Update project-env.spec.ts

Remove service token notice

.github/pull_request_template.md

@@ -6,6 +6,7 @@
 
 - [ ] Bug fix
 - [ ] New feature
+- [ ] Improvement
 - [ ] Breaking change
 - [ ] Documentation
 

README.md

@@ -73,6 +73,11 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 
+### Key Management (KMS):
+
+- **[Cryptograhic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
+- **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
+
 ### General Platform:
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.

backend/e2e-test/routes/v1/project-env.spec.ts

@@ -123,7 +123,7 @@ describe("Project Environment Router", async () => {
         id: deletedProjectEnvironment.id,
         name: mockProjectEnv.name,
         slug: mockProjectEnv.slug,
-        position: 4,
+        position: 5,
         createdAt: expect.any(String),
         updatedAt: expect.any(String)
       })

backend/package-lock.json

@@ -61,6 +61,7 @@
         "jwks-rsa": "^3.1.0",
         "knex": "^3.0.1",
         "ldapjs": "^3.0.7",
+        "ldif": "^0.5.1",
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "mongodb": "^6.8.1",
@@ -85,6 +86,7 @@
         "safe-regex": "^2.1.1",
         "scim-patch": "^0.8.3",
         "scim2-parse-filter": "^0.2.10",
+        "sjcl": "^1.0.8",
         "smee-client": "^2.0.0",
         "tedious": "^18.2.1",
         "tweetnacl": "^1.0.3",
@@ -117,6 +119,7 @@
         "@types/prompt-sync": "^4.2.3",
         "@types/resolve": "^1.20.6",
         "@types/safe-regex": "^1.1.6",
+        "@types/sjcl": "^1.0.34",
         "@types/uuid": "^9.0.7",
         "@typescript-eslint/eslint-plugin": "^6.20.0",
         "@typescript-eslint/parser": "^6.20.0",
@@ -7296,6 +7299,13 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/sjcl": {
+      "version": "1.0.34",
+      "resolved": "https://registry.npmjs.org/@types/sjcl/-/sjcl-1.0.34.tgz",
+      "integrity": "sha512-bQHEeK5DTQRunIfQeUMgtpPsNNCcZyQ9MJuAfW1I7iN0LDunTc78Fu17STbLMd7KiEY/g2zHVApippa70h6HoQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/uuid": {
       "version": "9.0.7",
       "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.7.tgz",
@@ -13008,6 +13018,12 @@
         "verror": "^1.10.1"
       }
     },
+    "node_modules/ldif": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/ldif/-/ldif-0.5.1.tgz",
+      "integrity": "sha512-8s46m/r2lSFO2+DqMxqWiJ10iiL4tuR5LC/KndV+E5//OAOzOx5s3HS5O34PJ5+kyaCA+K2oCaEPaDRfXUnQow==",
+      "license": "MIT"
+    },
     "node_modules/leven": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/leven/-/leven-2.1.0.tgz",
@@ -16397,6 +16413,15 @@
         "node": ">=10"
       }
     },
+    "node_modules/sjcl": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/sjcl/-/sjcl-1.0.8.tgz",
+      "integrity": "sha512-LzIjEQ0S0DpIgnxMEayM1rq9aGwGRG4OnZhCdjx7glTaJtf4zRfpg87ImfjSJjoW9vKpagd82McDOwbRT5kQKQ==",
+      "license": "(BSD-2-Clause OR GPL-2.0-only)",
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/slash": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz",
@@ -17874,12 +17899,14 @@
     "node_modules/tweetnacl": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz",
-      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw=="
+      "integrity": "sha512-6rt+RN7aOi1nGMyC4Xa5DdYiukl2UWCbcJft7YhxReBGQD7OAM8Pbxw6YMo4r2diNEA8FEmu32YOn9rhaiE5yw==",
+      "license": "Unlicense"
     },
     "node_modules/tweetnacl-util": {
       "version": "0.15.1",
       "resolved": "https://registry.npmjs.org/tweetnacl-util/-/tweetnacl-util-0.15.1.tgz",
-      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw=="
+      "integrity": "sha512-RKJBIj8lySrShN4w6i/BonWp2Z/uxwC3h4y7xsRrpP59ZboCd0GpEVsOnMDYLMmKBpYhb5TgHzZXy7wTfYFBRw==",
+      "license": "Unlicense"
     },
     "node_modules/type-check": {
       "version": "0.4.0",

backend/package.json

@@ -80,6 +80,7 @@
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
+    "@types/sjcl": "^1.0.34",
     "@types/uuid": "^9.0.7",
     "@typescript-eslint/eslint-plugin": "^6.20.0",
     "@typescript-eslint/parser": "^6.20.0",
@@ -158,6 +159,7 @@
     "jwks-rsa": "^3.1.0",
     "knex": "^3.0.1",
     "ldapjs": "^3.0.7",
+    "ldif": "0.5.1",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "mongodb": "^6.8.1",
@@ -182,6 +184,7 @@
     "safe-regex": "^2.1.1",
     "scim-patch": "^0.8.3",
     "scim2-parse-filter": "^0.2.10",
+    "sjcl": "^1.0.8",
     "smee-client": "^2.0.0",
     "tedious": "^18.2.1",
     "tweetnacl": "^1.0.3",

