docs(java-sdk): updated for v3.0.0

fix(cli): tests failing

.env.example

@@ -74,6 +74,14 @@ CAPTCHA_SECRET=
 
 NEXT_PUBLIC_CAPTCHA_SITE_KEY=
 
+OTEL_TELEMETRY_COLLECTION_ENABLED=false
+OTEL_EXPORT_TYPE=prometheus
+OTEL_EXPORT_OTLP_ENDPOINT=
+OTEL_OTLP_PUSH_INTERVAL=
+
+OTEL_COLLECTOR_BASIC_AUTH_USERNAME=
+OTEL_COLLECTOR_BASIC_AUTH_PASSWORD=
+
 PLAIN_API_KEY=
 PLAIN_WISH_LABEL_IDS=
 

.husky/pre-commit

@@ -1,6 +1,12 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Check if infisical is installed
+if ! command -v infisical >/dev/null 2>&1; then
+    echo "\nError: Infisical CLI is not installed. Please install the Infisical CLI before comitting.\n You can refer to the documentation at https://infisical.com/docs/cli/overview\n\n"
+    exit 1
+fi
+
 npx lint-staged
 
 infisical scan git-changes --staged -v

Dockerfile.fips.standalone-infisical

@@ -69,13 +69,21 @@ RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
 
 WORKDIR /app
 
-# Required for pkcs11js
+# Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
     && rm -rf /var/lib/apt/lists/*
 
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -91,13 +99,21 @@ ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 
 WORKDIR /app
 
-# Required for pkcs11js
+# Required for pkcs11js and ODBC
 RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
     && rm -rf /var/lib/apt/lists/*
 
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -108,13 +124,24 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 
-# Install necessary packages
+# Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
     ca-certificates \
     curl \
     git \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc \
     && rm -rf /var/lib/apt/lists/*
 
+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
     && apt-get update && apt-get install -y infisical=0.31.1 \

Dockerfile.standalone-infisical

@@ -72,8 +72,16 @@ RUN addgroup --system --gid 1001 nodejs \
 
 WORKDIR /app
 
-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
+# Install all required dependencies for build
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -88,8 +96,19 @@ FROM base AS backend-runner
 
 WORKDIR /app
 
-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
+# Install all required dependencies for runtime
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+# Configure ODBC
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -100,11 +119,32 @@ RUN mkdir frontend-build
 
 # Production stage
 FROM base AS production
+
 RUN apk add --upgrade --no-cache ca-certificates
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.31.1 && apk add --no-cache git
 
+WORKDIR /
+
+# Install all required runtime dependencies
+RUN apk --update add \
+    python3 \
+    make \
+    g++ \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev \
+    bash \
+    curl \
+    git
+
+# Configure ODBC in production
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Setup user permissions
 RUN addgroup --system --gid 1001 nodejs \
   && adduser --system --uid 1001 non-root-user
 
@@ -127,7 +167,6 @@ ARG CAPTCHA_SITE_KEY
 ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
   BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-WORKDIR / 
 
 COPY --from=backend-runner /app /backend
 
@@ -149,4 +188,4 @@ EXPOSE 443
 
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

Makefile

@@ -10,6 +10,9 @@ up-dev:
 up-dev-ldap:
 	docker compose -f docker-compose.dev.yml --profile ldap up --build
 
+up-dev-metrics:
+	docker compose -f docker-compose.dev.yml --profile metrics up --build
+
 up-prod:
 	docker-compose -f docker-compose.prod.yml up --build
 
@@ -27,4 +30,3 @@ reviewable-api:
 	npm run type:check
 
 reviewable: reviewable-ui reviewable-api
-

backend/Dockerfile

@@ -9,6 +9,15 @@ RUN apk --update add \
         make \
         g++
 
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
 COPY package*.json ./
 RUN npm ci --only-production
 
@@ -28,6 +37,17 @@ RUN apk --update add \
         make \
         g++
 
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .

backend/Dockerfile.dev

@@ -7,7 +7,7 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
     SOFTHSM2_SOURCES=/tmp/softhsm2
 
-# install build dependencies including python3
+# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
 RUN apk --update add \
         alpine-sdk \
         autoconf \
@@ -19,7 +19,19 @@ RUN apk --update add \
         make \
         g++
 
+# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apk add --no-cache \
+    unixodbc \
+    freetds \
+    unixodbc-dev \
+    libc-dev \
+    freetds-dev
+
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
 # build and install SoftHSM2
+
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 

backend/e2e-test/routes/v3/secret-recursive.spec.ts

@@ -0,0 +1,86 @@
+import { createFolder, deleteFolder } from "e2e-test/testUtils/folders";
+import { createSecretV2, deleteSecretV2, getSecretsV2 } from "e2e-test/testUtils/secrets";
+
+import { seedData1 } from "@app/db/seed-data";
+
+describe("Secret Recursive Testing", async () => {
+  const projectId = seedData1.projectV3.id;
+  const folderAndSecretNames = [
+    { name: "deep1", path: "/", expectedSecretCount: 4 },
+    { name: "deep21", path: "/deep1", expectedSecretCount: 2 },
+    { name: "deep3", path: "/deep1/deep2", expectedSecretCount: 1 },
+    { name: "deep22", path: "/deep2", expectedSecretCount: 1 }
+  ];
+
+  beforeAll(async () => {
+    const rootFolderIds: string[] = [];
+    for (const folder of folderAndSecretNames) {
+      // eslint-disable-next-line no-await-in-loop
+      const createdFolder = await createFolder({
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        secretPath: folder.path,
+        name: folder.name
+      });
+
+      if (folder.path === "/") {
+        rootFolderIds.push(createdFolder.id);
+      }
+      // eslint-disable-next-line no-await-in-loop
+      await createSecretV2({
+        secretPath: folder.path,
+        authToken: jwtAuthToken,
+        environmentSlug: "prod",
+        workspaceId: projectId,
+        key: folder.name,
+        value: folder.name
+      });
+    }
+
+    return async () => {
+      await Promise.all(
+        rootFolderIds.map((id) =>
+          deleteFolder({
+            authToken: jwtAuthToken,
+            secretPath: "/",
+            id,
+            workspaceId: projectId,
+            environmentSlug: "prod"
+          })
+        )
+      );
+
+      await deleteSecretV2({
+        authToken: jwtAuthToken,
+        secretPath: "/",
+        workspaceId: projectId,
+        environmentSlug: "prod",
+        key: folderAndSecretNames[0].name
+      });
+    };
+  });
+
+  test.each(folderAndSecretNames)("$path recursive secret fetching", async ({ path, expectedSecretCount }) => {
+    const secrets = await getSecretsV2({
+      authToken: jwtAuthToken,
+      secretPath: path,
+      workspaceId: projectId,
+      environmentSlug: "prod",
+      recursive: true
+    });
+
+    expect(secrets.secrets.length).toEqual(expectedSecretCount);
+    expect(secrets.secrets.sort((a, b) => a.secretKey.localeCompare(b.secretKey))).toEqual(
+      folderAndSecretNames
+        .filter((el) => el.path.startsWith(path))
+        .sort((a, b) => a.name.localeCompare(b.name))
+        .map((el) =>
+          expect.objectContaining({
+            secretKey: el.name,
+            secretValue: el.name
+          })
+        )
+    );
+  });
+});

backend/e2e-test/testUtils/secrets.ts

@@ -97,6 +97,7 @@ export const getSecretsV2 = async (dto: {
   environmentSlug: string;
   secretPath: string;
   authToken: string;
+  recursive?: boolean;
 }) => {
   const getSecretsResponse = await testServer.inject({
     method: "GET",
@@ -109,7 +110,8 @@ export const getSecretsV2 = async (dto: {
       environment: dto.environmentSlug,
       secretPath: dto.secretPath,
       expandSecretReferences: "true",
-      include_imports: "true"
+      include_imports: "true",
+      recursive: String(dto.recursive || false)
     }
   });
   expect(getSecretsResponse.statusCode).toBe(200);

backend/package.json

@@ -132,6 +132,7 @@
     "@fastify/multipart": "8.3.0",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
+    "@fastify/request-context": "^5.1.0",
     "@fastify/session": "^10.7.0",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
@@ -140,6 +141,15 @@
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
+    "@octopusdeploy/api-client": "^3.4.1",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
+    "@opentelemetry/exporter-prometheus": "^0.55.0",
+    "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/resources": "^1.28.0",
+    "@opentelemetry/sdk-metrics": "^1.28.0",
+    "@opentelemetry/semantic-conventions": "^1.27.0",
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/x509": "^1.12.1",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
@@ -180,6 +190,7 @@
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.4",
     "nodemailer": "^6.9.9",
+    "odbc": "^2.4.9",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",
     "oracledb": "^6.4.0",

backend/src/@types/fastify-request-context.d.ts

@@ -0,0 +1,7 @@
+import "@fastify/request-context";
+
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    requestId: string;
+  }
+}

backend/src/@types/fastify-zod.d.ts

@@ -1,6 +1,6 @@
 import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression, RawServerDefault } from "fastify";
-import { Logger } from "pino";
 
+import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
 
 declare global {
@@ -8,7 +8,7 @@ declare global {
     RawServerDefault,
     RawRequestDefaultExpression<RawServerDefault>,
     RawReplyDefaultExpression<RawServerDefault>,
-    Readonly<Logger>,
+    Readonly<CustomLogger>,
     ZodTypeProvider
   >;
 

backend/src/db/migrations/20241119143026_add-project-descripton.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.Project, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.Project, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20241119184509_access-tokens-auth-method-identity-id-index.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasIdentityIdColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "identityId");
-  const hasAuthMethodColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
-
-  await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-    if (hasIdentityIdColumn && hasAuthMethodColumn) {
-      t.index(["authMethod", "identityId"]);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasIdentityIdColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "identityId");
-  const hasAuthMethodColumn = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
-
-  await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-    if (hasIdentityIdColumn && hasAuthMethodColumn) {
-      t.dropIndex(["authMethod", "identityId"]);
-    }
-  });
-}

backend/src/db/migrations/20241121131344_make-identity-metadata-not-nullable-again.ts

@@ -0,0 +1,20 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex(TableName.IdentityMetadata).whereNull("value").delete();
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.IdentityMetadata, "value")) {
+    await knex.schema.alterTable(TableName.IdentityMetadata, (t) => {
+      t.string("value", 1020).alter();
+    });
+  }
+}

backend/src/db/schemas/kms-root-config.ts

@@ -12,7 +12,7 @@ import { TImmutableDBKeys } from "./models";
 export const KmsRootConfigSchema = z.object({
   id: z.string().uuid(),
   encryptedRootKey: zodBuffer,
-  encryptionStrategy: z.string(),
+  encryptionStrategy: z.string().default("SOFTWARE").nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/db/schemas/projects.ts

@@ -23,7 +23,8 @@ export const ProjectsSchema = z.object({
   kmsCertificateKeyId: z.string().uuid().nullable().optional(),
   auditLogsRetentionDays: z.number().nullable().optional(),
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
-  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional()
+  kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
+  description: z.string().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -112,7 +112,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       })
     ) as object;
 
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
     const { maxTTL } = dynamicSecretCfg;
     const expireAt = new Date(new Date().getTime() + ms(selectedTTL));
     if (maxTTL) {
@@ -187,7 +187,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       })
     ) as object;
 
-    const selectedTTL = ttl ?? dynamicSecretCfg.defaultTTL;
+    const selectedTTL = ttl || dynamicSecretCfg.defaultTTL;
     const { maxTTL } = dynamicSecretCfg;
     const expireAt = new Date(dynamicSecretLease.expireAt.getTime() + ms(selectedTTL));
     if (maxTTL) {

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -80,7 +80,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
     }
   };
 
-  const addUserToInfisicalGroup = async (userId: string) => {
+  const $addUserToInfisicalGroup = async (userId: string) => {
     // figure out if the default user is already in the group, if it is, then we shouldn't add it again
 
     const addUserToGroupCommand = new ModifyUserGroupCommand({
@@ -96,7 +96,7 @@ const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: strin
     await ensureInfisicalGroupExists(clusterName);
 
     await elastiCache.send(new CreateUserCommand(creationInput)); // First create the user
-    await addUserToInfisicalGroup(creationInput.UserId); // Then add the user to the group. We know the group is already a part of the cluster because of ensureInfisicalGroupExists()
+    await $addUserToInfisicalGroup(creationInput.UserId); // Then add the user to the group. We know the group is already a part of the cluster because of ensureInfisicalGroupExists()
 
     return {
       userId: creationInput.UserId,
@@ -212,7 +212,7 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -33,7 +33,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
     const client = new IAMClient({
       region: providerInputs.region,
       credentials: {
@@ -47,7 +47,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client.send(new GetUserCommand({})).then(() => true);
     return isConnected;
@@ -55,7 +55,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
@@ -118,7 +118,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -179,9 +179,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {
-    // do nothing
-    const username = entityId;
-    return { entityId: username };
+    // No renewal necessary
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/azure-entra-id.ts

@@ -23,7 +23,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
     return providerInputs;
   };
 
-  const getToken = async (
+  const $getToken = async (
     tenantId: string,
     applicationId: string,
     clientSecret: string
@@ -51,18 +51,13 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
     return data.success;
   };
 
-  const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
-    return { entityId };
-  };
-
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const data = await getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
+    const data = await $getToken(providerInputs.tenantId, providerInputs.applicationId, providerInputs.clientSecret);
     if (!data.success) {
       throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
     }
@@ -98,7 +93,7 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
   };
 
   const fetchAzureEntraIdUsers = async (tenantId: string, applicationId: string, clientSecret: string) => {
-    const data = await getToken(tenantId, applicationId, clientSecret);
+    const data = await $getToken(tenantId, applicationId, clientSecret);
     if (!data.success) {
       throw new BadRequestError({ message: "Failed to authorize to Microsoft Entra ID" });
     }
@@ -127,6 +122,11 @@ export const AzureEntraIDProvider = (): TDynamicProviderFns & {
     return users;
   };
 
+  const renew = async (inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
   return {
     validateProviderInputs,
     validateConnection,

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -27,7 +27,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {
     const sslOptions = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
     const client = new cassandra.Client({
       sslOptions,
@@ -47,7 +47,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client.execute("SELECT * FROM system_schema.keyspaces").then(() => true);
     await client.shutdown();
@@ -56,7 +56,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -82,7 +82,7 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const { keyspace } = providerInputs;
@@ -99,20 +99,24 @@ export const CassandraProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const client = await $getClient(providerInputs);
 
-    const username = entityId;
     const expiration = new Date(expireAt).toISOString();
     const { keyspace } = providerInputs;
 
-    const renewStatement = handlebars.compile(providerInputs.revocationStatement)({ username, keyspace, expiration });
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      keyspace,
+      expiration
+    });
     const queries = renewStatement.toString().split(";").filter(Boolean);
-    for (const query of queries) {
-      // eslint-disable-next-line
+    for await (const query of queries) {
       await client.execute(query);
     }
     await client.shutdown();
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -24,7 +24,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {
     const connection = new ElasticSearchClient({
       node: {
         url: new URL(`${providerInputs.host}:${providerInputs.port}`),
@@ -55,7 +55,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const infoResponse = await connection
       .info()
@@ -67,7 +67,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -85,7 +85,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     await connection.security.deleteUser({
       username: entityId
@@ -96,7 +96,7 @@ export const ElasticSearchProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -6,15 +6,17 @@ import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
 import { LdapProvider } from "./ldap";
-import { DynamicSecretProviders } from "./models";
+import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
 import { RabbitMqProvider } from "./rabbit-mq";
 import { RedisDatabaseProvider } from "./redis";
+import { SapAseProvider } from "./sap-ase";
 import { SapHanaProvider } from "./sap-hana";
 import { SqlDatabaseProvider } from "./sql-database";
+import { TotpProvider } from "./totp";
 
