       className="w-auto border border-mineshaft-600 bg-mineshaft-800 p-2 drop-shadow-2xl"
                       sticky="always"

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.tsx

@@ -13,6 +13,7 @@ import { secretKeys } from "@app/hooks/api/secrets/queries";
 import { DecryptedSecret, SecretType } from "@app/hooks/api/secrets/types";
 import { secretSnapshotKeys } from "@app/hooks/api/secretSnapshots/queries";
 import { UserWsKeyPair, WsTag } from "@app/hooks/api/types";
+import { AddShareSecretModal } from "@app/views/ShareSecretPage/components/AddShareSecretModal";
 
 import { useSelectedSecretActions, useSelectedSecrets } from "../../SecretMainPage.store";
 import { Filter, GroupBy, SortDir } from "../../SecretMainPage.types";
@@ -95,7 +96,8 @@ export const SecretListView = ({
   const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
     "deleteSecret",
     "secretDetail",
-    "createTag"
+    "createTag",
+    "createSharedSecret"
   ] as const);
 
   // strip of side effect queries
@@ -365,6 +367,11 @@ export const SecretListView = ({
                   onDeleteSecret={onDeleteSecret}
                   onDetailViewSecret={onDetailViewSecret}
                   onCreateTag={onCreateTag}
+                  handleSecretShare={() =>
+                    handlePopUpOpen("createSharedSecret", {
+                      value: secret.valueOverride ?? secret.value
+                    })
+                  }
                 />
               ))}
             </div>
@@ -391,11 +398,18 @@ export const SecretListView = ({
         onSaveSecret={handleSaveSecret}
         tags={wsTags}
         onCreateTag={() => handlePopUpOpen("createTag")}
+        handleSecretShare={(value: string) => handlePopUpOpen("createSharedSecret", { value })}
       />
       <CreateTagModal
         isOpen={popUp.createTag.isOpen}
         onToggle={(isOpen) => handlePopUpToggle("createTag", isOpen)}
       />
+      <AddShareSecretModal
+        popUp={popUp}
+        handlePopUpToggle={handlePopUpToggle}
+        isPublic={false}
+        inModal
+      />
     </>
   );
 };

frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.utils.ts

@@ -10,6 +10,7 @@ import {
   faCopy,
   faEllipsis,
   faKey,
+  faShare,
   faTags
 } from "@fortawesome/free-solid-svg-icons";
 import { z } from "zod";
@@ -66,7 +67,8 @@ export enum FontAwesomeSpriteName {
   Override = "secret-override",
   Close = "close",
   CheckedCircle = "check-circle",
-  ReplicatedSecretKey = "secret-replicated"
+  ReplicatedSecretKey = "secret-replicated",
+  ShareSecret = "share-secret"
 }
 
 // this is an optimization technique
@@ -82,5 +84,6 @@ export const FontAwesomeSpriteSymbols = [
   { icon: faCodeBranch, symbol: FontAwesomeSpriteName.Override },
   { icon: faClose, symbol: FontAwesomeSpriteName.Close },
   { icon: faCheckCircle, symbol: FontAwesomeSpriteName.CheckedCircle },
-  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey }
+  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey },
+  { icon: faShare, symbol: FontAwesomeSpriteName.ShareSecret }
 ];

frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx

@@ -5,6 +5,7 @@ import { E2EESection } from "../E2EESection";
 import { EnvironmentSection } from "../EnvironmentSection";
 import { PointInTimeVersionLimitSection } from "../PointInTimeVersionLimitSection";
 import { ProjectNameChangeSection } from "../ProjectNameChangeSection";
+import { RebuildSecretIndicesSection } from "../RebuildSecretIndicesSection/RebuildSecretIndicesSection";
 import { SecretTagsSection } from "../SecretTagsSection";
 
 export const ProjectGeneralTab = () => {
@@ -17,6 +18,7 @@ export const ProjectGeneralTab = () => {
       <E2EESection />
       <PointInTimeVersionLimitSection />
       <BackfillSecretReferenceSecretion />
+      <RebuildSecretIndicesSection />
       <DeleteProjectSection />
     </div>
   );

frontend/src/views/Settings/ProjectSettingsPage/components/RebuildSecretIndicesSection/RebuildSecretIndicesSection.tsx