backend/src/@types/fastify.d.ts

@@ -38,6 +38,8 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
@@ -181,6 +183,8 @@ declare module "fastify" {
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;
+      cmek: TCmekServiceFactory;
+      migration: TExternalMigrationServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -101,6 +101,9 @@ import {
   TIdentityKubernetesAuths,
   TIdentityKubernetesAuthsInsert,
   TIdentityKubernetesAuthsUpdate,
+  TIdentityMetadata,
+  TIdentityMetadataInsert,
+  TIdentityMetadataUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -546,6 +549,11 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
+    [TableName.IdentityMetadata]: KnexOriginal.CompositeTableType<
+      TIdentityMetadata,
+      TIdentityMetadataInsert,
+      TIdentityMetadataUpdate
+    >;
     [TableName.IdentityKubernetesAuth]: KnexOriginal.CompositeTableType<
       TIdentityKubernetesAuths,
       TIdentityKubernetesAuthsInsert,

backend/src/@types/ldif.d.ts

@@ -0,0 +1,4 @@
+declare module "ldif" {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, the function returns `any`.
+  function parse(input: string, ...args: any[]): any;
+}

backend/src/db/migrations/20240918005344_add-group-approvals.ts

@@ -3,34 +3,74 @@ import { Knex } from "knex";
 import { TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
   if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
-    // add column approverGroupId to AccessApprovalPolicyApprover
     await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
-      // make nullable
+      // add column approverGroupId to AccessApprovalPolicyApprover
+      if (!hasAccessApproverGroupId) {
         table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
       // make approverUserId nullable
+      if (hasAccessApproverUserId) {
         table.uuid("approverUserId").nullable().alter();
+      }
     });
-    // add column approverGroupId to SecretApprovalPolicyApprover
     await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
-      table.uuid("approverGroupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      // add column approverGroupId to SecretApprovalPolicyApprover
+      if (!hasSecretApproverGroupId) {
+        table.uuid("approverGroupId").nullable().references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      }
+
+      // make approverUserId nullable
+      if (hasSecretApproverUserId) {
         table.uuid("approverUserId").nullable().alter();
+      }
     });
   }
 }
 
 export async function down(knex: Knex): Promise<void> {
+  const hasAccessApproverGroupId = await knex.schema.hasColumn(
+    TableName.AccessApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasAccessApproverUserId = await knex.schema.hasColumn(TableName.AccessApprovalPolicyApprover, "approverUserId");
+  const hasSecretApproverGroupId = await knex.schema.hasColumn(
+    TableName.SecretApprovalPolicyApprover,
+    "approverGroupId"
+  );
+  const hasSecretApproverUserId = await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId");
+
   if (await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover)) {
-    // remove
     await knex.schema.alterTable(TableName.AccessApprovalPolicyApprover, (table) => {
+      if (hasAccessApproverGroupId) {
         table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasAccessApproverUserId) {
         table.uuid("approverUserId").notNullable().alter();
+      }
     });
 
     // remove
     await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (table) => {
+      if (hasSecretApproverGroupId) {
         table.dropColumn("approverGroupId");
+      }
+      // make approverUserId not nullable
+      if (hasSecretApproverUserId) {
         table.uuid("approverUserId").notNullable().alter();
+      }
     });
   }
 }

backend/src/db/migrations/20240924100329_identity-metadata.ts

@@ -0,0 +1,24 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityMetadata))) {
+    await knex.schema.createTable(TableName.IdentityMetadata, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("key").notNullable();
+      tb.string("value").notNullable();
+      tb.uuid("orgId").notNullable();
+      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      tb.uuid("userId");
+      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      tb.uuid("identityId");
+      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      tb.timestamps(true, true, true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityMetadata);
+}

backend/src/db/migrations/20240925100349_managed-secret-sharing.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      t.string("iv").nullable().alter();
+      t.string("tag").nullable().alter();
+      t.string("encryptedValue").nullable().alter();
+
+      t.binary("encryptedSecret").nullable();
+      t.string("hashedHex").nullable().alter();
+
+      t.string("identifier", 64).nullable();
+      t.unique("identifier");
+      t.index("identifier");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+      t.dropColumn("encryptedSecret");
+
+      t.dropColumn("identifier");
+    });
+  }
+}

backend/src/db/migrations/20240930072738_add-oidc-auth-enforced-to-org.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed"))) {
+    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+      tb.datetime("lastUsed");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "lastUsed")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+      tb.dropColumn("lastUsed");
+    });
+  }
+}