-export const buildDynamicSecretProviders = () => ({
+export const buildDynamicSecretProviders = (): Record<DynamicSecretProviders, TDynamicProviderFns> => ({
   [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
   [DynamicSecretProviders.Cassandra]: CassandraProvider(),
   [DynamicSecretProviders.AwsIam]: AwsIamProvider(),
@@ -27,5 +29,7 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
   [DynamicSecretProviders.Ldap]: LdapProvider(),
   [DynamicSecretProviders.SapHana]: SapHanaProvider(),
-  [DynamicSecretProviders.Snowflake]: SnowflakeProvider()
+  [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
+  [DynamicSecretProviders.Totp]: TotpProvider(),
+  [DynamicSecretProviders.SapAse]: SapAseProvider()
 });

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -52,7 +52,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
+  const $getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
     return new Promise((resolve, reject) => {
       const client = ldapjs.createClient({
         url: providerInputs.url,
@@ -83,7 +83,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
     return client.connected;
   };
 
@@ -191,7 +191,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     if (providerInputs.credentialType === LdapCredentialType.Static) {
       const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
@@ -235,7 +235,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     if (providerInputs.credentialType === LdapCredentialType.Static) {
       const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
@@ -268,7 +268,7 @@ export const LdapProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -4,7 +4,8 @@ export enum SqlProviders {
   Postgres = "postgres",
   MySQL = "mysql2",
   Oracle = "oracledb",
-  MsSQL = "mssql"
+  MsSQL = "mssql",
+  SapAse = "sap-ase"
 }
 
 export enum ElasticSearchAuthTypes {
@@ -17,6 +18,17 @@ export enum LdapCredentialType {
   Static = "static"
 }
 
+export enum TotpConfigType {
+  URL = "url",
+  MANUAL = "manual"
+}
+
+export enum TotpAlgorithm {
+  SHA1 = "sha1",
+  SHA256 = "sha256",
+  SHA512 = "sha512"
+}
+
 export const DynamicSecretRedisDBSchema = z.object({
   host: z.string().trim().toLowerCase(),
   port: z.number(),
@@ -107,6 +119,16 @@ export const DynamicSecretCassandraSchema = z.object({
   ca: z.string().optional()
 });
 
+export const DynamicSecretSapAseSchema = z.object({
+  host: z.string().trim().toLowerCase(),
+  port: z.number(),
+  database: z.string().trim(),
+  username: z.string().trim(),
+  password: z.string().trim(),
+  creationStatement: z.string().trim(),
+  revocationStatement: z.string().trim()
+});
+
 export const DynamicSecretAwsIamSchema = z.object({
   accessKey: z.string().trim().min(1),
   secretAccessKey: z.string().trim().min(1),
@@ -221,6 +243,34 @@ export const LdapSchema = z.union([
   })
 ]);
 
+export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
+  z.object({
+    configType: z.literal(TotpConfigType.URL),
+    url: z
+      .string()
+      .url()
+      .trim()
+      .min(1)
+      .refine((val) => {
+        const urlObj = new URL(val);
+        const secret = urlObj.searchParams.get("secret");
+
+        return Boolean(secret);
+      }, "OTP URL must contain secret field")
+  }),
+  z.object({
+    configType: z.literal(TotpConfigType.MANUAL),
+    secret: z
+      .string()
+      .trim()
+      .min(1)
+      .transform((val) => val.replace(/\s+/g, "")),
+    period: z.number().optional(),
+    algorithm: z.nativeEnum(TotpAlgorithm).optional(),
+    digits: z.number().optional()
+  })
+]);
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -234,12 +284,15 @@ export enum DynamicSecretProviders {
   AzureEntraID = "azure-entra-id",
   Ldap = "ldap",
   SapHana = "sap-hana",
-  Snowflake = "snowflake"
+  Snowflake = "snowflake",
+  Totp = "totp",
+  SapAse = "sap-ase"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.SapAse), inputs: DynamicSecretSapAseSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AwsIam), inputs: DynamicSecretAwsIamSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Redis), inputs: DynamicSecretRedisDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.SapHana), inputs: DynamicSecretSapHanaSchema }),
@@ -250,7 +303,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/mongo-atlas.ts

@@ -22,7 +22,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoAtlasSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoAtlasSchema>) => {
     const client = axios.create({
       baseURL: "https://cloud.mongodb.com/api/atlas",
       headers: {
@@ -40,7 +40,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client({
       method: "GET",
@@ -59,7 +59,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -87,7 +87,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const isExisting = await client({
@@ -114,7 +114,7 @@ export const MongoAtlasProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -23,7 +23,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {
     const isSrv = !providerInputs.port;
     const uri = isSrv
       ? `mongodb+srv://${providerInputs.host}`
@@ -42,7 +42,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const isConnected = await client
       .db(providerInputs.database)
@@ -55,7 +55,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -74,7 +74,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -88,6 +88,7 @@ export const MongoDBProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -84,7 +84,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {
     const axiosInstance = axios.create({
       baseURL: `${removeTrailingSlash(providerInputs.host)}:${providerInputs.port}/api`,
       auth: {
@@ -105,7 +105,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const infoResponse = await connection.get("/whoami").then(() => true);
 
@@ -114,7 +114,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -134,7 +134,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     await deleteRabbitMqUser({ axiosInstance: connection, usernameToDelete: entityId });
 
@@ -142,7 +142,7 @@ export const RabbitMqProvider = (): TDynamicProviderFns => {
   };
 
   const renew = async (inputs: unknown, entityId: string) => {
-    // Do nothing
+    // No renewal necessary
     return { entityId };
   };
 

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -55,7 +55,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {
     let connection: Redis | null = null;
     try {
       connection = new Redis({
@@ -92,7 +92,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const pingResponse = await connection
       .ping()
@@ -104,7 +104,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -126,7 +126,7 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    const connection = await $getClient(providerInputs);
 
     const username = entityId;
 
@@ -141,7 +141,9 @@ export const RedisDatabaseProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const connection = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const connection = await $getClient(providerInputs);
 
     const username = entityId;
     const expiration = new Date(expireAt).toISOString();

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -0,0 +1,145 @@
+import handlebars from "handlebars";
+import { customAlphabet } from "nanoid";
+import odbc from "odbc";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { verifyHostInputValidity } from "../dynamic-secret-fns";
+import { DynamicSecretSapAseSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = (size = 48) => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  return customAlphabet(charset, 48)(size);
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(25);
+};
+
+enum SapCommands {
+  CreateLogin = "sp_addlogin",
+  DropLogin = "sp_droplogin"
+}
+
+export const SapAseProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretSapAseSchema.parseAsync(inputs);
+
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
+  };
+
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapAseSchema>, useMaster?: boolean) => {
+    const connectionString =
+      `DRIVER={FreeTDS};` +
+      `SERVER=${providerInputs.host};` +
+      `PORT=${providerInputs.port};` +
+      `DATABASE=${useMaster ? "master" : providerInputs.database};` +
+      `UID=${providerInputs.username};` +
+      `PWD=${providerInputs.password};` +
+      `TDS_VERSION=5.0`;
+
+    const client = await odbc.connect(connectionString);
+
+    return client;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const masterClient = await $getClient(providerInputs, true);
+    const client = await $getClient(providerInputs);
+
+    const [resultFromMasterDatabase] = await masterClient.query<{ version: string }>("SELECT @@VERSION AS version");
+    const [resultFromSelectedDatabase] = await client.query<{ version: string }>("SELECT @@VERSION AS version");
+
+    if (!resultFromSelectedDatabase.version) {
+      throw new BadRequestError({
+        message: "Failed to validate SAP ASE connection, version query failed"
+      });
+    }
+
+    if (resultFromMasterDatabase.version !== resultFromSelectedDatabase.version) {
+      throw new BadRequestError({
+        message: "Failed to validate SAP ASE connection (master), version mismatch"
+      });
+    }
+
+    return true;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const username = `inf_${generateUsername()}`;
+    const password = `${generatePassword()}`;
+
+    const client = await $getClient(providerInputs);
+    const masterClient = await $getClient(providerInputs, true);
+
+    const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
+      username,
+      password
+    });
+
+    const queries = creationStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
+
+    for await (const query of queries) {
+      // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
+      // If not done, then the newly created user won't be able to authenticate.
+      await (query.startsWith(SapCommands.CreateLogin) ? masterClient : client).query(query);
+    }
+
+    await masterClient.close();
+    await client.close();
+
+    return { entityId: username, data: { DB_USERNAME: username, DB_PASSWORD: password } };
+  };
+
+  const revoke = async (inputs: unknown, username: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const revokeStatement = handlebars.compile(providerInputs.revocationStatement, { noEscape: true })({
+      username
+    });
+
+    const queries = revokeStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
+
+    const client = await $getClient(providerInputs);
+    const masterClient = await $getClient(providerInputs, true);
+
+    // Get all processes for this login and kill them. If there are active connections to the database when drop login happens, it will throw an error.
+    const result = await masterClient.query<{ spid?: string }>(`sp_who '${username}'`);
+
+    if (result && result.length > 0) {
+      for await (const row of result) {
+        if (row.spid) {
+          await masterClient.query(`KILL ${row.spid.trim()}`);
+        }
+      }
+    }
+
+    for await (const query of queries) {
+      await (query.startsWith(SapCommands.DropLogin) ? masterClient : client).query(query);
+    }
+
+    await masterClient.close();
+    await client.close();
+
+    return { entityId: username };
+  };
+
+  const renew = async (_: unknown, username: string) => {
+    // No need for renewal
+    return { entityId: username };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -32,7 +32,7 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {
     const client = hdb.createClient({
       host: providerInputs.host,
       port: providerInputs.port,
@@ -64,9 +64,9 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
-    const testResult: boolean = await new Promise((resolve, reject) => {
+    const testResult = await new Promise<boolean>((resolve, reject) => {
       client.exec("SELECT 1 FROM DUMMY;", (err: any) => {
         if (err) {
           reject();
@@ -86,7 +86,7 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
     const password = generatePassword();
     const expiration = new Date(expireAt).toISOString();
 
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
     const creationStatement = handlebars.compile(providerInputs.creationStatement, { noEscape: true })({
       username,
       password,
@@ -114,7 +114,7 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, username: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
     const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
     const queries = revokeStatement.toString().split(";").filter(Boolean);
     for await (const query of queries) {
@@ -135,13 +135,15 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
     return { entityId: username };
   };
 
-  const renew = async (inputs: unknown, username: string, expireAt: number) => {
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const client = await $getClient(providerInputs);
     try {
       const expiration = new Date(expireAt).toISOString();
 
-      const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration });
+      const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username: entityId, expiration });
       const queries = renewStatement.toString().split(";").filter(Boolean);
       for await (const query of queries) {
         await new Promise((resolve, reject) => {
@@ -161,7 +163,7 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
       client.disconnect();
     }
 
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -34,7 +34,7 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSnowflakeSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSnowflakeSchema>) => {
     const client = snowflake.createConnection({
       account: `${providerInputs.orgId}-${providerInputs.accountId}`,
       username: providerInputs.username,
@@ -49,7 +49,7 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     let isValidConnection: boolean;
 
@@ -72,7 +72,7 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
 
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     const username = generateUsername();
     const password = generatePassword();
@@ -107,7 +107,7 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
   const revoke = async (inputs: unknown, username: string) => {
     const providerInputs = await validateProviderInputs(inputs);
 
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     try {
       const revokeStatement = handlebars.compile(providerInputs.revocationStatement)({ username });
@@ -131,17 +131,16 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
     return { entityId: username };
   };
 
-  const renew = async (inputs: unknown, username: string, expireAt: number) => {
+  const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
+    if (!providerInputs.renewStatement) return { entityId };
 
-    if (!providerInputs.renewStatement) return { entityId: username };
-
-    const client = await getClient(providerInputs);
+    const client = await $getClient(providerInputs);
 
     try {
       const expiration = getDaysToExpiry(new Date(expireAt));
       const renewStatement = handlebars.compile(providerInputs.renewStatement)({
-        username,
+        username: entityId,
         expiration
       });
 
@@ -161,7 +160,7 @@ export const SnowflakeProvider = (): TDynamicProviderFns => {
       client.destroy(noop);
     }
 
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -32,7 +32,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
     return providerInputs;
   };
 
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
+  const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
     const db = knex({
       client: providerInputs.client,
@@ -52,7 +52,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const validateConnection = async (inputs: unknown) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
     // oracle needs from keyword
     const testStatement = providerInputs.client === SqlProviders.Oracle ? "SELECT 1 FROM DUAL" : "SELECT 1";
 
@@ -63,7 +63,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const create = async (inputs: unknown, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
 
     const username = generateUsername(providerInputs.client);
     const password = generatePassword(providerInputs.client);
@@ -90,7 +90,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    const db = await $getClient(providerInputs);
 
     const username = entityId;
     const { database } = providerInputs;
@@ -110,13 +110,19 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const renew = async (inputs: unknown, entityId: string, expireAt: number) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const db = await getClient(providerInputs);
+    if (!providerInputs.renewStatement) return { entityId };
+
+    const db = await $getClient(providerInputs);
 
-    const username = entityId;
     const expiration = new Date(expireAt).toISOString();
     const { database } = providerInputs;
 
-    const renewStatement = handlebars.compile(providerInputs.renewStatement)({ username, expiration, database });
+    const renewStatement = handlebars.compile(providerInputs.renewStatement)({
+      username: entityId,
+      expiration,
+      database
+    });
+
     if (renewStatement) {
       const queries = renewStatement.toString().split(";").filter(Boolean);
       await db.transaction(async (tx) => {
@@ -128,7 +134,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
     }
 
     await db.destroy();
-    return { entityId: username };
+    return { entityId };
   };
 
   return {

backend/src/ee/services/dynamic-secret/providers/totp.ts

@@ -0,0 +1,90 @@
+import { authenticator } from "otplib";
+import { HashAlgorithms } from "otplib/core";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { DynamicSecretTotpSchema, TDynamicProviderFns, TotpConfigType } from "./models";
+
+export const TotpProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretTotpSchema.parseAsync(inputs);
+
+    return providerInputs;
+  };
+
+  const validateConnection = async () => {
+    return true;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const entityId = alphaNumericNanoId(32);
+    const authenticatorInstance = authenticator.clone();
+
+    let secret: string;
+    let period: number | null | undefined;
+    let digits: number | null | undefined;
+    let algorithm: HashAlgorithms | null | undefined;
+
+    if (providerInputs.configType === TotpConfigType.URL) {
+      const urlObj = new URL(providerInputs.url);
+      secret = urlObj.searchParams.get("secret") as string;
+      const periodFromUrl = urlObj.searchParams.get("period");
+      const digitsFromUrl = urlObj.searchParams.get("digits");
+      const algorithmFromUrl = urlObj.searchParams.get("algorithm");
+
+      if (periodFromUrl) {
+        period = +periodFromUrl;
+      }
+
+      if (digitsFromUrl) {
+        digits = +digitsFromUrl;
+      }
+
+      if (algorithmFromUrl) {
+        algorithm = algorithmFromUrl.toLowerCase() as HashAlgorithms;
+      }
+    } else {
+      secret = providerInputs.secret;
+      period = providerInputs.period;
+      digits = providerInputs.digits;
+      algorithm = providerInputs.algorithm as unknown as HashAlgorithms;
+    }
+
+    if (digits) {
+      authenticatorInstance.options = { digits };
+    }
+
+    if (algorithm) {
+      authenticatorInstance.options = { algorithm };
+    }
+
+    if (period) {
+      authenticatorInstance.options = { step: period };
+    }
+
+    return {
+      entityId,
+      data: { TOTP: authenticatorInstance.generate(secret), TIME_REMAINING: authenticatorInstance.timeRemaining() }
+    };
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    return { entityId };
+  };
+
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/hsm/hsm-fns.ts