@@ -0,0 +1,93 @@
+import { createNotification } from "@app/components/notifications";
+import {
+  decryptAssymmetric,
+  decryptSymmetric
+} from "@app/components/utilities/cryptography/crypto";
+import { Button } from "@app/components/v2";
+import { useProjectPermission, useWorkspace } from "@app/context";
+import { useToggle } from "@app/hooks";
+import { useGetUserWsKey, useNameWorkspaceSecrets } from "@app/hooks/api";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { fetchWorkspaceSecrets } from "@app/hooks/api/workspace/queries";
+
+export const RebuildSecretIndicesSection = () => {
+  const { currentWorkspace } = useWorkspace();
+  const { membership } = useProjectPermission();
+  const nameWorkspaceSecrets = useNameWorkspaceSecrets();
+
+  const [isIndexing, setIsIndexing] = useToggle();
+  const { data: decryptFileKey } = useGetUserWsKey(currentWorkspace?.id!);
+
+  if (!currentWorkspace) return null;
+
+  const onRebuildIndices = async () => {
+    if (!currentWorkspace?.id) return;
+    setIsIndexing.on();
+    try {
+      const encryptedSecrets = await fetchWorkspaceSecrets(currentWorkspace.id);
+
+      if (!currentWorkspace || !decryptFileKey) {
+        return;
+      }
+
+      const key = decryptAssymmetric({
+        ciphertext: decryptFileKey.encryptedKey,
+        nonce: decryptFileKey.nonce,
+        publicKey: decryptFileKey.sender.publicKey,
+        privateKey: localStorage.getItem("PRIVATE_KEY") as string
+      });
+
+      const secretsToUpdate = encryptedSecrets.map((encryptedSecret) => {
+        const secretName = decryptSymmetric({
+          ciphertext: encryptedSecret.secretKeyCiphertext,
+          iv: encryptedSecret.secretKeyIV,
+          tag: encryptedSecret.secretKeyTag,
+          key
+        });
+
+        return {
+          secretName,
+          secretId: encryptedSecret.id
+        };
+      });
+      await nameWorkspaceSecrets.mutateAsync({
+        workspaceId: currentWorkspace.id,
+        secretsToUpdate
+      });
+
+      createNotification({
+        text: "Successfully rebuilt secret indices",
+        type: "success"
+      });
+    } catch (err) {
+      console.log(err);
+    } finally {
+      setIsIndexing.off();
+    }
+  };
+
+  const isAdmin = membership.roles.includes(ProjectMembershipRole.Admin);
+
+  if (!isAdmin) {
+    return null;
+  }
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="flex w-full items-center justify-between">
+        <p className="text-xl font-semibold">Rebuild Secret Indices</p>
+      </div>
+      <p className="mb-4 mt-2 max-w-2xl text-sm text-gray-400">
+        This will rebuild indices of all secrets in the project.
+      </p>
+      <Button
+        variant="outline_bg"
+        isLoading={isIndexing}
+        onClick={onRebuildIndices}
+        isDisabled={!isAdmin}
+      >
+        Rebuild Secret Indices
+      </Button>
+    </div>
+  );
+};

frontend/src/views/ShareSecretPage/components/AddShareSecretForm.tsx

@@ -6,14 +6,7 @@ import * as yup from "yup";
 
 import { createNotification } from "@app/components/notifications";
 import { encryptSymmetric } from "@app/components/utilities/cryptography/crypto";
-import {
-  Button,
-  FormControl,
-  Input,
-  ModalClose,
-  Select,
-  SelectItem
-} from "@app/components/v2";
+import { Button, FormControl, Input, ModalClose, Select, SelectItem } from "@app/components/v2";
 import { useCreatePublicSharedSecret, useCreateSharedSecret } from "@app/hooks/api/secretSharing";
 