backend/src/db/migrations/20241003220151_kms-key-cmek-alterations.ts

@@ -0,0 +1,46 @@
+import { Knex } from "knex";
+
+import { dropConstraintIfExists } from "@app/db/migrations/utils/dropConstraintIfExists";
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    // drop constraint if exists (won't exist if rolled back, see below)
+    await dropConstraintIfExists(TableName.KmsKey, "kms_keys_orgid_slug_unique", knex);
+
+    // projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      table.string("projectId").nullable().references("id").inTable(TableName.Project).onDelete("CASCADE");
+
+      if (hasOrgId) {
+        table.unique(["orgId", "projectId", "slug"]);
+      }
+
+      if (hasSlug) {
+        table.renameColumn("slug", "name");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasName = await knex.schema.hasColumn(TableName.KmsKey, "name");
+
+    // remove projectId for CMEK functionality
+    await knex.schema.alterTable(TableName.KmsKey, (table) => {
+      if (hasName) {
+        table.renameColumn("name", "slug");
+      }
+
+      if (hasOrgId) {
+        table.dropUnique(["orgId", "projectId", "slug"]);
+      }
+      table.dropColumn("projectId");
+    });
+  }
+}

backend/src/db/migrations/20241005170802_kms-keys-temp-slug-col.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (!hasSlug) {
+      // add slug back temporarily and set value equal to name
+      await knex.schema
+        .alterTable(TableName.KmsKey, (table) => {
+          table.string("slug", 32);
+        })
+        .then(() => knex(TableName.KmsKey).update("slug", knex.ref("name")));
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (hasSlug) {
+      await knex.schema.alterTable(TableName.KmsKey, (table) => {
+        table.dropColumn("slug");
+      });
+    }
+  }
+}

backend/src/db/migrations/utils/dropConstraintIfExists.ts

@@ -0,0 +1,6 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export const dropConstraintIfExists = (tableName: TableName, constraintName: string, knex: Knex) =>
+  knex.raw(`ALTER TABLE ${tableName} DROP CONSTRAINT IF EXISTS ${constraintName};`);

backend/src/db/migrations/utils/kms.ts

@@ -54,7 +54,7 @@ export const getSecretManagerDataKey = async (knex: Knex, projectId: string) =>
   } else {
     const [kmsDoc] = await knex(TableName.KmsKey)
       .insert({
-        slug: slugify(alphaNumericNanoId(8).toLowerCase()),
+        name: slugify(alphaNumericNanoId(8).toLowerCase()),
         orgId: project.orgId,
         isReserved: false
       })

backend/src/db/schemas/identity-metadata.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityMetadataSchema = z.object({
+  id: z.string().uuid(),
+  key: z.string(),
+  value: z.string(),
+  orgId: z.string().uuid(),
+  userId: z.string().uuid().nullable().optional(),
+  identityId: z.string().uuid().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityMetadata = z.infer<typeof IdentityMetadataSchema>;
+export type TIdentityMetadataInsert = Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>;
+export type TIdentityMetadataUpdate = Partial<Omit<z.input<typeof IdentityMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -31,6 +31,7 @@ export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
+export * from "./identity-metadata";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";

backend/src/db/schemas/kms-keys.ts

@@ -13,9 +13,11 @@ export const KmsKeysSchema = z.object({
   isDisabled: z.boolean().default(false).nullable().optional(),
   isReserved: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
-  slug: z.string(),
+  name: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  projectId: z.string().nullable().optional(),
+  slug: z.string().nullable().optional()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/models.ts

@@ -70,6 +70,8 @@ export enum TableName {
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
+  // used by both identity and users
+  IdentityMetadata = "identity_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",

backend/src/db/schemas/oidc-configs.ts

@@ -26,7 +26,8 @@ export const OidcConfigsSchema = z.object({
   isActive: z.boolean(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  orgId: z.string().uuid()
+  orgId: z.string().uuid(),
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -5,14 +5,16 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const SecretSharingSchema = z.object({
   id: z.string().uuid(),
-  encryptedValue: z.string(),
+  encryptedValue: z.string().nullable().optional(),
-  iv: z.string(),
+  iv: z.string().nullable().optional(),
-  tag: z.string(),
+  tag: z.string().nullable().optional(),
-  hashedHex: z.string(),
+  hashedHex: z.string().nullable().optional(),
   expiresAt: z.date(),
   userId: z.string().uuid().nullable().optional(),
   orgId: z.string().uuid().nullable().optional(),
@@ -22,7 +24,9 @@ export const SecretSharingSchema = z.object({
   accessType: z.string().default("anyone"),
   name: z.string().nullable().optional(),
   lastViewedAt: z.date().nullable().optional(),
-  password: z.string().nullable().optional()
+  password: z.string().nullable().optional(),
+  encryptedSecret: zodBuffer.nullable().optional(),
+  identifier: z.string().nullable().optional()
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/ee/routes/v1/external-kms-router.ts