@@ -27,7 +27,7 @@ export const initializeHsmModule = () => {
 
       logger.info("PKCS#11 module initialized");
     } catch (err) {
-      logger.error("Failed to initialize PKCS#11 module:", err);
+      logger.error(err, "Failed to initialize PKCS#11 module");
       throw err;
     }
   };
@@ -39,7 +39,7 @@ export const initializeHsmModule = () => {
         isInitialized = false;
         logger.info("PKCS#11 module finalized");
       } catch (err) {
-        logger.error("Failed to finalize PKCS#11 module:", err);
+        logger.error(err, "Failed to finalize PKCS#11 module");
         throw err;
       }
     }

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -36,8 +36,7 @@ export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean>
     });
 
     ldapClient.on("error", (err) => {
-      logger.error("LDAP client error:", err);
-      logger.error(err);
+      logger.error(err, "LDAP client error");
       resolve(false);
     });
 

backend/src/ee/services/license/license-service.ts

@@ -161,8 +161,8 @@ export const licenseServiceFactory = ({
       }
     } catch (error) {
       logger.error(
-        `getPlan: encountered an error when fetching pan [orgId=${orgId}] [projectId=${projectId}] [error]`,
-        error
+        error,
+        `getPlan: encountered an error when fetching pan [orgId=${orgId}] [projectId=${projectId}] [error]`
       );
       await keyStore.setItemWithExpiry(
         FEATURE_CACHE_KEY(orgId),

backend/src/ee/services/permission/org-permission.ts

@@ -31,7 +31,6 @@ export enum OrgPermissionSubjects {
 }
 
 export type OrgPermissionSet =
-  | [OrgPermissionActions.Read, OrgPermissionSubjects.Workspace]
   | [OrgPermissionActions.Create, OrgPermissionSubjects.Workspace]
   | [OrgPermissionActions, OrgPermissionSubjects.Role]
   | [OrgPermissionActions, OrgPermissionSubjects.Member]
@@ -52,7 +51,6 @@ export type OrgPermissionSet =
 const buildAdminPermission = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
   // ws permissions
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
   // role permission
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
@@ -135,7 +133,6 @@ export const orgAdminPermissions = buildAdminPermission();
 const buildMemberPermission = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<OrgPermissionSet>>(createMongoAbility);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);

backend/src/ee/services/permission/permission-dal.ts

@@ -127,14 +127,15 @@ export const permissionDALFactory = (db: TDbClient) => {
 
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
+      const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
       const docs = await db
         .replicaNode()(TableName.Users)
         .where(`${TableName.Users}.id`, userId)
-        .leftJoin(TableName.UserGroupMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
         .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
           void queryBuilder
             .on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.GroupProjectMembership}.groupId`, `${TableName.UserGroupMembership}.groupId`);
+            // @ts-expect-error akhilmhdh: this is valid knexjs query. Its just ts type argument is missing it
+            .andOnIn(`${TableName.GroupProjectMembership}.groupId`, subQueryUserGroups);
         })
         .leftJoin(
           TableName.GroupProjectMembershipRole,

backend/src/ee/services/permission/permission-types.ts

@@ -1,14 +1,7 @@
 import picomatch from "picomatch";
 import { z } from "zod";
 
-export enum PermissionConditionOperators {
-  $IN = "$in",
-  $ALL = "$all",
-  $REGEX = "$regex",
-  $EQ = "$eq",
-  $NEQ = "$ne",
-  $GLOB = "$glob"
-}
+import { PermissionConditionOperators } from "@app/lib/casl";
 
 export const PermissionConditionSchema = {
   [PermissionConditionOperators.$IN]: z.string().trim().min(1).array(),

backend/src/ee/services/permission/project-permission.ts

@@ -1,10 +1,10 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
 import { z } from "zod";
 
-import { conditionsMatcher } from "@app/lib/casl";
+import { conditionsMatcher, PermissionConditionOperators } from "@app/lib/casl";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
 
-import { PermissionConditionOperators, PermissionConditionSchema } from "./permission-types";
+import { PermissionConditionSchema } from "./permission-types";
 
 export enum ProjectPermissionActions {
   Read = "read",

backend/src/ee/services/rate-limit/rate-limit-service.ts

@@ -46,7 +46,7 @@ export const rateLimitServiceFactory = ({ rateLimitDAL, licenseService }: TRateL
       }
       return rateLimit;
     } catch (err) {
-      logger.error("Error fetching rate limits %o", err);
+      logger.error(err, "Error fetching rate limits");
       return undefined;
     }
   };
@@ -69,12 +69,12 @@ export const rateLimitServiceFactory = ({ rateLimitDAL, licenseService }: TRateL
           mfaRateLimit: rateLimit.mfaRateLimit
         };
 
-        logger.info(`syncRateLimitConfiguration: rate limit configuration: %o`, newRateLimitMaxConfiguration);
+        logger.info(newRateLimitMaxConfiguration, "syncRateLimitConfiguration: rate limit configuration");
         Object.freeze(newRateLimitMaxConfiguration);
         rateLimitMaxConfiguration = newRateLimitMaxConfiguration;
       }
     } catch (error) {
-      logger.error(`Error syncing rate limit configurations: %o`, error);
+      logger.error(error, "Error syncing rate limit configurations");
     }
   };
 

backend/src/ee/services/scim/scim-service.ts

@@ -18,6 +18,7 @@ import { TGroupProjectDALFactory } from "@app/services/group-project/group-proje
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
+import { OrgAuthMethod } from "@app/services/org/org-types";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
@@ -71,6 +72,7 @@ type TScimServiceFactoryDep = {
     | "deleteMembershipById"
     | "transaction"
     | "updateMembershipById"
+    | "findOrgById"
   >;
   orgMembershipDAL: Pick<
     TOrgMembershipDALFactory,
@@ -288,8 +290,7 @@ export const scimServiceFactory = ({
   const createScimUser = async ({ externalId, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
     if (!email) throw new ScimRequestError({ detail: "Invalid request. Missing email.", status: 400 });
 
-    const org = await orgDAL.findById(orgId);
-
+    const org = await orgDAL.findOrgById(orgId);
     if (!org)
       throw new ScimRequestError({
         detail: "Organization not found",
@@ -302,13 +303,24 @@ export const scimServiceFactory = ({
         status: 403
       });
 
+    if (!org.orgAuthMethod) {
+      throw new ScimRequestError({
+        detail: "Neither SAML or OIDC SSO is configured",
+        status: 400
+      });
+    }
+
     const appCfg = getConfig();
     const serverCfg = await getServerCfg();
 
+    const aliasType = org.orgAuthMethod === OrgAuthMethod.OIDC ? UserAliasType.OIDC : UserAliasType.SAML;
+    const trustScimEmails =
+      org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails;
+
     const userAlias = await userAliasDAL.findOne({
       externalId,
       orgId,
-      aliasType: UserAliasType.SAML
+      aliasType
     });
 
     const { user: createdUser, orgMembership: createdOrgMembership } = await userDAL.transaction(async (tx) => {
@@ -349,7 +361,7 @@ export const scimServiceFactory = ({
           );
         }
       } else {
-        if (serverCfg.trustSamlEmails) {
+        if (trustScimEmails) {
           user = await userDAL.findOne(
             {
               email,
@@ -367,9 +379,9 @@ export const scimServiceFactory = ({
           );
           user = await userDAL.create(
             {
-              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
+              username: trustScimEmails ? email : uniqueUsername,
               email,
-              isEmailVerified: serverCfg.trustSamlEmails,
+              isEmailVerified: trustScimEmails,
               firstName,
               lastName,
               authMethods: [],
@@ -382,7 +394,7 @@ export const scimServiceFactory = ({
         await userAliasDAL.create(
           {
             userId: user.id,
-            aliasType: UserAliasType.SAML,
+            aliasType,
             externalId,
             emails: email ? [email] : [],
             orgId
@@ -437,7 +449,7 @@ export const scimServiceFactory = ({
         recipients: [email],
         substitutions: {
           organizationName: org.name,
-          callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}`
+          callback_url: `${appCfg.SITE_URL}/api/v1/sso/redirect/organizations/${org.slug}`
         }
       });
     }
@@ -456,6 +468,14 @@ export const scimServiceFactory = ({
 
   // partial
   const updateScimUser = async ({ orgMembershipId, orgId, operations }: TUpdateScimUserDTO) => {
+    const org = await orgDAL.findOrgById(orgId);
+    if (!org.orgAuthMethod) {
+      throw new ScimRequestError({
+        detail: "Neither SAML or OIDC SSO is configured",
+        status: 400
+      });
+    }
+
     const [membership] = await orgDAL
       .findMembership({
         [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
@@ -493,6 +513,9 @@ export const scimServiceFactory = ({
     scimPatch(scimUser, operations);
 
     const serverCfg = await getServerCfg();
+    const trustScimEmails =
+      org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails;
+
     await userDAL.transaction(async (tx) => {
       await orgMembershipDAL.updateById(
         membership.id,
@@ -508,7 +531,7 @@ export const scimServiceFactory = ({
           firstName: scimUser.name.givenName,
           email: scimUser.emails[0].value,
           lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? serverCfg.trustSamlEmails : true
+          isEmailVerified: hasEmailChanged ? trustScimEmails : true
         },
         tx
       );
@@ -526,6 +549,14 @@ export const scimServiceFactory = ({
     email,
     externalId
   }: TReplaceScimUserDTO) => {
+    const org = await orgDAL.findOrgById(orgId);
+    if (!org.orgAuthMethod) {
+      throw new ScimRequestError({
+        detail: "Neither SAML or OIDC SSO is configured",
+        status: 400
+      });
+    }
+
     const [membership] = await orgDAL
       .findMembership({
         [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
@@ -555,7 +586,7 @@ export const scimServiceFactory = ({
       await userAliasDAL.update(
         {
           orgId,
-          aliasType: UserAliasType.SAML,
+          aliasType: org.orgAuthMethod === OrgAuthMethod.OIDC ? UserAliasType.OIDC : UserAliasType.SAML,
           userId: membership.userId
         },
         {
@@ -576,7 +607,8 @@ export const scimServiceFactory = ({
           firstName,
           email,
           lastName,
-          isEmailVerified: serverCfg.trustSamlEmails
+          isEmailVerified:
+            org.orgAuthMethod === OrgAuthMethod.OIDC ? serverCfg.trustOidcEmails : serverCfg.trustSamlEmails
         },
         tx
       );

backend/src/ee/services/secret-scanning/secret-scanning-queue/secret-scanning-queue.ts

@@ -238,11 +238,11 @@ export const secretScanningQueueFactory = ({
   });
 
   queueService.listen(QueueName.SecretPushEventScan, "failed", (job, err) => {
-    logger.error("Failed to secret scan on push", job?.data, err);
+    logger.error(err, "Failed to secret scan on push", job?.data);
   });
 
   queueService.listen(QueueName.SecretFullRepoScan, "failed", (job, err) => {
-    logger.error("Failed to do full repo secret scan", job?.data, err);
+    logger.error(err, "Failed to do full repo secret scan", job?.data);
   });
 
   return { startFullRepoScan, startPushEventScan };

backend/src/lib/api-docs/constants.ts

@@ -391,6 +391,7 @@ export const PROJECTS = {
   CREATE: {
     organizationSlug: "The slug of the organization to create the project in.",
     projectName: "The name of the project to create.",
+    projectDescription: "An optional description label for the project.",
     slug: "An optional slug for the project.",
     template: "The name of the project template, if specified, to apply to this project."
   },
@@ -403,6 +404,7 @@ export const PROJECTS = {
   UPDATE: {
     workspaceId: "The ID of the project to update.",
     name: "The new name of the project.",
+    projectDescription: "An optional description label for the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project."
   },
   GET_KEY: {
@@ -1080,7 +1082,8 @@ export const INTEGRATION = {
       shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store.",
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
-      shouldEnableDelete: "The flag to enable deletion of secrets."
+      shouldEnableDelete: "The flag to enable deletion of secrets.",
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
     }
   },
   UPDATE: {

backend/src/lib/casl/index.ts

@@ -54,3 +54,12 @@ export const isAtLeastAsPrivileged = (permissions1: MongoAbility, permissions2:
 
   return set1.size >= set2.size;
 };
+
+export enum PermissionConditionOperators {
+  $IN = "$in",
+  $ALL = "$all",
+  $REGEX = "$regex",
+  $EQ = "$eq",
+  $NEQ = "$ne",
+  $GLOB = "$glob"
+}

backend/src/lib/config/env.ts

@@ -1,7 +1,7 @@
-import { Logger } from "pino";
 import { z } from "zod";
 
 import { removeTrailingSlash } from "../fn";
+import { CustomLogger } from "../logger/logger";
 import { zpStr } from "../zod";
 
 export const GITLAB_URL = "https://gitlab.com";
@@ -10,7 +10,7 @@ export const GITLAB_URL = "https://gitlab.com";
 export const IS_PACKAGED = (process as any)?.pkg !== undefined;
 
 const zodStrBool = z
-  .enum(["true", "false"])
+  .string()
   .optional()
   .transform((val) => val === "true");
 
@@ -157,6 +157,15 @@ const envSchema = z
     INFISICAL_CLOUD: zodStrBool.default("false"),
     MAINTENANCE_MODE: zodStrBool.default("false"),
     CAPTCHA_SECRET: zpStr(z.string().optional()),
+
+    // TELEMETRY
+    OTEL_TELEMETRY_COLLECTION_ENABLED: zodStrBool.default("false"),
+    OTEL_EXPORT_OTLP_ENDPOINT: zpStr(z.string().optional()),
+    OTEL_OTLP_PUSH_INTERVAL: z.coerce.number().default(30000),
+    OTEL_COLLECTOR_BASIC_AUTH_USERNAME: zpStr(z.string().optional()),
+    OTEL_COLLECTOR_BASIC_AUTH_PASSWORD: zpStr(z.string().optional()),
+    OTEL_EXPORT_TYPE: z.enum(["prometheus", "otlp"]).optional(),
+
     PLAIN_API_KEY: zpStr(z.string().optional()),
     PLAIN_WISH_LABEL_IDS: zpStr(z.string().optional()),
     DISABLE_AUDIT_LOG_GENERATION: zodStrBool.default("false"),
@@ -203,11 +212,11 @@ let envCfg: Readonly<z.infer<typeof envSchema>>;
 
 export const getConfig = () => envCfg;
 // cannot import singleton logger directly as it needs config to load various transport
-export const initEnvConfig = (logger: Logger) => {
+export const initEnvConfig = (logger?: CustomLogger) => {
   const parsedEnv = envSchema.safeParse(process.env);
   if (!parsedEnv.success) {
-    logger.error("Invalid environment variables. Check the error below");
-    logger.error(parsedEnv.error.issues);
+    (logger ?? console).error("Invalid environment variables. Check the error below");
+    (logger ?? console).error(parsedEnv.error.issues);
     process.exit(-1);
   }
 

backend/src/lib/logger/logger.ts

@@ -1,6 +1,8 @@
+/* eslint-disable @typescript-eslint/no-unsafe-argument */
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
 // logger follows a singleton pattern
 // easier to use it that's all.
+import { requestContext } from "@fastify/request-context";
 import pino, { Logger } from "pino";
 import { z } from "zod";
 
@@ -13,14 +15,37 @@ const logLevelToSeverityLookup: Record<string, string> = {
   "60": "CRITICAL"
 };
 
-// eslint-disable-next-line import/no-mutable-exports
-export let logger: Readonly<Logger>;
 // akhilmhdh:
 // The logger is not placed in the main app config to avoid a circular dependency.
 // The config requires the logger to display errors when an invalid environment is supplied.
 // On the other hand, the logger needs the config to obtain credentials for AWS or other transports.
 // By keeping the logger separate, it becomes an independent package.
 