 const schema = yup.object({
@@ -31,7 +24,8 @@ export const AddShareSecretForm = ({
   handleSubmit,
   control,
   isSubmitting,
-  setNewSharedSecret
+  setNewSharedSecret,
+  isInputDisabled
 }: {
   isPublic: boolean;
   inModal: boolean;
@@ -39,6 +33,7 @@ export const AddShareSecretForm = ({
   control: any;
   isSubmitting: boolean;
   setNewSharedSecret: (value: string) => void;
+  isInputDisabled?: boolean;
 }) => {
   const publicSharedSecretCreator = useCreatePublicSharedSecret();
   const privateSharedSecretCreator = useCreateSharedSecret();
@@ -124,12 +119,13 @@ export const AddShareSecretForm = ({
   };
   return (
     <form className="flex w-full flex-col items-center" onSubmit={handleSubmit(onFormSubmit)}>
-      <div className={`${!inModal && "border border-mineshaft-600 bg-mineshaft-800 rounded-md p-6"}`}>
+      <div
+        className={`${!inModal && "rounded-md border border-mineshaft-600 bg-mineshaft-800 p-6"}`}
+      >
         <div className="mb-4">
           <Controller
             control={control}
             name="value"
-            defaultValue=""
             render={({ field, fieldState: { error } }) => (
               <FormControl
                 label="Shared Secret"
@@ -137,16 +133,17 @@ export const AddShareSecretForm = ({
                 errorText={error?.message}
               >
                 <textarea
+                  disabled={isInputDisabled}
                   placeholder="Enter sensitive data to share via an encrypted link..."
                   {...field}
-                  className="py-1.5 w-full h-40 placeholder:text-mineshaft-400 rounded-md transition-all group-hover:mr-2 text-bunker-300 hover:border-primary-400/30 focus:border-primary-400/50 outline-none border border-mineshaft-600 bg-mineshaft-900 px-2 min-h-[70px]"
+                  className="h-40 min-h-[70px] w-full rounded-md border border-mineshaft-600 bg-mineshaft-900 py-1.5 px-2 text-bunker-300 outline-none transition-all placeholder:text-mineshaft-400 hover:border-primary-400/30 focus:border-primary-400/50 group-hover:mr-2"
                 />
               </FormControl>
             )}
           />
         </div>
         <div className="flex w-full flex-row justify-center">
-          <div className="hidden sm:block sm:w-2/6 flex">
+          <div className="flex hidden sm:block sm:w-2/6">
             <Controller
               control={control}
               name="expiresAfterViews"
@@ -163,12 +160,12 @@ export const AddShareSecretForm = ({
               )}
             />
           </div>
-          <div className="hidden sm:flex sm:w-1/7 items-center justify-center px-2 mx-auto">
+          <div className="sm:w-1/7 mx-auto hidden items-center justify-center px-2 sm:flex">
             <p className="px-4 text-sm text-gray-400">OR</p>
           </div>
-          <div className="w-full sm:w-3/6 flex justify-end">
+          <div className="flex w-full justify-end sm:w-3/6">
             <div className="flex justify-start">
-              <div className="flex w-full pr-2 justify-center">
+              <div className="flex w-full justify-center pr-2">
                 <Controller
                   control={control}
                   name="expiresInValue"

frontend/src/views/ShareSecretPage/components/AddShareSecretModal.tsx

@@ -34,6 +34,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     control,
     reset,
     handleSubmit,
+    setValue,
     formState: { isSubmitting }
   } = useForm<FormData>({
     resolver: yupResolver(schema)
@@ -45,6 +46,8 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     initialState: false
   });
 
+  const [isSecretInputDisabled, setIsSecretInputDisabled] = useState(false);
+
   const copyUrlToClipboard = () => {
     navigator.clipboard.writeText(newSharedSecret);
     setIsUrlCopied(true);
@@ -55,6 +58,13 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
     }
   }, [isUrlCopied]);
 
+  useEffect(() => {
+    if (popUp.createSharedSecret.data) {
+      setValue("value", (popUp.createSharedSecret.data as { value: string }).value);
+      setIsSecretInputDisabled(true);
+    }
+  }, [popUp.createSharedSecret.data]);
+
   // eslint-disable-next-line no-nested-ternary
   return inModal ? (
     <Modal
@@ -63,6 +73,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
         handlePopUpToggle("createSharedSecret", open);
         reset();
         setNewSharedSecret("");
+        setIsSecretInputDisabled(false);
       }}
     >
       <ModalContent
@@ -77,6 +88,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
             handleSubmit={handleSubmit}
             isSubmitting={isSubmitting}
             setNewSharedSecret={setNewSharedSecret}
+            isInputDisabled={isSecretInputDisabled}
           />
         ) : (
           <ViewAndCopySharedSecret
@@ -96,6 +108,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
       handleSubmit={handleSubmit}
       isSubmitting={isSubmitting}
       setNewSharedSecret={setNewSharedSecret}
+      isInputDisabled={isSecretInputDisabled}
     />
   ) : (
     <ViewAndCopySharedSecret

frontend/src/views/admin/DashboardPage/DashboardPage.tsx

@@ -203,9 +203,7 @@ export const AdminDashboardPage = () => {
                     Default organization
                   </div>
                   <div className="mb-4 max-w-sm text-sm text-mineshaft-400">
-                    Select the slug of the organization you want to set as default for SAML/LDAP
-                    logins. When this field is set, users will also skip the organization selection
-                    page and automatically be logged into the default organization.
+                    Select the default organization you want to set for SAML/LDAP based logins. When selected, user logins will be automatically scoped to the selected organization.
                   </div>
                   <Controller
                     control={control}