@@ -26,7 +26,7 @@ const sanitizedExternalSchemaForGetAll = KmsKeysSchema.pick({
   isDisabled: true,
   createdAt: true,
   updatedAt: true,
-  slug: true
+  name: true
 })
   .extend({
     externalKms: ExternalKmsSchema.pick({
@@ -57,7 +57,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
     },
     schema: {
       body: z.object({
-        slug: z.string().min(1).trim().toLowerCase(),
+        name: z.string().min(1).trim().toLowerCase(),
         description: z.string().trim().optional(),
         provider: ExternalKmsInputSchema
       }),
@@ -74,7 +74,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
         provider: req.body.provider,
         description: req.body.description
       });
@@ -87,7 +87,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           metadata: {
             kmsId: externalKms.id,
             provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
             description: req.body.description
           }
         }
@@ -108,7 +108,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().min(1)
       }),
       body: z.object({
-        slug: z.string().min(1).trim().toLowerCase().optional(),
+        name: z.string().min(1).trim().toLowerCase().optional(),
         description: z.string().trim().optional(),
         provider: ExternalKmsInputUpdateSchema
       }),
@@ -125,7 +125,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.body.slug,
+        name: req.body.name,
         provider: req.body.provider,
         description: req.body.description,
         id: req.params.id
@@ -139,7 +139,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           metadata: {
             kmsId: externalKms.id,
             provider: req.body.provider.type,
-            slug: req.body.slug,
+            name: req.body.name,
             description: req.body.description
           }
         }
@@ -182,7 +182,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           type: EventType.DELETE_KMS,
           metadata: {
             kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
           }
         }
       });
@@ -224,7 +224,7 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
           type: EventType.GET_KMS,
           metadata: {
             kmsId: externalKms.id,
-            slug: externalKms.slug
+            name: externalKms.name
           }
         }
       });
@@ -260,13 +260,13 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
 
   server.route({
     method: "GET",
-    url: "/slug/:slug",
+    url: "/name/:name",
     config: {
       rateLimit: readLimit
     },
     schema: {
       params: z.object({
-        slug: z.string().trim().min(1)
+        name: z.string().trim().min(1)
       }),
       response: {
         200: z.object({
@@ -276,12 +276,12 @@ export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const externalKms = await server.services.externalKms.findBySlug({
+      const externalKms = await server.services.externalKms.findByName({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        slug: req.params.slug
+        name: req.params.name
       });
       return { externalKms };
     }

backend/src/ee/routes/v1/project-role-router.ts

@@ -3,10 +3,11 @@ import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectMembershipRole, ProjectMembershipsSchema, ProjectRolesSchema } from "@app/db/schemas";
+import { ProjectPermissionSchema } from "@app/ee/services/permission/project-permission";
 import { PROJECT_ROLE } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
+import { SanitizedRoleSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {

backend/src/ee/routes/v1/project-router.ts

@@ -203,7 +203,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })
@@ -243,7 +243,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })
@@ -268,7 +268,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           metadata: {
             secretManagerKmsKey: {
               id: secretManagerKmsKey.id,
-              slug: secretManagerKmsKey.slug
+              name: secretManagerKmsKey.name
             }
           }
         }
@@ -336,7 +336,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         200: z.object({
           secretManagerKmsKey: z.object({
             id: z.string(),
-            slug: z.string(),
+            name: z.string(),
             isExternal: z.boolean()
           })
         })

backend/src/ee/routes/v1/saml-router.ts

@@ -100,6 +100,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
       async (req, profile, cb) => {
         try {
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
+
           const email =
             profile?.email ??
             // entra sends data in this format
@@ -123,6 +124,14 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             );
           }
 
+          const userMetadata = Object.keys(profile.attributes || {})
+            .map((key) => {
+              // for the ones like in format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
+              const formatedKey = key.startsWith("http") ? key.split("/").at(-1) || "" : key;
+              return { key: formatedKey, value: String((profile.attributes as Record<string, string>)[key]) };
+            })
+            .filter((el) => el.key && !["email", "firstName", "lastName"].includes(el.key));
+
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
             externalId: profile.nameID,
             email,
@@ -130,7 +139,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,
             authProvider: (req as unknown as FastifyRequest).ssoConfig?.authProvider as string,
-            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string
+            orgId: (req as unknown as FastifyRequest).ssoConfig?.orgId as string,
+            metadata: userMetadata
           });
           cb(null, { isUserCompleted, providerAuthToken });
         } catch (error) {

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -1,23 +1,21 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers, VerifyApproversError } from "./access-approval-policy-types";
+import { TIsApproversValid } from "./access-approval-policy-types";
 