+// We define our own custom logger interface to enforce structure to the logging methods.
+
+export interface CustomLogger extends Omit<Logger, "info" | "error" | "warn" | "debug"> {
+  info: {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (obj: unknown, msg?: string, ...args: any[]): void;
+  };
+
+  error: {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (obj: unknown, msg?: string, ...args: any[]): void;
+  };
+  warn: {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (obj: unknown, msg?: string, ...args: any[]): void;
+  };
+  debug: {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (obj: unknown, msg?: string, ...args: any[]): void;
+  };
+}
+
+// eslint-disable-next-line import/no-mutable-exports
+export let logger: Readonly<CustomLogger>;
+
 const loggerConfig = z.object({
   AWS_CLOUDWATCH_LOG_GROUP_NAME: z.string().default("infisical-log-stream"),
   AWS_CLOUDWATCH_LOG_REGION: z.string().default("us-east-1"),
@@ -62,6 +87,17 @@ const redactedKeys = [
   "config"
 ];
 
+const UNKNOWN_REQUEST_ID = "UNKNOWN_REQUEST_ID";
+
+const extractRequestId = () => {
+  try {
+    return requestContext.get("requestId") || UNKNOWN_REQUEST_ID;
+  } catch (err) {
+    console.log("failed to get request context", err);
+    return UNKNOWN_REQUEST_ID;
+  }
+};
+
 export const initLogger = async () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -94,6 +130,30 @@ export const initLogger = async () => {
     targets
   });
 
+  const wrapLogger = (originalLogger: Logger): CustomLogger => {
+    // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
+    originalLogger.info = (obj: unknown, msg?: string, ...args: any[]) => {
+      return originalLogger.child({ requestId: extractRequestId() }).info(obj, msg, ...args);
+    };
+
+    // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
+    originalLogger.error = (obj: unknown, msg?: string, ...args: any[]) => {
+      return originalLogger.child({ requestId: extractRequestId() }).error(obj, msg, ...args);
+    };
+
+    // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
+    originalLogger.warn = (obj: unknown, msg?: string, ...args: any[]) => {
+      return originalLogger.child({ requestId: extractRequestId() }).warn(obj, msg, ...args);
+    };
+
+    // eslint-disable-next-line no-param-reassign, @typescript-eslint/no-explicit-any
+    originalLogger.debug = (obj: unknown, msg?: string, ...args: any[]) => {
+      return originalLogger.child({ requestId: extractRequestId() }).debug(obj, msg, ...args);
+    };
+
+    return originalLogger;
+  };
+
   logger = pino(
     {
       mixin(_context, level) {
@@ -113,5 +173,6 @@ export const initLogger = async () => {
     // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
     transport
   );
-  return logger;
+
+  return wrapLogger(logger);
 };

backend/src/lib/telemetry/instrumentation.ts

@@ -0,0 +1,91 @@
+import opentelemetry, { diag, DiagConsoleLogger, DiagLogLevel } from "@opentelemetry/api";
+import { getNodeAutoInstrumentations } from "@opentelemetry/auto-instrumentations-node";
+import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-proto";
+import { PrometheusExporter } from "@opentelemetry/exporter-prometheus";
+import { registerInstrumentations } from "@opentelemetry/instrumentation";
+import { Resource } from "@opentelemetry/resources";
+import { AggregationTemporality, MeterProvider, PeriodicExportingMetricReader } from "@opentelemetry/sdk-metrics";
+import { ATTR_SERVICE_NAME, ATTR_SERVICE_VERSION } from "@opentelemetry/semantic-conventions";
+import dotenv from "dotenv";
+
+import { initEnvConfig } from "../config/env";
+
+dotenv.config();
+
+const initTelemetryInstrumentation = ({
+  exportType,
+  otlpURL,
+  otlpUser,
+  otlpPassword,
+  otlpPushInterval
+}: {
+  exportType?: string;
+  otlpURL?: string;
+  otlpUser?: string;
+  otlpPassword?: string;
+  otlpPushInterval?: number;
+}) => {
+  diag.setLogger(new DiagConsoleLogger(), DiagLogLevel.DEBUG);
+
+  const resource = Resource.default().merge(
+    new Resource({
+      [ATTR_SERVICE_NAME]: "infisical-core",
+      [ATTR_SERVICE_VERSION]: "0.1.0"
+    })
+  );
+
+  const metricReaders = [];
+  switch (exportType) {
+    case "prometheus": {
+      const promExporter = new PrometheusExporter();
+      metricReaders.push(promExporter);
+      break;
+    }
+    case "otlp": {
+      const otlpExporter = new OTLPMetricExporter({
+        url: `${otlpURL}/v1/metrics`,
+        headers: {
+          Authorization: `Basic ${btoa(`${otlpUser}:${otlpPassword}`)}`
+        },
+        temporalityPreference: AggregationTemporality.DELTA
+      });
+      metricReaders.push(
+        new PeriodicExportingMetricReader({
+          exporter: otlpExporter,
+          exportIntervalMillis: otlpPushInterval
+        })
+      );
+      break;
+    }
+    default:
+      throw new Error("Invalid OTEL export type");
+  }
+
+  const meterProvider = new MeterProvider({
+    resource,
+    readers: metricReaders
+  });
+
+  opentelemetry.metrics.setGlobalMeterProvider(meterProvider);
+
+  registerInstrumentations({
+    instrumentations: [getNodeAutoInstrumentations()]
+  });
+};
+
+const setupTelemetry = () => {
+  const appCfg = initEnvConfig();
+
+  if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+    console.log("Initializing telemetry instrumentation");
+    initTelemetryInstrumentation({
+      otlpURL: appCfg.OTEL_EXPORT_OTLP_ENDPOINT,
+      otlpUser: appCfg.OTEL_COLLECTOR_BASIC_AUTH_USERNAME,
+      otlpPassword: appCfg.OTEL_COLLECTOR_BASIC_AUTH_PASSWORD,
+      otlpPushInterval: appCfg.OTEL_OTLP_PUSH_INTERVAL,
+      exportType: appCfg.OTEL_EXPORT_TYPE
+    });
+  }
+};
+
+void setupTelemetry();

backend/src/main.ts

@@ -1,3 +1,5 @@
+import "./lib/telemetry/instrumentation";
+
 import dotenv from "dotenv";
 import path from "path";
 
@@ -18,6 +20,7 @@ dotenv.config();
 const run = async () => {
   const logger = await initLogger();
   const appCfg = initEnvConfig(logger);
+
   const db = initDbConnection({
     dbConnectionUri: appCfg.DB_CONNECTION_URI,
     dbRootCert: appCfg.DB_ROOT_CERT,

backend/src/server/app.ts

@@ -10,18 +10,21 @@ import fastifyFormBody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
 import type { FastifyRateLimitOptions } from "@fastify/rate-limit";
 import ratelimiter from "@fastify/rate-limit";
+import { fastifyRequestContext } from "@fastify/request-context";
 import fastify from "fastify";
 import { Knex } from "knex";
-import { Logger } from "pino";
 
 import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
+import { CustomLogger } from "@app/lib/logger/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TQueueServiceFactory } from "@app/queue";
 import { TSmtpService } from "@app/services/smtp/smtp-service";
 
 import { globalRateLimiterCfg } from "./config/rateLimiter";
 import { addErrorsToResponseSchemas } from "./plugins/add-errors-to-response-schemas";
+import { apiMetrics } from "./plugins/api-metrics";
 import { fastifyErrHandler } from "./plugins/error-handler";
 import { registerExternalNextjs } from "./plugins/external-nextjs";
 import { serializerCompiler, validatorCompiler, ZodTypeProvider } from "./plugins/fastify-zod";
@@ -34,7 +37,7 @@ type TMain = {
   auditLogDb?: Knex;
   db: Knex;
   smtp: TSmtpService;
-  logger?: Logger;
+  logger?: CustomLogger;
   queue: TQueueServiceFactory;
   keyStore: TKeyStoreFactory;
   hsmModule: HsmModule;
@@ -46,7 +49,9 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
   const server = fastify({
     logger: appCfg.NODE_ENV === "test" ? false : logger,
+    genReqId: () => `req-${alphaNumericNanoId(14)}`,
     trustProxy: true,
+
     connectionTimeout: appCfg.isHsmConfigured ? 90_000 : 30_000,
     ignoreTrailingSlash: true,
     pluginTimeout: 40_000
@@ -86,6 +91,10 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
     // pull ip based on various proxy headers
     await server.register(fastifyIp);
 
+    if (appCfg.OTEL_TELEMETRY_COLLECTION_ENABLED) {
+      await server.register(apiMetrics);
+    }
+
     await server.register(fastifySwagger);
     await server.register(fastifyFormBody);
     await server.register(fastifyErrHandler);
@@ -99,6 +108,13 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register(maintenanceMode);
 
+    await server.register(fastifyRequestContext, {
+      defaultStoreValues: (request) => ({
+        requestId: request.id,
+        log: request.log.child({ requestId: request.id })
+      })
+    });
+
     await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
 
     if (appCfg.isProductionMode) {

backend/src/server/plugins/api-metrics.ts

@@ -0,0 +1,21 @@
+import opentelemetry from "@opentelemetry/api";
+import fp from "fastify-plugin";
+
+export const apiMetrics = fp(async (fastify) => {
+  const apiMeter = opentelemetry.metrics.getMeter("API");
+  const latencyHistogram = apiMeter.createHistogram("API_latency", {
+    unit: "ms"
+  });
+
+  fastify.addHook("onResponse", async (request, reply) => {
+    const { method } = request;
+    const route = request.routerPath;
+    const { statusCode } = reply;
+
+    latencyHistogram.record(reply.elapsedTime, {
+      route,
+      method,
+      statusCode
+    });
+  });
+});

backend/src/server/plugins/error-handler.ts

@@ -1,4 +1,4 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, PureAbility } from "@casl/ability";
 import fastifyPlugin from "fastify-plugin";
 import jwt from "jsonwebtoken";
 import { ZodError } from "zod";
@@ -39,77 +39,102 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
     if (error instanceof BadRequestError) {
       void res
         .status(HttpStatusCodes.BadRequest)
-        .send({ statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
+        .send({ requestId: req.id, statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
     } else if (error instanceof NotFoundError) {
       void res
         .status(HttpStatusCodes.NotFound)
-        .send({ statusCode: HttpStatusCodes.NotFound, message: error.message, error: error.name });
+        .send({ requestId: req.id, statusCode: HttpStatusCodes.NotFound, message: error.message, error: error.name });
     } else if (error instanceof UnauthorizedError) {
-      void res
-        .status(HttpStatusCodes.Unauthorized)
-        .send({ statusCode: HttpStatusCodes.Unauthorized, message: error.message, error: error.name });
+      void res.status(HttpStatusCodes.Unauthorized).send({
+        requestId: req.id,
+        statusCode: HttpStatusCodes.Unauthorized,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof DatabaseError || error instanceof InternalServerError) {
-      void res
-        .status(HttpStatusCodes.InternalServerError)
-        .send({ statusCode: HttpStatusCodes.InternalServerError, message: "Something went wrong", error: error.name });
+      void res.status(HttpStatusCodes.InternalServerError).send({
+        requestId: req.id,
+        statusCode: HttpStatusCodes.InternalServerError,
+        message: "Something went wrong",
+        error: error.name
+      });
     } else if (error instanceof GatewayTimeoutError) {
-      void res
-        .status(HttpStatusCodes.GatewayTimeout)
-        .send({ statusCode: HttpStatusCodes.GatewayTimeout, message: error.message, error: error.name });
+      void res.status(HttpStatusCodes.GatewayTimeout).send({
+        requestId: req.id,
+        statusCode: HttpStatusCodes.GatewayTimeout,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof ZodError) {
-      void res
-        .status(HttpStatusCodes.Unauthorized)
-        .send({ statusCode: HttpStatusCodes.Unauthorized, error: "ValidationFailure", message: error.issues });
+      void res.status(HttpStatusCodes.Unauthorized).send({
+        requestId: req.id,
+        statusCode: HttpStatusCodes.Unauthorized,
+        error: "ValidationFailure",
+        message: error.issues
+      });
     } else if (error instanceof ForbiddenError) {
       void res.status(HttpStatusCodes.Forbidden).send({
+        requestId: req.id,
         statusCode: HttpStatusCodes.Forbidden,
         error: "PermissionDenied",
-        message: `You are not allowed to ${error.action} on ${error.subjectType} - ${JSON.stringify(error.subject)}`
+        message: `You are not allowed to ${error.action} on ${error.subjectType}`,
+        details: (error.ability as PureAbility).rulesFor(error.action as string, error.subjectType).map((el) => ({
+          action: el.action,
+          inverted: el.inverted,
+          subject: el.subject,
+          conditions: el.conditions
+        }))
       });
     } else if (error instanceof ForbiddenRequestError) {
       void res.status(HttpStatusCodes.Forbidden).send({
+        requestId: req.id,
         statusCode: HttpStatusCodes.Forbidden,
         message: error.message,
         error: error.name
       });
     } else if (error instanceof RateLimitError) {
       void res.status(HttpStatusCodes.TooManyRequests).send({
+        requestId: req.id,
         statusCode: HttpStatusCodes.TooManyRequests,
         message: error.message,
         error: error.name
       });
     } else if (error instanceof ScimRequestError) {
       void res.status(error.status).send({
+        requestId: req.id,
         schemas: error.schemas,
         status: error.status,
         detail: error.detail
       });
     } else if (error instanceof OidcAuthError) {
-      void res
-        .status(HttpStatusCodes.InternalServerError)
-        .send({ statusCode: HttpStatusCodes.InternalServerError, message: error.message, error: error.name });
+      void res.status(HttpStatusCodes.InternalServerError).send({
+        requestId: req.id,
+        statusCode: HttpStatusCodes.InternalServerError,
+        message: error.message,
+        error: error.name
+      });
     } else if (error instanceof jwt.JsonWebTokenError) {
-      const message = (() => {
-        if (error.message === JWTErrors.JwtExpired) {
-          return "Your token has expired. Please re-authenticate.";
-        }
-        if (error.message === JWTErrors.JwtMalformed) {
-          return "The provided access token is malformed. Please use a valid token or generate a new one and try again.";
-        }
-        if (error.message === JWTErrors.InvalidAlgorithm) {
-          return "The access token is signed with an invalid algorithm. Please provide a valid token and try again.";
-        }
+      let errorMessage = error.message;
 
-        return error.message;
-      })();
+      if (error.message === JWTErrors.JwtExpired) {
+        errorMessage = "Your token has expired. Please re-authenticate.";
+      } else if (error.message === JWTErrors.JwtMalformed) {
+        errorMessage =
+          "The provided access token is malformed. Please use a valid token or generate a new one and try again.";
+      } else if (error.message === JWTErrors.InvalidAlgorithm) {
+        errorMessage =
+          "The access token is signed with an invalid algorithm. Please provide a valid token and try again.";
+      }
 
       void res.status(HttpStatusCodes.Forbidden).send({
+        requestId: req.id,
         statusCode: HttpStatusCodes.Forbidden,
         error: "TokenError",
-        message
+        message: errorMessage
       });
     } else {
       void res.status(HttpStatusCodes.InternalServerError).send({
+        requestId: req.id,
         statusCode: HttpStatusCodes.InternalServerError,
         error: "InternalServerError",
         message: "Something went wrong"

backend/src/server/plugins/secret-scanner.ts

@@ -19,7 +19,7 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
 
     app.on("installation", async (context) => {
       const { payload } = context;
-      logger.info("Installed secret scanner to:", { repositories: payload.repositories });
+      logger.info({ repositories: payload.repositories }, "Installed secret scanner to");
     });
 
     app.on("push", async (context) => {

backend/src/server/routes/sanitizedSchemas.ts

@@ -30,26 +30,32 @@ export const integrationAuthPubSchema = IntegrationAuthsSchema.pick({
 
 export const DefaultResponseErrorsSchema = {
   400: z.object({
+    requestId: z.string(),
     statusCode: z.literal(400),
     message: z.string(),
     error: z.string()
   }),
   404: z.object({
+    requestId: z.string(),
     statusCode: z.literal(404),
     message: z.string(),
     error: z.string()
   }),
   401: z.object({
+    requestId: z.string(),
     statusCode: z.literal(401),
     message: z.any(),
     error: z.string()
   }),
   403: z.object({
+    requestId: z.string(),
     statusCode: z.literal(403),
     message: z.string(),
+    details: z.any().optional(),
     error: z.string()
   }),
   500: z.object({
+    requestId: z.string(),
     statusCode: z.literal(500),
     message: z.string(),
     error: z.string()
@@ -206,6 +212,7 @@ export const SanitizedAuditLogStreamSchema = z.object({
 export const SanitizedProjectSchema = ProjectsSchema.pick({
   id: true,
   name: true,
+  description: true,
   slug: true,
   autoCapitalization: true,
   orgId: true,

backend/src/server/routes/v1/integration-auth-router.ts

@@ -5,6 +5,7 @@ import { INTEGRATION_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
+import { OctopusDeployScope } from "@app/services/integration-auth/integration-auth-types";
 
 import { integrationAuthPubSchema } from "../sanitizedSchemas";
 
@@ -1008,4 +1009,118 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
       return { buildConfigs };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:integrationAuthId/octopus-deploy/scope-values",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      querystring: z.object({
+        scope: z.nativeEnum(OctopusDeployScope),
+        spaceId: z.string().trim(),
+        resourceId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          Environments: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          Machines: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          Actions: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          Roles: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          Channels: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          TenantTags: z
+            .object({
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array(),
+          Processes: z
+            .object({
+              ProcessType: z.string(),
+              Name: z.string(),
+              Id: z.string()
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const scopeValues = await server.services.integrationAuth.getOctopusDeployScopeValues({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId,
+        scope: req.query.scope,
+        spaceId: req.query.spaceId,
+        resourceId: req.query.resourceId
+      });
+      return scopeValues;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:integrationAuthId/octopus-deploy/spaces",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          spaces: z
+            .object({
+              Name: z.string(),
+              Id: z.string(),
+              IsDefault: z.boolean()
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const spaces = await server.services.integrationAuth.getOctopusDeploySpaces({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId
+      });
+      return { spaces };
+    }
+  });
 };

backend/src/server/routes/v1/integration-router.ts

@@ -9,6 +9,7 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { IntegrationMetadataSchema } from "@app/services/integration/integration-schema";
+import { Integrations } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
 import {} from "../sanitizedSchemas";
@@ -206,6 +207,33 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         id: req.params.integrationId
       });
 
+      if (integration.region) {
+        integration.metadata = {
+          ...(integration.metadata || {}),
+          region: integration.region
+        };
+      }
+
+      if (
+        integration.integration === Integrations.AWS_SECRET_MANAGER ||
+        integration.integration === Integrations.AWS_PARAMETER_STORE
+      ) {
+        const awsRoleDetails = await server.services.integration.getIntegrationAWSIamRole({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          id: req.params.integrationId
+        });
+
+        if (awsRoleDetails) {
+          integration.metadata = {
+            ...(integration.metadata || {}),
+            awsIamRole: awsRoleDetails.role
+          };
+        }
+      }
+
       return { integration };
     }
   });

backend/src/server/routes/v1/project-router.ts

@@ -296,6 +296,12 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           .max(64, { message: "Name must be 64 or fewer characters" })
           .optional()
           .describe(PROJECTS.UPDATE.name),
+        description: z
+          .string()
+          .trim()
+          .max(256, { message: "Description must be 256 or fewer characters" })
+          .optional()
+          .describe(PROJECTS.UPDATE.projectDescription),
         autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
       }),
       response: {
@@ -313,6 +319,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         },
         update: {
           name: req.body.name,
+          description: req.body.description,
           autoCapitalization: req.body.autoCapitalization
         },
         actorAuthMethod: req.permission.authMethod,

backend/src/server/routes/v1/sso-router.ts

@@ -14,10 +14,12 @@ import { Strategy as GoogleStrategy } from "passport-google-oauth20";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { fetchGithubEmails } from "@app/lib/requests/github";
+import { authRateLimit } from "@app/server/config/rateLimiter";
 import { AuthMethod } from "@app/services/auth/auth-type";
+import { OrgAuthMethod } from "@app/services/org/org-types";
 
 export const registerSsoRouter = async (server: FastifyZodProvider) => {
   const appCfg = getConfig();
@@ -196,6 +198,44 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
     handler: () => {}
   });
 
+  server.route({
+    url: "/redirect/organizations/:orgSlug",
+    method: "GET",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      params: z.object({
+        orgSlug: z.string().trim()
+      }),
+      querystring: z.object({
+        callback_port: z.string().optional()
+      })
+    },
+    handler: async (req, res) => {
+      const org = await server.services.org.findOrgBySlug(req.params.orgSlug);
+      if (org.orgAuthMethod === OrgAuthMethod.SAML) {
+        return res.redirect(
+          `${appCfg.SITE_URL}/api/v1/sso/redirect/saml2/organizations/${org.slug}?${
+            req.query.callback_port ? `callback_port=${req.query.callback_port}` : ""
+          }`
+        );
+      }
+
+      if (org.orgAuthMethod === OrgAuthMethod.OIDC) {
+        return res.redirect(
+          `${appCfg.SITE_URL}/api/v1/sso/oidc/login?orgSlug=${org.slug}${
+            req.query.callback_port ? `&callbackPort=${req.query.callback_port}` : ""
+          }`
+        );
+      }
+
+      throw new BadRequestError({
+        message: "The organization does not have any SSO configured."
+      });
+    }
+  });
+
   server.route({
     url: "/github",
     method: "GET",

backend/src/server/routes/v2/project-router.ts

@@ -161,6 +161,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       ],
       body: z.object({
         projectName: z.string().trim().describe(PROJECTS.CREATE.projectName),
+        projectDescription: z.string().trim().optional().describe(PROJECTS.CREATE.projectDescription),
         slug: z
           .string()
           .min(5)
@@ -194,6 +195,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         workspaceName: req.body.projectName,
+        workspaceDescription: req.body.projectDescription,
         slug: req.body.slug,
         kmsKeyId: req.body.kmsKeyId,
         template: req.body.template
@@ -312,8 +314,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         slug: slugSchema.describe("The slug of the project to update.")
       }),
       body: z.object({
-        name: z.string().trim().optional().describe("The new name of the project."),
-        autoCapitalization: z.boolean().optional().describe("The new auto-capitalization setting.")
+        name: z.string().trim().optional().describe(PROJECTS.UPDATE.name),
+        description: z.string().trim().optional().describe(PROJECTS.UPDATE.projectDescription),
+        autoCapitalization: z.boolean().optional().describe(PROJECTS.UPDATE.autoCapitalization)
       }),
       response: {
         200: SanitizedProjectSchema
@@ -330,6 +333,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         },
         update: {
           name: req.body.name,
+          description: req.body.description,
           autoCapitalization: req.body.autoCapitalization
         },
         actorId: req.permission.id,

backend/src/server/routes/v3/signup-router.ts

@@ -119,13 +119,6 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       if (!userAgent) throw new Error("user agent header is required");
       const appCfg = getConfig();
 
-      const serverCfg = await getServerCfg();
-      if (!serverCfg.allowSignUp) {
-        throw new ForbiddenRequestError({
-          message: "Signup's are disabled"
-        });
-      }
-
       const { user, accessToken, refreshToken, organizationId } =
         await server.services.signup.completeEmailAccountSignup({
           ...req.body,

backend/src/services/auth/auth-signup-service.ts

@@ -9,7 +9,7 @@ import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys, getUserPrivateKey } from "@app/lib/crypto/srp";
-import { NotFoundError } from "@app/lib/errors";
+import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -23,6 +23,7 @@ import { TOrgServiceFactory } from "../org/org-service";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
+import { getServerCfg } from "../super-admin/super-admin-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { UserEncryption } from "../user/user-types";
 import { TAuthDALFactory } from "./auth-dal";
@@ -151,6 +152,8 @@ export const authSignupServiceFactory = ({
     authorization
   }: TCompleteAccountSignupDTO) => {
     const appCfg = getConfig();
+    const serverCfg = await getServerCfg();
+
     const user = await userDAL.findOne({ username: email });
     if (!user || (user && user.isAccepted)) {
       throw new Error("Failed to complete account for complete user");
@@ -163,6 +166,12 @@ export const authSignupServiceFactory = ({
       authMethod = userAuthMethod;
       organizationId = orgId;
     } else {
+      // disallow signup if disabled. we are not doing this for providerAuthToken because we allow signups via saml or sso
+      if (!serverCfg.allowSignUp) {
+        throw new ForbiddenRequestError({
+          message: "Signup's are disabled"
+        });
+      }
       validateSignUpAuthorization(authorization, user.id);
     }
 

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -29,7 +29,7 @@ import {
 } from "./identity-aws-auth-types";
 
 type TIdentityAwsAuthServiceFactoryDep = {
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
   identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -346,6 +346,8 @@ export const identityAwsAuthServiceFactory = ({
 
     const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
       const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.AWS_AUTH }, tx);
+
       return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityAwsAuth;

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -30,7 +30,7 @@ type TIdentityAzureAuthServiceFactoryDep = {
     "findOne" | "transaction" | "create" | "updateById" | "delete"
   >;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -319,6 +319,8 @@ export const identityAzureAuthServiceFactory = ({
 
     const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
       const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.AZURE_AUTH }, tx);
+
       return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityAzureAuth;

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -28,7 +28,7 @@ import {
 type TIdentityGcpAuthServiceFactoryDep = {
   identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -365,6 +365,8 @@ export const identityGcpAuthServiceFactory = ({
 
     const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
       const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.GCP_AUTH }, tx);
+
       return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityGcpAuth;

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -41,7 +41,7 @@ type TIdentityKubernetesAuthServiceFactoryDep = {
     TIdentityKubernetesAuthDALFactory,
     "create" | "findOne" | "transaction" | "updateById" | "delete"
   >;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
@@ -120,7 +120,8 @@ export const identityKubernetesAuthServiceFactory = ({
           apiVersion: "authentication.k8s.io/v1",
           kind: "TokenReview",
           spec: {
-            token: serviceAccountJwt
+            token: serviceAccountJwt,
+            ...(identityKubernetesAuth.allowedAudience ? { audiences: [identityKubernetesAuth.allowedAudience] } : {})
           }
         },
         {
@@ -622,6 +623,7 @@ export const identityKubernetesAuthServiceFactory = ({
 
     const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
       const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.KUBERNETES_AUTH }, tx);
       return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
     return revokedIdentityKubernetesAuth;

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -39,7 +39,7 @@ import {
 type TIdentityOidcAuthServiceFactoryDep = {
   identityOidcAuthDAL: TIdentityOidcAuthDALFactory;
   identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
@@ -539,6 +539,8 @@ export const identityOidcAuthServiceFactory = ({
 
     const revokedIdentityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
       const deletedOidcAuth = await identityOidcAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.OIDC_AUTH }, tx);
+
       return { ...deletedOidcAuth?.[0], orgId: identityMembershipOrg.orgId };
     });
 

backend/src/services/identity-project/identity-project-service.ts

@@ -182,7 +182,12 @@ export const identityProjectServiceFactory = ({
 
     // validate custom roles input
     const customInputRoles = roles.filter(
-      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+      ({ role }) =>
+        !Object.values(ProjectMembershipRole)
+          // we don't want to include custom in this check;
+          // this unintentionally enables setting slug to custom which is reserved
+          .filter((r) => r !== ProjectMembershipRole.Custom)
+          .includes(role as ProjectMembershipRole)
     );
     const hasCustomRole = Boolean(customInputRoles.length);
     const customRoles = hasCustomRole

backend/src/services/identity-token-auth/identity-token-auth-service.ts

@@ -385,8 +385,8 @@ export const identityTokenAuthServiceFactory = ({
     actorOrgId
   }: TUpdateTokenAuthTokenDTO) => {
     const foundToken = await identityAccessTokenDAL.findOne({
-      id: tokenId,
-      authMethod: IdentityAuthMethod.TOKEN_AUTH
+      [`${TableName.IdentityAccessToken}.id` as "id"]: tokenId,
+      [`${TableName.IdentityAccessToken}.authMethod` as "authMethod"]: IdentityAuthMethod.TOKEN_AUTH
     });
     if (!foundToken) throw new NotFoundError({ message: `Token with ID ${tokenId} not found` });
 
@@ -444,8 +444,8 @@ export const identityTokenAuthServiceFactory = ({
   }: TRevokeTokenAuthTokenDTO) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: tokenId,
-      isAccessTokenRevoked: false,
-      authMethod: IdentityAuthMethod.TOKEN_AUTH
+      [`${TableName.IdentityAccessToken}.isAccessTokenRevoked` as "isAccessTokenRevoked"]: false,
+      [`${TableName.IdentityAccessToken}.authMethod` as "authMethod"]: IdentityAuthMethod.TOKEN_AUTH
     });
     if (!identityAccessToken)
       throw new NotFoundError({

backend/src/services/integration-auth/integration-app-list.ts

@@ -1,6 +1,7 @@
 /* eslint-disable no-await-in-loop */
 import { createAppAuth } from "@octokit/auth-app";
 import { Octokit } from "@octokit/rest";
+import { Client as OctopusDeployClient, ProjectRepository as OctopusDeployRepository } from "@octopusdeploy/api-client";
 
 import { TIntegrationAuths } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
@@ -1087,6 +1088,33 @@ const getAppsAzureDevOps = async ({ accessToken, orgName }: { accessToken: strin
   return apps;
 };
 
+const getAppsOctopusDeploy = async ({
+  apiKey,
+  instanceURL,
+  spaceName = "Default"
+}: {
+  apiKey: string;
+  instanceURL: string;
+  spaceName?: string;
+}) => {
+  const client = await OctopusDeployClient.create({
+    instanceURL,
+    apiKey,
+    userAgentApp: "Infisical Integration"
+  });
+
+  const repository = new OctopusDeployRepository(client, spaceName);
+
+  const projects = await repository.list({
+    take: 1000
+  });
+
+  return projects.Items.map((project) => ({
+    name: project.Name,
+    appId: project.Id
+  }));
+};
+
 export const getApps = async ({
   integration,
   integrationAuth,
@@ -1260,6 +1288,13 @@ export const getApps = async ({
         orgName: azureDevOpsOrgName as string
       });
 
+    case Integrations.OCTOPUS_DEPLOY:
+      return getAppsOctopusDeploy({
+        apiKey: accessToken,
+        instanceURL: url!,
+        spaceName: workspaceSlug
+      });
+
     default:
       throw new NotFoundError({ message: `Integration '${integration}' not found` });
   }

backend/src/services/integration-auth/integration-auth-service.ts

@@ -1,6 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import { createAppAuth } from "@octokit/auth-app";
 import { Octokit } from "@octokit/rest";
+import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } from "@octopusdeploy/api-client";
 import AWS from "aws-sdk";
 
 import { SecretEncryptionAlgo, SecretKeyEncoding, TIntegrationAuths, TIntegrationAuthsInsert } from "@app/db/schemas";
@@ -9,7 +10,7 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
 import { decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { TGenericPermission, TProjectPermission } from "@app/lib/types";
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
@@ -20,6 +21,7 @@ import { getApps } from "./integration-app-list";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
 import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
+  OctopusDeployScope,
   TBitbucketEnvironment,
   TBitbucketWorkspace,
   TChecklyGroups,
@@ -38,6 +40,8 @@ import {
   TIntegrationAuthGithubOrgsDTO,
   TIntegrationAuthHerokuPipelinesDTO,
   TIntegrationAuthNorthflankSecretGroupDTO,
+  TIntegrationAuthOctopusDeployProjectScopeValuesDTO,
+  TIntegrationAuthOctopusDeploySpacesDTO,
   TIntegrationAuthQoveryEnvironmentsDTO,
   TIntegrationAuthQoveryOrgsDTO,
   TIntegrationAuthQoveryProjectDTO,
@@ -48,6 +52,7 @@ import {
   TIntegrationAuthVercelBranchesDTO,
   TNorthflankSecretGroup,
   TOauthExchangeDTO,
+  TOctopusDeployVariableSet,
   TSaveIntegrationAccessTokenDTO,
   TTeamCityBuildConfig,
   TVercelBranches
@@ -1521,6 +1526,88 @@ export const integrationAuthServiceFactory = ({
     return integrationAuthDAL.create(newIntegrationAuth);
   };
 