-export const verifyApprovers = async ({
+export const isApproversValid = async ({
   userIds,
   projectId,
   orgId,
   envSlug,
   actorAuthMethod,
   secretPath,
-  permissionService,
+  permissionService
-  error
+}: TIsApproversValid) => {
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
   try {
+    for await (const userId of userIds) {
       const { permission: approverPermission } = await permissionService.getProjectPermission(
         ActorType.USER,
         userId,
@@ -30,17 +28,9 @@ export const verifyApprovers = async ({
         ProjectPermissionActions.Create,
         subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
       );
-    } catch (err) {
-      if (error === VerifyApproversError.BadRequestError) {
-        throw new BadRequestError({
-          message: "One or more approvers doesn't have access to be specified secret path"
-        });
-      }
-      if (error === VerifyApproversError.ForbiddenError) {
-        throw new ForbiddenRequestError({
-          message: "You don't have access to approve this request"
-        });
-      }
     }
+  } catch {
+    return false;
   }
+  return true;
 };

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -11,7 +11,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
+import { isApproversValid } from "./access-approval-policy-fns";
 import {
   ApproverType,
   TCreateAccessApprovalPolicy,
@@ -19,8 +19,7 @@ import {
   TGetAccessApprovalPolicyByIdDTO,
   TGetAccessPolicyCountByEnvironmentDTO,
   TListAccessApprovalPoliciesDTO,
-  TUpdateAccessApprovalPolicy,
+  TUpdateAccessApprovalPolicy
-  VerifyApproversError
 } from "./access-approval-policy-types";
 
 type TSecretApprovalPolicyServiceFactoryDep = {
@@ -133,17 +132,22 @@ export const accessApprovalPolicyServiceFactory = ({
       .map((user) => user.id);
     verifyAllApprovers.push(...verifyGroupApprovers);
 
-    await verifyApprovers({
+    const approversValid = await isApproversValid({
       projectId: project.id,
       orgId: actorOrgId,
       envSlug: environment,
       secretPath,
       actorAuthMethod,
       permissionService,
-      userIds: verifyAllApprovers,
+      userIds: verifyAllApprovers
-      error: VerifyApproversError.BadRequestError
     });
 
+    if (!approversValid) {
+      throw new BadRequestError({
+        message: "One or more approvers doesn't have access to be specified secret path"
+      });
+    }
+
     const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.create(
         {
@@ -285,17 +289,22 @@ export const accessApprovalPolicyServiceFactory = ({
           userApproverIds = userApproverIds.concat(approverUsers.map((user) => user.id));
         }
 
-        await verifyApprovers({
+        const approversValid = await isApproversValid({
           projectId: accessApprovalPolicy.projectId,
           orgId: actorOrgId,
           envSlug: accessApprovalPolicy.environment.slug,
           secretPath: doc.secretPath!,
           actorAuthMethod,
           permissionService,
-          userIds: userApproverIds,
+          userIds: userApproverIds
-          error: VerifyApproversError.BadRequestError
         });
 
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
         await accessApprovalPolicyApproverDAL.insertMany(
           userApproverIds.map((userId) => ({
             approverUserId: userId,
@@ -325,16 +334,22 @@ export const accessApprovalPolicyServiceFactory = ({
           .filter((user) => user.isPartOfGroup)
           .map((user) => user.id);
 
-        await verifyApprovers({
+        const approversValid = await isApproversValid({
           projectId: accessApprovalPolicy.projectId,
           orgId: actorOrgId,
           envSlug: accessApprovalPolicy.environment.slug,
           secretPath: doc.secretPath!,
           actorAuthMethod,
           permissionService,
-          userIds: verifyGroupApprovers,
+          userIds: verifyGroupApprovers
-          error: VerifyApproversError.BadRequestError
         });
+
+        if (!approversValid) {
+          throw new BadRequestError({
+            message: "One or more approvers doesn't have access to be specified secret path"
+          });
+        }
+
         await accessApprovalPolicyApproverDAL.insertMany(
           groupApprovers.map((groupId) => ({
             approverGroupId: groupId,
@@ -398,7 +413,9 @@ export const accessApprovalPolicyServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new NotFoundError({ message: "User not found in project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
     if (!environment) throw new NotFoundError({ message: "Environment not found" });

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -3,12 +3,7 @@ import { ActorAuthMethod } from "@app/services/auth/auth-type";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
 
-export enum VerifyApproversError {
+export type TIsApproversValid = {
-  ForbiddenError = "ForbiddenError",
-  BadRequestError = "BadRequestError"
-}
-
-export type TVerifyApprovers = {
   userIds: string[];
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   envSlug: string;
@@ -16,7 +11,6 @@ export type TVerifyApprovers = {
   secretPath: string;
   projectId: string;
   orgId: string;
-  error: VerifyApproversError;
 };
 
 export enum ApproverType {

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -17,8 +17,7 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
+import { isApproversValid } from "../access-approval-policy/access-approval-policy-fns";
-import { VerifyApproversError } from "../access-approval-policy/access-approval-policy-types";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
@@ -100,7 +99,7 @@ export const accessApprovalRequestServiceFactory = ({
   }: TCreateAccessApprovalRequestDTO) => {
     const cfg = getConfig();
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new ForbiddenRequestError({ message: "Project not found" });
+    if (!project) throw new NotFoundError({ message: "Project not found" });
 
     // Anyone can create an access approval request.
     const { membership } = await permissionService.getProjectPermission(
@@ -110,7 +109,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const requestedByUser = await userDAL.findById(actorId);
     if (!requestedByUser) throw new ForbiddenRequestError({ message: "User not found" });
@@ -272,7 +273,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new NotFoundError({ message: "You don't have a membership for the specified project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
     let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
@@ -308,7 +311,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorOrgId
     );
 
-    if (!membership) throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -320,17 +325,20 @@ export const accessApprovalRequestServiceFactory = ({
 
     const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
 
-    await verifyApprovers({
+    const approversValid = await isApproversValid({
       projectId: accessApprovalRequest.projectId,
       orgId: actorOrgId,
       envSlug: accessApprovalRequest.environment,
       secretPath: accessApprovalRequest.policy.secretPath!,
       actorAuthMethod,
       permissionService,
-      userIds: [reviewerProjectMembership.userId],
+      userIds: [reviewerProjectMembership.userId]
-      error: VerifyApproversError.ForbiddenError
     });
 
+    if (!approversValid) {
+      throw new ForbiddenRequestError({ message: "You don't have access to approve this request" });
+    }
+
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
@@ -422,7 +430,9 @@ export const accessApprovalRequestServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    if (!membership) throw new NotFoundError({ message: "You don't have a membership for the specified project" });
+    if (!membership) {
+      throw new ForbiddenRequestError({ message: "You are not a member of this project" });
+    }
 
     const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,3 +1,4 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
@@ -122,6 +123,7 @@ export enum EventType {
   UPDATE_WEBHOOK_STATUS = "update-webhook-status",
   DELETE_WEBHOOK = "delete-webhook",
   GET_SECRET_IMPORTS = "get-secret-imports",
+  GET_SECRET_IMPORT = "get-secret-import",
   CREATE_SECRET_IMPORT = "create-secret-import",
   UPDATE_SECRET_IMPORT = "update-secret-import",
   DELETE_SECRET_IMPORT = "delete-secret-import",
@@ -182,7 +184,13 @@ export enum EventType {
   DELETE_SLACK_INTEGRATION = "delete-slack-integration",
   GET_PROJECT_SLACK_CONFIG = "get-project-slack-config",
   UPDATE_PROJECT_SLACK_CONFIG = "update-project-slack-config",
-  INTEGRATION_SYNCED = "integration-synced"
+  INTEGRATION_SYNCED = "integration-synced",
+  CREATE_CMEK = "create-cmek",
+  UPDATE_CMEK = "update-cmek",
+  DELETE_CMEK = "delete-cmek",
+  GET_CMEKS = "get-cmeks",
+  CMEK_ENCRYPT = "cmek-encrypt",
+  CMEK_DECRYPT = "cmek-decrypt"
 }
 
 interface UserActorMetadata {
@@ -1004,6 +1012,14 @@ interface GetSecretImportsEvent {
   };
 }
 
+interface GetSecretImportEvent {
+  type: EventType.GET_SECRET_IMPORT;
+  metadata: {
+    secretImportId: string;
+    folderId: string;
+  };
+}
+
 interface CreateSecretImportEvent {
   type: EventType.CREATE_SECRET_IMPORT;
   metadata: {
@@ -1350,7 +1366,7 @@ interface CreateKmsEvent {
   metadata: {
     kmsId: string;
     provider: string;
-    slug: string;
+    name: string;
     description?: string;
   };
 }
@@ -1359,7 +1375,7 @@ interface DeleteKmsEvent {
   type: EventType.DELETE_KMS;
   metadata: {
     kmsId: string;
-    slug: string;
+    name: string;
   };
 }
 
@@ -1368,7 +1384,7 @@ interface UpdateKmsEvent {
   metadata: {
     kmsId: string;
     provider: string;
-    slug?: string;
+    name?: string;
     description?: string;
   };
 }
@@ -1377,7 +1393,7 @@ interface GetKmsEvent {
   type: EventType.GET_KMS;
   metadata: {
     kmsId: string;
-    slug: string;
+    name: string;
   };
 }
 
@@ -1386,7 +1402,7 @@ interface UpdateProjectKmsEvent {
   metadata: {
     secretManagerKmsKey: {
       id: string;
-      slug: string;
+      name: string;
     };
   };
 }
@@ -1541,6 +1557,53 @@ interface IntegrationSyncedEvent {
   };
 }
 