+  const getOctopusDeploySpaces = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id
+  }: TIntegrationAuthOctopusDeploySpacesDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
+
+    const client = await OctopusClient.create({
+      apiKey: accessToken,
+      instanceURL: integrationAuth.url!,
+      userAgentApp: "Infisical Integration"
+    });
+
+    const spaceRepository = new OctopusSpaceRepository(client);
+
+    const spaces = await spaceRepository.list({
+      partialName: "", // throws error if no string is present...
+      take: 1000
+    });
+
+    return spaces.Items;
+  };
+
+  const getOctopusDeployScopeValues = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    id,
+    scope,
+    spaceId,
+    resourceId
+  }: TIntegrationAuthOctopusDeployProjectScopeValuesDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
+
+    let url: string;
+    switch (scope) {
+      case OctopusDeployScope.Project:
+        url = `${integrationAuth.url}/api/${spaceId}/projects/${resourceId}/variables`;
+        break;
+      // future support tenant, variable set etc.
+      default:
+        throw new InternalServerError({ message: `Unhandled Octopus Deploy scope` });
+    }
+
+    // SDK doesn't support variable set...
+    const { data: variableSet } = await request.get<TOctopusDeployVariableSet>(url, {
+      headers: {
+        "X-NuGet-ApiKey": accessToken,
+        Accept: "application/json"
+      }
+    });
+
+    return variableSet.ScopeValues;
+  };
+
   return {
     listIntegrationAuthByProjectId,
     listOrgIntegrationAuth,
@@ -1552,6 +1639,8 @@ export const integrationAuthServiceFactory = ({
     getBitbucketWorkspaces,
     getBitbucketEnvironments,
     getIntegrationAccessToken,
-    duplicateIntegrationAuth
+    duplicateIntegrationAuth,
+    getOctopusDeploySpaces,
+    getOctopusDeployScopeValues
   };
 };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -193,3 +193,72 @@ export type TIntegrationsWithEnvironment = TIntegrations & {
     | null
     | undefined;
 };
+
+export type TIntegrationAuthOctopusDeploySpacesDTO = {
+  id: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TIntegrationAuthOctopusDeployProjectScopeValuesDTO = {
+  id: string;
+  spaceId: string;
+  resourceId: string;
+  scope: OctopusDeployScope;
+} & Omit<TProjectPermission, "projectId">;
+
+export enum OctopusDeployScope {
+  Project = "project"
+  // add tenant, variable set, etc.
+}
+
+export type TOctopusDeployVariableSet = {
+  Id: string;
+  OwnerId: string;
+  Version: number;
+  Variables: {
+    Id: string;
+    Name: string;
+    Value: string;
+    Description: string;
+    Scope: {
+      Environment?: string[];
+      Machine?: string[];
+      Role?: string[];
+      TargetRole?: string[];
+      Action?: string[];
+      User?: string[];
+      Trigger?: string[];
+      ParentDeployment?: string[];
+      Private?: string[];
+      Channel?: string[];
+      TenantTag?: string[];
+      Tenant?: string[];
+      ProcessOwner?: string[];
+    };
+    IsEditable: boolean;
+    Prompt: {
+      Description: string;
+      DisplaySettings: Record<string, string>;
+      Label: string;
+      Required: boolean;
+    } | null;
+    Type: "String";
+    IsSensitive: boolean;
+  }[];
+  ScopeValues: {
+    Environments: { Id: string; Name: string }[];
+    Machines: { Id: string; Name: string }[];
+    Actions: { Id: string; Name: string }[];
+    Roles: { Id: string; Name: string }[];
+    Channels: { Id: string; Name: string }[];
+    TenantTags: { Id: string; Name: string }[];
+    Processes: {
+      ProcessType: string;
+      Id: string;
+      Name: string;
+    }[];
+  };
+  SpaceId: string;
+  Links: {
+    Self: string;
+  };
+};

backend/src/services/integration-auth/integration-list.ts

@@ -34,7 +34,8 @@ export enum Integrations {
   HASURA_CLOUD = "hasura-cloud",
   RUNDECK = "rundeck",
   AZURE_DEVOPS = "azure-devops",
-  AZURE_APP_CONFIGURATION = "azure-app-configuration"
+  AZURE_APP_CONFIGURATION = "azure-app-configuration",
+  OCTOPUS_DEPLOY = "octopus-deploy"
 }
 
 export enum IntegrationType {
@@ -413,6 +414,15 @@ export const getIntegrationOptions = async () => {
       type: "pat",
       clientId: "",
       docsLink: ""
+    },
+    {
+      name: "Octopus Deploy",
+      slug: "octopus-deploy",
+      image: "Octopus Deploy.png",
+      isAvailable: true,
+      type: "sat",
+      clientId: "",
+      docsLink: ""
     }
   ];
 

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -32,14 +32,14 @@ import { z } from "zod";
 import { SecretType, TIntegrationAuths, TIntegrations } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { BadRequestError } from "@app/lib/errors";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/secret/secret-types";
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
 import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
-import { TIntegrationsWithEnvironment } from "./integration-auth-types";
+import { OctopusDeployScope, TIntegrationsWithEnvironment, TOctopusDeployVariableSet } from "./integration-auth-types";
 import {
   IntegrationInitialSyncBehavior,
   IntegrationMappingBehavior,
@@ -473,7 +473,7 @@ const syncSecretsAzureKeyVault = async ({
     id: string; // secret URI
     value: string;
     attributes: {
-      enabled: true;
+      enabled: boolean;
       created: number;
       updated: number;
       recoveryLevel: string;
@@ -509,10 +509,19 @@ const syncSecretsAzureKeyVault = async ({
 
   const getAzureKeyVaultSecrets = await paginateAzureKeyVaultSecrets(`${integration.app}/secrets?api-version=7.3`);
 
+  const enabledAzureKeyVaultSecrets = getAzureKeyVaultSecrets.filter((secret) => secret.attributes.enabled);
+
+  // disabled keys to skip sending updates to
+  const disabledAzureKeyVaultSecretKeys = getAzureKeyVaultSecrets
+    .filter(({ attributes }) => !attributes.enabled)
+    .map((getAzureKeyVaultSecret) => {
+      return getAzureKeyVaultSecret.id.substring(getAzureKeyVaultSecret.id.lastIndexOf("/") + 1);
+    });
+
   let lastSlashIndex: number;
   const res = (
     await Promise.all(
-      getAzureKeyVaultSecrets.map(async (getAzureKeyVaultSecret) => {
+      enabledAzureKeyVaultSecrets.map(async (getAzureKeyVaultSecret) => {
         if (!lastSlashIndex) {
           lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf("/");
         }
@@ -658,6 +667,7 @@ const syncSecretsAzureKeyVault = async ({
   }) => {
     let isSecretSet = false;
     let maxTries = 6;
+    if (disabledAzureKeyVaultSecretKeys.includes(key)) return;
 
     while (!isSecretSet && maxTries > 0) {
       // try to set secret
@@ -3075,7 +3085,7 @@ const syncSecretsTerraformCloud = async ({
 }) => {
   // get secrets from Terraform Cloud
   const terraformSecrets = (
-    await request.get<{ data: { attributes: { key: string; value: string }; id: string }[] }>(
+    await request.get<{ data: { attributes: { key: string; value: string; sensitive: boolean }; id: string }[] }>(
       `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars`,
       {
         headers: {
@@ -3089,7 +3099,7 @@ const syncSecretsTerraformCloud = async ({
       ...obj,
       [secret.attributes.key]: secret
     }),
-    {} as Record<string, { attributes: { key: string; value: string }; id: string }>
+    {} as Record<string, { attributes: { key: string; value: string; sensitive: boolean }; id: string }>
   );
 
   const secretsToAdd: { [key: string]: string } = {};
@@ -3170,7 +3180,8 @@ const syncSecretsTerraformCloud = async ({
             attributes: {
               key,
               value: secrets[key]?.value,
-              category: integration.targetService
+              category: integration.targetService,
+              sensitive: true
             }
           }
         },
@@ -3183,7 +3194,11 @@ const syncSecretsTerraformCloud = async ({
         }
       );
       // case: secret exists in Terraform Cloud
-    } else if (secrets[key]?.value !== terraformSecrets[key].attributes.value) {
+    } else if (
+      // we now set secrets to sensitive in Terraform Cloud, this checks if existing secrets are not sensitive and updates them accordingly
+      !terraformSecrets[key].attributes.sensitive ||
+      secrets[key]?.value !== terraformSecrets[key].attributes.value
+    ) {
       // -> update secret
       await request.patch(
         `${IntegrationUrls.TERRAFORM_CLOUD_API_URL}/api/v2/workspaces/${integration.appId}/vars/${terraformSecrets[key].id}`,
@@ -3193,7 +3208,8 @@ const syncSecretsTerraformCloud = async ({
             id: terraformSecrets[key].id,
             attributes: {
               ...terraformSecrets[key],
-              value: secrets[key]?.value
+              value: secrets[key]?.value,
+              sensitive: true
             }
           }
         },
@@ -4195,6 +4211,61 @@ const syncSecretsRundeck = async ({
   }
 };
 
+const syncSecretsOctopusDeploy = async ({
+  integration,
+  integrationAuth,
+  secrets,
+  accessToken
+}: {
+  integration: TIntegrations;
+  integrationAuth: TIntegrationAuths;
+  secrets: Record<string, { value: string; comment?: string }>;
+  accessToken: string;
+}) => {
+  let url: string;
+  switch (integration.scope) {
+    case OctopusDeployScope.Project:
+      url = `${integrationAuth.url}/api/${integration.targetEnvironmentId}/projects/${integration.appId}/variables`;
+      break;
+    // future support tenant, variable set, etc.
+    default:
+      throw new InternalServerError({ message: `Unhandled Octopus Deploy scope: ${integration.scope}` });
+  }
+
+  // SDK doesn't support variable set...
+  const { data: variableSet } = await request.get<TOctopusDeployVariableSet>(url, {
+    headers: {
+      "X-NuGet-ApiKey": accessToken,
+      Accept: "application/json"
+    }
+  });
+
+  await request.put(
+    url,
+    {
+      ...variableSet,
+      Variables: Object.entries(secrets).map(([key, value]) => ({
+        Name: key,
+        Value: value.value,
+        Description: value.comment ?? "",
+        Scope:
+          (integration.metadata as { octopusDeployScopeValues: TOctopusDeployVariableSet["ScopeValues"] })
+            ?.octopusDeployScopeValues ?? {},
+        IsEditable: false,
+        Prompt: null,
+        Type: "String",
+        IsSensitive: true
+      }))
+    } as unknown as TOctopusDeployVariableSet,
+    {
+      headers: {
+        "X-NuGet-ApiKey": accessToken,
+        Accept: "application/json"
+      }
+    }
+  );
+};
+
 /**
  * Sync/push [secrets] to [app] in integration named [integration]
  *
@@ -4507,6 +4578,14 @@ export const syncIntegrationSecrets = async ({
         accessToken
       });
       break;
+    case Integrations.OCTOPUS_DEPLOY:
+      await syncSecretsOctopusDeploy({
+        integration,
+        integrationAuth,
+        secrets,
+        accessToken
+      });
+      break;
     default:
       throw new BadRequestError({ message: "Invalid integration" });
   }

backend/src/services/integration/integration-schema.ts

@@ -46,5 +46,18 @@ export const IntegrationMetadataSchema = z.object({
   shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete),
   shouldEnableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldEnableDelete),
   shouldMaskSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldMaskSecrets),
-  shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets)
+  shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets),
+
+  octopusDeployScopeValues: z
+    .object({
+      // in Octopus Deploy Scope Value Format
+      Environment: z.string().array().optional(),
+      Action: z.string().array().optional(),
+      Channel: z.string().array().optional(),
+      Machine: z.string().array().optional(),
+      ProcessOwner: z.string().array().optional(),
+      Role: z.string().array().optional()
+    })
+    .optional()
+    .describe(INTEGRATION.CREATE.metadata.octopusDeployScopeValues)
 });

backend/src/services/integration/integration-service.ts

@@ -9,6 +9,7 @@ import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth
 import { TIntegrationAuthServiceFactory } from "../integration-auth/integration-auth-service";
 import { deleteIntegrationSecrets } from "../integration-auth/integration-delete-secret";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
@@ -237,6 +238,46 @@ export const integrationServiceFactory = ({
     return { ...integration, envId: integration.environment.id };
   };
 
+  const getIntegrationAWSIamRole = async ({ id, actor, actorAuthMethod, actorId, actorOrgId }: TGetIntegrationDTO) => {
+    const integration = await integrationDAL.findById(id);
+
+    if (!integration) {
+      throw new NotFoundError({
+        message: `Integration with ID '${id}' not found`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integration?.projectId || "",
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: integration.projectId
+    });
+    let awsIamRole: string | null = null;
+    if (integrationAuth.encryptedAwsAssumeIamRoleArn) {
+      const awsAssumeRoleArn = secretManagerDecryptor({
+        cipherTextBlob: Buffer.from(integrationAuth.encryptedAwsAssumeIamRoleArn)
+      }).toString();
+      if (awsAssumeRoleArn) {
+        const [, role] = awsAssumeRoleArn.split(":role/");
+        awsIamRole = role;
+      }
+    }
+
+    return {
+      role: awsIamRole
+    };
+  };
+
   const deleteIntegration = async ({
     actorId,
     id,
@@ -329,6 +370,7 @@ export const integrationServiceFactory = ({
     deleteIntegration,
     listIntegrationByProject,
     getIntegration,
+    getIntegrationAWSIamRole,
     syncIntegration
   };
 };

backend/src/services/org/org-dal.ts

@@ -14,6 +14,8 @@ import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt, withTransaction } from "@app/lib/knex";
 import { generateKnexQueryFromScim } from "@app/lib/knex/scim";
 
+import { OrgAuthMethod } from "./org-types";
+
 export type TOrgDALFactory = ReturnType<typeof orgDALFactory>;
 
 export const orgDALFactory = (db: TDbClient) => {
@@ -21,13 +23,78 @@ export const orgDALFactory = (db: TDbClient) => {
 
   const findOrgById = async (orgId: string) => {
     try {
-      const org = await db.replicaNode()(TableName.Organization).where({ id: orgId }).first();
+      const org = (await db
+        .replicaNode()(TableName.Organization)
+        .where({ [`${TableName.Organization}.id` as "id"]: orgId })
+        .leftJoin(TableName.SamlConfig, (qb) => {
+          qb.on(`${TableName.SamlConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+            `${TableName.SamlConfig}.isActive`,
+            "=",
+            db.raw("true")
+          );
+        })
+        .leftJoin(TableName.OidcConfig, (qb) => {
+          qb.on(`${TableName.OidcConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+            `${TableName.OidcConfig}.isActive`,
+            "=",
+            db.raw("true")
+          );
+        })
+        .select(selectAllTableCols(TableName.Organization))
+        .select(
+          db.raw(`
+            CASE 
+              WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.SAML}'
+              WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.OIDC}'
+              ELSE ''
+            END as "orgAuthMethod"
+        `)
+        )
+        .first()) as TOrganizations & { orgAuthMethod?: string };
+
       return org;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find org by id" });
     }
   };
 