+interface CreateCmekEvent {
+  type: EventType.CREATE_CMEK;
+  metadata: {
+    keyId: string;
+    name: string;
+    description?: string;
+    encryptionAlgorithm: SymmetricEncryption;
+  };
+}
+
+interface DeleteCmekEvent {
+  type: EventType.DELETE_CMEK;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface UpdateCmekEvent {
+  type: EventType.UPDATE_CMEK;
+  metadata: {
+    keyId: string;
+    name?: string;
+    description?: string;
+  };
+}
+
+interface GetCmeksEvent {
+  type: EventType.GET_CMEKS;
+  metadata: {
+    keyIds: string[];
+  };
+}
+
+interface CmekEncryptEvent {
+  type: EventType.CMEK_ENCRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
+interface CmekDecryptEvent {
+  type: EventType.CMEK_DECRYPT;
+  metadata: {
+    keyId: string;
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1620,6 +1683,7 @@ export type Event =
   | UpdateWebhookStatusEvent
   | DeleteWebhookEvent
   | GetSecretImportsEvent
+  | GetSecretImportEvent
   | CreateSecretImportEvent
   | UpdateSecretImportEvent
   | DeleteSecretImportEvent
@@ -1680,4 +1744,10 @@ export type Event =
   | GetSlackIntegration
   | UpdateProjectSlackConfig
   | GetProjectSlackConfig
-  | IntegrationSyncedEvent;
+  | IntegrationSyncedEvent
+  | CreateCmekEvent
+  | UpdateCmekEvent
+  | DeleteCmekEvent
+  | GetCmeksEvent
+  | CmekEncryptEvent
+  | CmekDecryptEvent;

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -3,6 +3,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
@@ -20,5 +21,6 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
   [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
   [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
-  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
+  [DynamicSecretProviders.Ldap]: LdapProvider()
 });

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -0,0 +1,235 @@
+import handlebars from "handlebars";
+import ldapjs from "ldapjs";
+import ldif from "ldif";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { LdapSchema, TDynamicProviderFns } from "./models";
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+const encodePassword = (password?: string) => {
+  const quotedPassword = `"${password}"`;
+  const utf16lePassword = Buffer.from(quotedPassword, "utf16le");
+  const base64Password = utf16lePassword.toString("base64");
+  return base64Password;
+};
+
+const generateUsername = () => {
+  return alphaNumericNanoId(20);
+};
+
+const generateLDIF = ({
+  username,
+  password,
+  ldifTemplate
+}: {
+  username: string;
+  password?: string;
+  ldifTemplate: string;
+}): string => {
+  const data = {
+    Username: username,
+    Password: password,
+    EncodedPassword: encodePassword(password)
+  };
+
+  const renderTemplate = handlebars.compile(ldifTemplate);
+  const renderedLdif = renderTemplate(data);
+
+  return renderedLdif;
+};
+
+export const LdapProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await LdapSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
+    return new Promise((resolve, reject) => {
+      const client = ldapjs.createClient({
+        url: providerInputs.url,
+        tlsOptions: {
+          ca: providerInputs.ca ? providerInputs.ca : null,
+          rejectUnauthorized: !!providerInputs.ca
+        },
+        reconnect: true,
+        bindDN: providerInputs.binddn,
+        bindCredentials: providerInputs.bindpass
+      });
+
+      client.on("error", (err: Error) => {
+        client.unbind();
+        reject(new BadRequestError({ message: err.message }));
+      });
+
+      client.bind(providerInputs.binddn, providerInputs.bindpass, (err) => {
+        if (err) {
+          client.unbind();
+          reject(new BadRequestError({ message: err.message }));
+        } else {
+          resolve(client);
+        }
+      });
+    });
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+    return client.connected;
+  };
+
+  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
+    type TEntry = {
+      dn: string;
+      type: string;
+
+      changes: {
+        operation?: string;
+        attribute: {
+          attribute: string;
+        };
+        value: {
+          value: string;
+        };
+        values: {
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Untyped, can be any for ldapjs.Change.modification.values
+          value: any;
+        }[];
+      }[];
+    };
+
+    let parsedEntries: TEntry[];
+
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+      parsedEntries = ldif.parse(ldif_file).entries as TEntry[];
+    } catch (err) {
+      throw new BadRequestError({
+        message: "Invalid LDIF format, refer to the documentation at Dynamic secrets > LDAP > LDIF Entries."
+      });
+    }
+
+    const dnArray: string[] = [];
+
+    for await (const entry of parsedEntries) {
+      const { dn } = entry;
+      let responseDn: string;
+
+      if (entry.type === "add") {
+        const attributes: Record<string, string | string[]> = {};
+
+        entry.changes.forEach((change) => {
+          const attrName = change.attribute.attribute;
+          const attrValue = change.value.value;
+
+          attributes[attrName] = Array.isArray(attrValue) ? attrValue : [attrValue];
+        });
+
+        responseDn = await new Promise((resolve, reject) => {
+          client.add(dn, attributes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "modify") {
+        const changes: ldapjs.Change[] = [];
+
+        entry.changes.forEach((change) => {
+          changes.push(
+            new ldapjs.Change({
+              operation: change.operation || "replace",
+              modification: {
+                type: change.attribute.attribute,
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-return
+                values: change.values.map((value) => value.value)
+              }
+            })
+          );
+        });
+
+        responseDn = await new Promise((resolve, reject) => {
+          client.modify(dn, changes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "delete") {
+        responseDn = await new Promise((resolve, reject) => {
+          client.del(dn, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else {
+        client.unbind();
+        throw new BadRequestError({ message: `Unsupported operation type ${entry.type}` });
+      }
+
+      dnArray.push(responseDn);
+    }
+    client.unbind();
+    return dnArray;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+    const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
+
+    try {
+      const dnArray = await executeLdif(client, generatedLdif);
+
+      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+    } catch (err) {
+      if (providerInputs.rollbackLdif) {
+        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
+        await executeLdif(client, rollbackLdif);
+      }
+      throw new BadRequestError({ message: (err as Error).message });
+    }
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const connection = await getClient(providerInputs);
+    const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
+
+    await executeLdif(connection, revocationLdif);
+
+    return { entityId };
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -174,6 +174,17 @@ export const AzureEntraIDSchema = z.object({
   clientSecret: z.string().trim().min(1)
 });
 