+  const findOrgBySlug = async (orgSlug: string) => {
+    try {
+      const org = (await db
+        .replicaNode()(TableName.Organization)
+        .where({ [`${TableName.Organization}.slug` as "slug"]: orgSlug })
+        .leftJoin(TableName.SamlConfig, (qb) => {
+          qb.on(`${TableName.SamlConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+            `${TableName.SamlConfig}.isActive`,
+            "=",
+            db.raw("true")
+          );
+        })
+        .leftJoin(TableName.OidcConfig, (qb) => {
+          qb.on(`${TableName.OidcConfig}.orgId`, "=", `${TableName.Organization}.id`).andOn(
+            `${TableName.OidcConfig}.isActive`,
+            "=",
+            db.raw("true")
+          );
+        })
+        .select(selectAllTableCols(TableName.Organization))
+        .select(
+          db.raw(`
+            CASE 
+              WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.SAML}'
+              WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.OIDC}'
+              ELSE ''
+            END as "orgAuthMethod"
+        `)
+        )
+        .first()) as TOrganizations & { orgAuthMethod?: string };
+
+      return org;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by slug" });
+    }
+  };
+
   // special query
   const findAllOrgsByUserId = async (userId: string): Promise<(TOrganizations & { orgAuthMethod: string })[]> => {
     try {
@@ -398,6 +465,7 @@ export const orgDALFactory = (db: TDbClient) => {
     findAllOrgMembers,
     countAllOrgMembers,
     findOrgById,
+    findOrgBySlug,
     findAllOrgsByUserId,
     ghostUserExists,
     findOrgMembersByUsername,

backend/src/services/org/org-service.ts

@@ -187,6 +187,15 @@ export const orgServiceFactory = ({
     return members;
   };
 
+  const findOrgBySlug = async (slug: string) => {
+    const org = await orgDAL.findOrgBySlug(slug);
+    if (!org) {
+      throw new NotFoundError({ message: `Organization with slug '${slug}' not found` });
+    }
+
+    return org;
+  };
+
   const findAllWorkspaces = async ({ actor, actorId, orgId }: TFindAllWorkspacesDTO) => {
     const organizationWorkspaceIds = new Set((await projectDAL.find({ orgId })).map((workspace) => workspace.id));
 
@@ -275,6 +284,7 @@ export const orgServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
 
     const plan = await licenseService.getPlan(orgId);
+    const currentOrg = await orgDAL.findOrgById(actorOrgId);
 
     if (enforceMfa !== undefined) {
       if (!plan.enforceMfa) {
@@ -305,6 +315,11 @@ export const orgServiceFactory = ({
             "Failed to enable/disable SCIM provisioning due to plan restriction. Upgrade plan to enable/disable SCIM provisioning."
         });
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Scim);
+      if (scimEnabled && !currentOrg.orgAuthMethod) {
+        throw new BadRequestError({
+          message: "Cannot enable SCIM when neither SAML or OIDC is configured."
+        });
+      }
     }
 
     if (authEnforced) {
@@ -1132,6 +1147,7 @@ export const orgServiceFactory = ({
     createIncidentContact,
     deleteIncidentContact,
     getOrgGroups,
-    listProjectMembershipsByOrgMembershipId
+    listProjectMembershipsByOrgMembershipId,
+    findOrgBySlug
   };
 };

backend/src/services/org/org-types.ts

@@ -74,3 +74,8 @@ export type TGetOrgGroupsDTO = TOrgPermission;
 export type TListProjectMembershipsByOrgMembershipIdDTO = {
   orgMembershipId: string;
 } & TOrgPermission;
+
+export enum OrgAuthMethod {
+  OIDC = "oidc",
+  SAML = "saml"
+}

backend/src/services/project-membership/project-membership-service.ts

@@ -280,7 +280,12 @@ export const projectMembershipServiceFactory = ({
 
     // validate custom roles input
     const customInputRoles = roles.filter(
-      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+      ({ role }) =>
+        !Object.values(ProjectMembershipRole)
+          // we don't want to include custom in this check;
+          // this unintentionally enables setting slug to custom which is reserved
+          .filter((r) => r !== ProjectMembershipRole.Custom)
+          .includes(role as ProjectMembershipRole)
     );
     const hasCustomRole = Boolean(customInputRoles.length);
     if (hasCustomRole) {

backend/src/services/project/project-dal.ts

@@ -191,6 +191,10 @@ export const projectDALFactory = (db: TDbClient) => {
 
       return project;
     } catch (error) {
+      if (error instanceof NotFoundError) {
+        throw error;
+      }
+
       throw new DatabaseError({ error, name: "Find all projects" });
     }
   };
@@ -240,6 +244,10 @@ export const projectDALFactory = (db: TDbClient) => {
 
       return project;
     } catch (error) {
+      if (error instanceof NotFoundError || error instanceof UnauthorizedError) {
+        throw error;
+      }
+
       throw new DatabaseError({ error, name: "Find project by slug" });
     }
   };
@@ -260,7 +268,7 @@ export const projectDALFactory = (db: TDbClient) => {
       }
       throw new BadRequestError({ message: "Invalid filter type" });
     } catch (error) {
-      if (error instanceof BadRequestError) {
+      if (error instanceof BadRequestError || error instanceof NotFoundError || error instanceof UnauthorizedError) {
         throw error;
       }
       throw new DatabaseError({ error, name: `Failed to find project by ${filter.type}` });

backend/src/services/project/project-queue.ts

@@ -285,11 +285,14 @@ export const projectQueueFactory = ({
 
           if (!orgMembership) {
             // This can happen. Since we don't remove project memberships and project keys when a user is removed from an org, this is a valid case.
-            logger.info("User is not in organization", {
-              userId: key.receiverId,
-              orgId: project.orgId,
-              projectId: project.id
-            });
+            logger.info(
+              {
+                userId: key.receiverId,
+                orgId: project.orgId,
+                projectId: project.id
+              },
+              "User is not in organization"
+            );
             // eslint-disable-next-line no-continue
             continue;
           }
@@ -551,10 +554,10 @@ export const projectQueueFactory = ({
         .catch(() => [null]);
 
       if (!project) {
-        logger.error("Failed to upgrade project, because no project was found", data);
+        logger.error(data, "Failed to upgrade project, because no project was found");
       } else {
         await projectDAL.setProjectUpgradeStatus(data.projectId, ProjectUpgradeStatus.Failed);
-        logger.error("Failed to upgrade project", err, {
+        logger.error(err, "Failed to upgrade project", {
           extra: {
             project,
             jobData: data

backend/src/services/project/project-service.ts

@@ -149,6 +149,7 @@ export const projectServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     workspaceName,
+    workspaceDescription,
     slug: projectSlug,
     kmsKeyId,
     tx: trx,
@@ -206,6 +207,7 @@ export const projectServiceFactory = ({
       const project = await projectDAL.create(
         {
           name: workspaceName,
+          description: workspaceDescription,
           orgId: organization.id,
           slug: projectSlug || slugify(`${workspaceName}-${alphaNumericNanoId(4)}`),
           kmsSecretManagerKeyId: kmsKeyId,
@@ -496,6 +498,7 @@ export const projectServiceFactory = ({
 
     const updatedProject = await projectDAL.updateById(project.id, {
       name: update.name,
+      description: update.description,
       autoCapitalization: update.autoCapitalization
     });
     return updatedProject;

backend/src/services/project/project-types.ts

@@ -29,6 +29,7 @@ export type TCreateProjectDTO = {
   actorId: string;
   actorOrgId?: string;
   workspaceName: string;
+  workspaceDescription?: string;
   slug?: string;
   kmsKeyId?: string;
   createDefaultEnvs?: boolean;
@@ -69,6 +70,7 @@ export type TUpdateProjectDTO = {
   filter: Filter;
   update: {
     name?: string;
+    description?: string;
     autoCapitalization?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -365,9 +365,8 @@ export const recursivelyGetSecretPaths = async ({
     folderId: p.folderId
   }));
 
-  const pathsInCurrentDirectory = paths.filter((folder) =>
-    folder.path.startsWith(currentPath === "/" ? "" : currentPath)
-  );
+  // path relative will start with ../ if its outside directory
+  const pathsInCurrentDirectory = paths.filter((folder) => !path.relative(currentPath, folder.path).startsWith(".."));
 
   return pathsInCurrentDirectory;
 };

backend/src/services/webhook/webhook-fns.ts

@@ -142,7 +142,7 @@ export const fnTriggerWebhook = async ({
       !isDisabled && picomatch.isMatch(secretPath, hookSecretPath, { strictSlashes: false })
   );
   if (!toBeTriggeredHooks.length) return;
-  logger.info("Secret webhook job started", { environment, secretPath, projectId });
+  logger.info({ environment, secretPath, projectId }, "Secret webhook job started");
   const project = await projectDAL.findById(projectId);
   const webhooksTriggered = await Promise.allSettled(
     toBeTriggeredHooks.map((hook) =>
@@ -195,5 +195,5 @@ export const fnTriggerWebhook = async ({
       );
     }
   });
-  logger.info("Secret webhook job ended", { environment, secretPath, projectId });
+  logger.info({ environment, secretPath, projectId }, "Secret webhook job ended");
 };

cli/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.3.8
+	github.com/infisical/go-sdk v0.4.3
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0

cli/go.sum

@@ -265,8 +265,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.3.8 h1:0dGOhF3cwt0q5QzpnUs4lxwBiEza+DQYOyvEn7AfrM0=
-github.com/infisical/go-sdk v0.3.8/go.mod h1:HHW7DgUqoolyQIUw/9HdpkZ3bDLwWyZ0HEtYiVaDKQw=
+github.com/infisical/go-sdk v0.4.3 h1:O5ZJ2eCBAZDE9PIAfBPq9Utb2CgQKrhmj9R0oFTRu4U=
+github.com/infisical/go-sdk v0.4.3/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=

cli/packages/api/api.go

@@ -205,6 +205,25 @@ func CallGetAllWorkSpacesUserBelongsTo(httpClient *resty.Client) (GetWorkSpacesR
 	return workSpacesResponse, nil
 }
 
+func CallGetProjectById(httpClient *resty.Client, id string) (Project, error) {
+	var projectResponse GetProjectByIdResponse
+	response, err := httpClient.
+		R().
+		SetResult(&projectResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		Get(fmt.Sprintf("%v/v1/workspace/%s", config.INFISICAL_URL, id))
+
+	if err != nil {
+		return Project{}, err
+	}
+
+	if response.IsError() {
+		return Project{}, fmt.Errorf("CallGetProjectById: Unsuccessful response:  [response=%v]", response)
+	}
+
+	return projectResponse.Project, nil
+}
+
 func CallIsAuthenticated(httpClient *resty.Client) bool {
 	var workSpacesResponse GetWorkSpacesResponse
 	response, err := httpClient.

cli/packages/api/model.go

@@ -128,6 +128,10 @@ type GetWorkSpacesResponse struct {
 	} `json:"workspaces"`
 }
 
+type GetProjectByIdResponse struct {
+	Project Project `json:"workspace"`
+}
+
 type GetOrganizationsResponse struct {
 	Organizations []struct {
 		ID   string `json:"id"`
@@ -163,6 +167,12 @@ type Secret struct {
 	PlainTextKey            string `json:"plainTextKey"`
 }
 
+type Project struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+	Slug string `json:"slug"`
+}
+
 type RawSecret struct {
 	SecretKey     string `json:"secretKey,omitempty"`
 	SecretValue   string `json:"secretValue,omitempty"`

cli/packages/cmd/dynamic_secrets.go

@@ -0,0 +1,571 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/visualize"
+
+	// "github.com/Infisical/infisical-merge/packages/models"
+	"github.com/Infisical/infisical-merge/packages/util"
+	// "github.com/Infisical/infisical-merge/packages/visualize"
+	"github.com/go-resty/resty/v2"
+	"github.com/posthog/posthog-go"
+	"github.com/spf13/cobra"
+
+	infisicalSdk "github.com/infisical/go-sdk"
+	infisicalSdkModels "github.com/infisical/go-sdk/packages/models"
+)
+
+var dynamicSecretCmd = &cobra.Command{
+	Example:               `infisical dynamic-secrets`,
+	Short:                 "Used to list dynamic secrets",
+	Use:                   "dynamic-secrets",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   getDynamicSecretList,
+}
+
+func getDynamicSecretList(cmd *cobra.Command, args []string) {
+	environmentName, _ := cmd.Flags().GetString("env")
+	if !cmd.Flags().Changed("env") {
+		environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
+		if environmentFromWorkspace != "" {
+			environmentName = environmentFromWorkspace
+		}
+	}
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse path flag")
+	}
+
+	var infisicalToken string
+	httpClient := resty.New()
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	httpClient.SetAuthToken(infisicalToken)
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		util.HandleError(err, "To fetch project details")
+	}
+
+	dynamicSecretRootCredentials, err := infisicalClient.DynamicSecrets().List(infisicalSdk.ListDynamicSecretsRootCredentialsOptions{
+		ProjectSlug:     projectDetails.Slug,
+		SecretPath:      secretsPath,
+		EnvironmentSlug: environmentName,
+	})
+
+	if err != nil {
+		util.HandleError(err, "To fetch dynamic secret root credentials details")
+	}
+
+	visualize.PrintAllDynamicRootCredentials(dynamicSecretRootCredentials)
+	Telemetry.CaptureEvent("cli-command:dynamic-secrets", posthog.NewProperties().Set("count", len(dynamicSecretRootCredentials)).Set("version", util.CLI_VERSION))
+}
+
+var dynamicSecretLeaseCmd = &cobra.Command{
+	Example:               `lease`,
+	Short:                 "Manage leases for dynamic secrets",
+	Use:                   "lease",
+	DisableFlagsInUseLine: true,
+}
+
+var dynamicSecretLeaseCreateCmd = &cobra.Command{
+	Example:               `lease create <dynamic secret name>"`,
+	Short:                 "Used to lease dynamic secret by name",
+	Use:                   "create [dynamic-secret]",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.ExactArgs(1),
+	Run:                   createDynamicSecretLeaseByName,
+}
+
+func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
+	dynamicSecretRootCredentialName := args[0]
+
+	environmentName, _ := cmd.Flags().GetString("env")
+	if !cmd.Flags().Changed("env") {
+		environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
+		if environmentFromWorkspace != "" {
+			environmentName = environmentFromWorkspace
+		}
+	}
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse path flag")
+	}
+
+	plainOutput, err := cmd.Flags().GetBool("plain")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var infisicalToken string
+	httpClient := resty.New()
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	httpClient.SetAuthToken(infisicalToken)
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		util.HandleError(err, "To fetch project details")
+	}
+
+	dynamicSecretRootCredential, err := infisicalClient.DynamicSecrets().GetByName(infisicalSdk.GetDynamicSecretRootCredentialByNameOptions{
+		DynamicSecretName: dynamicSecretRootCredentialName,
+		ProjectSlug:       projectDetails.Slug,
+		SecretPath:        secretsPath,
+		EnvironmentSlug:   environmentName,
+	})
+
+	if err != nil {
+		util.HandleError(err, "To fetch dynamic secret root credentials details")
+	}
+
+	leaseCredentials, _, leaseDetails, err := infisicalClient.DynamicSecrets().Leases().Create(infisicalSdk.CreateDynamicSecretLeaseOptions{
+		DynamicSecretName: dynamicSecretRootCredential.Name,
+		ProjectSlug:       projectDetails.Slug,
+		TTL:               ttl,
+		SecretPath:        secretsPath,
+		EnvironmentSlug:   environmentName,
+	})
+	if err != nil {
+		util.HandleError(err, "To lease dynamic secret")
+	}
+
+	if plainOutput {
+		for key, value := range leaseCredentials {
+			if cred, ok := value.(string); ok {
+				fmt.Printf("%s=%s\n", key, cred)
+			}
+		}
+	} else {
+		fmt.Println("Dynamic Secret Leasing")
+		fmt.Printf("Name: %s\n", dynamicSecretRootCredential.Name)
+		fmt.Printf("Provider: %s\n", dynamicSecretRootCredential.Type)
+		fmt.Printf("Lease ID: %s\n", leaseDetails.Id)
+		fmt.Printf("Expire At: %s\n", leaseDetails.ExpireAt.Local().Format("02-Jan-2006 03:04:05 PM"))
+		visualize.PrintAllDyamicSecretLeaseCredentials(leaseCredentials)
+	}
+
+	Telemetry.CaptureEvent("cli-command:dynamic-secrets lease", posthog.NewProperties().Set("type", dynamicSecretRootCredential.Type).Set("version", util.CLI_VERSION))
+}
+
+var dynamicSecretLeaseRenewCmd = &cobra.Command{
+	Example:               `lease renew <dynamic secret name>"`,
+	Short:                 "Used to renew dynamic secret lease by name",
+	Use:                   "renew [lease-id]",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.ExactArgs(1),
+	Run:                   renewDynamicSecretLeaseByName,
+}
+
+func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
+	dynamicSecretLeaseId := args[0]
+
+	environmentName, _ := cmd.Flags().GetString("env")
+	if !cmd.Flags().Changed("env") {
+		environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
+		if environmentFromWorkspace != "" {
+			environmentName = environmentFromWorkspace
+		}
+	}
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse path flag")
+	}
+
+	var infisicalToken string
+	httpClient := resty.New()
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	httpClient.SetAuthToken(infisicalToken)
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		util.HandleError(err, "To fetch project details")
+	}
+
+	if err != nil {
+		util.HandleError(err, "To fetch dynamic secret root credentials details")
+	}
+
+	leaseDetails, err := infisicalClient.DynamicSecrets().Leases().RenewById(infisicalSdk.RenewDynamicSecretLeaseOptions{
+		ProjectSlug:     projectDetails.Slug,
+		TTL:             ttl,
+		SecretPath:      secretsPath,
+		EnvironmentSlug: environmentName,
+		LeaseId:         dynamicSecretLeaseId,
+	})
+	if err != nil {
+		util.HandleError(err, "To renew dynamic secret lease")
+	}
+
+	fmt.Println("Successfully renewed dynamic secret lease")
+	visualize.PrintAllDynamicSecretLeases([]infisicalSdkModels.DynamicSecretLease{leaseDetails})
+
+	Telemetry.CaptureEvent("cli-command:dynamic-secrets lease renew", posthog.NewProperties().Set("version", util.CLI_VERSION))
+}
+
+var dynamicSecretLeaseRevokeCmd = &cobra.Command{
+	Example:               `lease delete <dynamic secret name>"`,
+	Short:                 "Used to delete dynamic secret lease by name",
+	Use:                   "delete [lease-id]",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.ExactArgs(1),
+	Run:                   revokeDynamicSecretLeaseByName,
+}
+
+func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
+	dynamicSecretLeaseId := args[0]
+
+	environmentName, _ := cmd.Flags().GetString("env")
+	if !cmd.Flags().Changed("env") {
+		environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
+		if environmentFromWorkspace != "" {
+			environmentName = environmentFromWorkspace
+		}
+	}
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse path flag")
+	}
+
+	var infisicalToken string
+	httpClient := resty.New()
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	httpClient.SetAuthToken(infisicalToken)
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		util.HandleError(err, "To fetch project details")
+	}
+
+	if err != nil {
+		util.HandleError(err, "To fetch dynamic secret root credentials details")
+	}
+
+	leaseDetails, err := infisicalClient.DynamicSecrets().Leases().DeleteById(infisicalSdk.DeleteDynamicSecretLeaseOptions{
+		ProjectSlug:     projectDetails.Slug,
+		SecretPath:      secretsPath,
+		EnvironmentSlug: environmentName,
+		LeaseId:         dynamicSecretLeaseId,
+	})
+	if err != nil {
+		util.HandleError(err, "To revoke  dynamic secret lease")
+	}
+
+	fmt.Println("Successfully revoked dynamic secret lease")
+	visualize.PrintAllDynamicSecretLeases([]infisicalSdkModels.DynamicSecretLease{leaseDetails})
+
+	Telemetry.CaptureEvent("cli-command:dynamic-secrets lease revoke", posthog.NewProperties().Set("version", util.CLI_VERSION))
+}
+
+var dynamicSecretLeaseListCmd = &cobra.Command{
+	Example:               `lease list <dynamic secret name>"`,
+	Short:                 "Used to list leases of a dynamic secret by name",
+	Use:                   "list [dynamic-secret]",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.ExactArgs(1),
+	Run:                   listDynamicSecretLeaseByName,
+}
+
+func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
+	dynamicSecretRootCredentialName := args[0]
+
+	environmentName, _ := cmd.Flags().GetString("env")
+	if !cmd.Flags().Changed("env") {
+		environmentFromWorkspace := util.GetEnvFromWorkspaceFile()
+		if environmentFromWorkspace != "" {
+			environmentName = environmentFromWorkspace
+		}
+	}
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	projectId, err := cmd.Flags().GetString("projectId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	secretsPath, err := cmd.Flags().GetString("path")
+	if err != nil {
+		util.HandleError(err, "Unable to parse path flag")
+	}
+
+	var infisicalToken string
+	httpClient := resty.New()
+
+	if projectId == "" {
+		workspaceFile, err := util.GetWorkSpaceFromFile()
+		if err != nil {
+			util.HandleError(err, "Unable to get local project details")
+		}
+		projectId = workspaceFile.WorkspaceId
+	}
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	httpClient.SetAuthToken(infisicalToken)
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	projectDetails, err := api.CallGetProjectById(httpClient, projectId)
+	if err != nil {
+		util.HandleError(err, "To fetch project details")
+	}
+
+	dynamicSecretLeases, err := infisicalClient.DynamicSecrets().Leases().List(infisicalSdk.ListDynamicSecretLeasesOptions{
+		DynamicSecretName: dynamicSecretRootCredentialName,
+		ProjectSlug:       projectDetails.Slug,
+		SecretPath:        secretsPath,
+		EnvironmentSlug:   environmentName,
+	})
+
+	if err != nil {
+		util.HandleError(err, "To fetch dynamic secret leases list")
+	}
+
+	visualize.PrintAllDynamicSecretLeases(dynamicSecretLeases)
+	Telemetry.CaptureEvent("cli-command:dynamic-secrets lease list", posthog.NewProperties().Set("lease-count", len(dynamicSecretLeases)).Set("version", util.CLI_VERSION))
+}
+
+func init() {
+	dynamicSecretLeaseCreateCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
+	dynamicSecretLeaseCreateCmd.Flags().String("token", "", "Create dynamic secret leases using machine identity access token")
+	dynamicSecretLeaseCreateCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseCreateCmd.Flags().String("ttl", "", "The lease lifetime TTL. If not provided the default TTL of dynamic secret will be used.")
+	dynamicSecretLeaseCreateCmd.Flags().Bool("plain", false, "Print leased credentials without formatting, one per line")
+	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseCreateCmd)
+
+	dynamicSecretLeaseListCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
+	dynamicSecretLeaseListCmd.Flags().String("token", "", "Fetch dynamic secret leases machine identity access token")
+	dynamicSecretLeaseListCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseListCmd)
+
+	dynamicSecretLeaseRenewCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
+	dynamicSecretLeaseRenewCmd.Flags().String("token", "", "Renew dynamic secrets machine identity access token")
+	dynamicSecretLeaseRenewCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseRenewCmd.Flags().String("ttl", "", "The lease lifetime TTL. If not provided the default TTL of dynamic secret will be used.")
+	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseRenewCmd)
+
+	dynamicSecretLeaseRevokeCmd.Flags().StringP("path", "p", "/", "The path from where dynamic secret should be leased from")
+	dynamicSecretLeaseRevokeCmd.Flags().String("token", "", "Delete dynamic secrets using machine identity access token")
+	dynamicSecretLeaseRevokeCmd.Flags().String("projectId", "", "Manually set the projectId to fetch leased from when using machine identity based auth")
+	dynamicSecretLeaseCmd.AddCommand(dynamicSecretLeaseRevokeCmd)
+
+	dynamicSecretCmd.AddCommand(dynamicSecretLeaseCmd)
+
+	dynamicSecretCmd.Flags().String("token", "", "Fetch secrets using service token or machine identity access token")
+	dynamicSecretCmd.Flags().String("projectId", "", "Manually set the projectId to fetch dynamic-secret when using machine identity based auth")
+	dynamicSecretCmd.PersistentFlags().String("env", "dev", "Used to select the environment name on which actions should be taken on")
+	dynamicSecretCmd.Flags().String("path", "/", "get dynamic secret within a folder path")
+	rootCmd.AddCommand(dynamicSecretCmd)
+}

cli/packages/cmd/export.go

@@ -111,7 +111,7 @@ var exportCmd = &cobra.Command{
 				accessToken = token.Token
 			} else {
 				log.Debug().Msg("GetAllEnvironmentVariables: Trying to fetch secrets using logged in details")
-				loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+				loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
 				if err != nil {
 					util.HandleError(err)
 				}

cli/packages/cmd/init.go

@@ -41,7 +41,7 @@ var initCmd = &cobra.Command{
 			}
 		}
 
-		userCreds, err := util.GetCurrentLoggedInUserDetails()
+		userCreds, err := util.GetCurrentLoggedInUserDetails(true)
 		if err != nil {
 			util.HandleError(err, "Unable to get your login details")
 		}

cli/packages/cmd/login.go

@@ -154,6 +154,8 @@ var loginCmd = &cobra.Command{
 	DisableFlagsInUseLine: true,
 	Run: func(cmd *cobra.Command, args []string) {
 
+		presetDomain := config.INFISICAL_URL
+
 		clearSelfHostedDomains, err := cmd.Flags().GetBool("clear-domains")
 		if err != nil {
 			util.HandleError(err)
@@ -198,7 +200,7 @@ var loginCmd = &cobra.Command{
 
 		// standalone user auth
 		if loginMethod == "user" {
-			currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+			currentLoggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
 			// if the key can't be found or there is an error getting current credentials from key ring, allow them to override
 			if err != nil && (strings.Contains(err.Error(), "we couldn't find your logged in details")) {
 				log.Debug().Err(err)
@@ -216,11 +218,19 @@ var loginCmd = &cobra.Command{
 					return
 				}
 			}
+
+			usePresetDomain, err := usePresetDomain(presetDomain)
+
+			if err != nil {
+				util.HandleError(err)
+			}
+
 			//override domain
 			domainQuery := true
 			if config.INFISICAL_URL_MANUAL_OVERRIDE != "" &&
 				config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_EU_URL) &&
-				config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL) {
+				config.INFISICAL_URL_MANUAL_OVERRIDE != fmt.Sprintf("%s/api", util.INFISICAL_DEFAULT_US_URL) &&
+				!usePresetDomain {
 				overrideDomain, err := DomainOverridePrompt()
 				if err != nil {
 					util.HandleError(err)
@@ -228,7 +238,7 @@ var loginCmd = &cobra.Command{
 
 				//if not override set INFISICAL_URL to exported var
 				//set domainQuery to false
-				if !overrideDomain {
+				if !overrideDomain && !usePresetDomain {
 					domainQuery = false
 					config.INFISICAL_URL = util.AppendAPIEndpoint(config.INFISICAL_URL_MANUAL_OVERRIDE)
 					config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", strings.TrimSuffix(config.INFISICAL_URL, "/api"))
@@ -237,7 +247,7 @@ var loginCmd = &cobra.Command{
 			}
 
 			//prompt user to select domain between Infisical cloud and self-hosting
-			if domainQuery {
+			if domainQuery && !usePresetDomain {
 				err = askForDomain()
 				if err != nil {
 					util.HandleError(err, "Unable to parse domain url")
@@ -526,6 +536,45 @@ func DomainOverridePrompt() (bool, error) {
 	return selectedOption == OVERRIDE, err
 }
 
+func usePresetDomain(presetDomain string) (bool, error) {
+	infisicalConfig, err := util.GetConfigFile()
+	if err != nil {
+		return false, fmt.Errorf("askForDomain: unable to get config file because [err=%s]", err)
+	}
+
+	preconfiguredUrl := strings.TrimSuffix(presetDomain, "/api")
+
+	if preconfiguredUrl != "" && preconfiguredUrl != util.INFISICAL_DEFAULT_US_URL && preconfiguredUrl != util.INFISICAL_DEFAULT_EU_URL {
+		parsedDomain := strings.TrimSuffix(strings.Trim(preconfiguredUrl, "/"), "/api")
+
+		_, err := url.ParseRequestURI(parsedDomain)
+		if err != nil {
+			return false, errors.New(fmt.Sprintf("Invalid domain URL: '%s'", parsedDomain))
+		}
+
+		config.INFISICAL_URL = fmt.Sprintf("%s/api", parsedDomain)
+		config.INFISICAL_LOGIN_URL = fmt.Sprintf("%s/login", parsedDomain)
+
+		if !slices.Contains(infisicalConfig.Domains, parsedDomain) {
+			infisicalConfig.Domains = append(infisicalConfig.Domains, parsedDomain)
+			err = util.WriteConfigFile(&infisicalConfig)
+
+			if err != nil {
+				return false, fmt.Errorf("askForDomain: unable to write domains to config file because [err=%s]", err)
+			}
+		}
+
+		whilte := color.New(color.FgGreen)
+		boldWhite := whilte.Add(color.Bold)
+		time.Sleep(time.Second * 1)
+		boldWhite.Printf("[INFO] Using domain '%s' from domain flag or INFISICAL_API_URL environment variable\n", parsedDomain)
+
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func askForDomain() error {
 
 	// query user to choose between Infisical cloud or self-hosting

cli/packages/cmd/root.go

@@ -54,7 +54,7 @@ func init() {
 			util.CheckForUpdate()
 		}
 
-		loggedInDetails, err := util.GetCurrentLoggedInUserDetails()
+		loggedInDetails, err := util.GetCurrentLoggedInUserDetails(false)
 
 		if !silent && err == nil && loggedInDetails.IsUserLoggedIn && !loggedInDetails.LoginExpired {
 			token, err := util.GetInfisicalToken(cmd)

cli/packages/cmd/secrets.go

@@ -194,7 +194,7 @@ var secretsSetCmd = &cobra.Command{
 				projectId = workspaceFile.WorkspaceId
 			}
 
-			loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+			loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
 			if err != nil {
 				util.HandleError(err, "unable to authenticate [err=%v]")
 			}
@@ -278,7 +278,7 @@ var secretsDeleteCmd = &cobra.Command{
 			util.RequireLogin()
 			util.RequireLocalWorkspaceFile()
 
-			loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+			loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
 			if err != nil {
 				util.HandleError(err, "Unable to authenticate")
 			}

cli/packages/cmd/tokens.go

@@ -41,7 +41,7 @@ var tokensCreateCmd = &cobra.Command{
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		// get plain text workspace key
-		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails()
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
 
 		if err != nil {
 			util.HandleError(err, "Unable to retrieve your logged in your details. Please login in then try again")

cli/packages/util/credentials.go

@@ -55,7 +55,7 @@ func GetUserCredsFromKeyRing(userEmail string) (credentials models.UserCredentia
 	return userCredentials, err
 }
 
-func GetCurrentLoggedInUserDetails() (LoggedInUserDetails, error) {
+func GetCurrentLoggedInUserDetails(setConfigVariables bool) (LoggedInUserDetails, error) {
 	if ConfigFileExists() {
 		configFile, err := GetConfigFile()
 		if err != nil {
@@ -75,18 +75,20 @@ func GetCurrentLoggedInUserDetails() (LoggedInUserDetails, error) {
 			}
 		}
 
+		if setConfigVariables {
+			config.INFISICAL_URL_MANUAL_OVERRIDE = config.INFISICAL_URL
+			//configFile.LoggedInUserDomain
+			//if not empty set as infisical url
+			if configFile.LoggedInUserDomain != "" {
+				config.INFISICAL_URL = AppendAPIEndpoint(configFile.LoggedInUserDomain)
+			}
+		}
+
 		// check to to see if the JWT is still valid
 		httpClient := resty.New().
 			SetAuthToken(userCreds.JTWToken).
 			SetHeader("Accept", "application/json")
 
-		config.INFISICAL_URL_MANUAL_OVERRIDE = config.INFISICAL_URL
-		//configFile.LoggedInUserDomain
-		//if not empty set as infisical url
-		if configFile.LoggedInUserDomain != "" {
-			config.INFISICAL_URL = AppendAPIEndpoint(configFile.LoggedInUserDomain)
-		}
-
 		isAuthenticated := api.CallIsAuthenticated(httpClient)
 		// TODO: add refresh token
 		// if !isAuthenticated {