+export const LdapSchema = z.object({
+  url: z.string().trim().min(1),
+  binddn: z.string().trim().min(1),
+  bindpass: z.string().trim().min(1),
+  ca: z.string().optional(),
+
+  creationLdif: z.string().min(1),
+  revocationLdif: z.string().min(1),
+  rollbackLdif: z.string().optional()
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -184,7 +195,8 @@ export enum DynamicSecretProviders {
   ElasticSearch = "elastic-search",
   MongoDB = "mongo-db",
   RabbitMq = "rabbit-mq",
-  AzureEntraID = "azure-entra-id"
+  AzureEntraID = "azure-entra-id",
+  Ldap = "ldap"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -197,7 +209,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/external-kms/external-kms-dal.ts

@@ -30,7 +30,7 @@ export const externalKmsDALFactory = (db: TDbClient) => {
         isDisabled: el.isDisabled,
         isReserved: el.isReserved,
         orgId: el.orgId,
-        slug: el.slug,
+        name: el.name,
         createdAt: el.createdAt,
         updatedAt: el.updatedAt,
         externalKms: {

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -43,7 +43,7 @@ export const externalKmsServiceFactory = ({
     provider,
     description,
     actor,
-    slug,
+    name,
     actorId,
     actorOrgId,
     actorAuthMethod
@@ -64,7 +64,7 @@ export const externalKmsServiceFactory = ({
       });
     }
 
-    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const kmsName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
 
     let sanitizedProviderInput = "";
     switch (provider.type) {
@@ -96,7 +96,7 @@ export const externalKmsServiceFactory = ({
         {
           isReserved: false,
           description,
-          slug: kmsSlug,
+          name: kmsName,
           orgId: actorOrgId
         },
         tx
@@ -120,7 +120,7 @@ export const externalKmsServiceFactory = ({
     description,
     actor,
     id: kmsId,
-    slug,
+    name,
     actorId,
     actorOrgId,
     actorAuthMethod
@@ -142,7 +142,7 @@ export const externalKmsServiceFactory = ({
       });
     }
 
-    const kmsSlug = slug ? slugify(slug) : undefined;
+    const kmsName = name ? slugify(name) : undefined;
 
     const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
     if (!externalKmsDoc) throw new NotFoundError({ message: "External kms not found" });
@@ -188,7 +188,7 @@ export const externalKmsServiceFactory = ({
         kmsDoc.id,
         {
           description,
-          slug: kmsSlug
+          name: kmsName
         },
         tx
       );
@@ -280,14 +280,14 @@ export const externalKmsServiceFactory = ({
     }
   };
 
-  const findBySlug = async ({
+  const findByName = async ({
     actor,
     actorId,
     actorOrgId,
     actorAuthMethod,
-    slug: kmsSlug
+    name: kmsName
   }: TGetExternalKmsBySlugDTO) => {
-    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const kmsDoc = await kmsDAL.findOne({ name: kmsName, orgId: actorOrgId });
     const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
@@ -327,6 +327,6 @@ export const externalKmsServiceFactory = ({
     deleteById,
     list,
     findById,
-    findBySlug
+    findByName
   };
 };

backend/src/ee/services/external-kms/external-kms-types.ts

@@ -3,14 +3,14 @@ import { TOrgPermission } from "@app/lib/types";
 import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";
 
 export type TCreateExternalKmsDTO = {
-  slug?: string;
+  name?: string;
   description?: string;
   provider: TExternalKmsInputSchema;
 } & Omit<TOrgPermission, "orgId">;
 
 export type TUpdateExternalKmsDTO = {
   id: string;
-  slug?: string;
+  name?: string;
   description?: string;
   provider?: TExternalKmsInputUpdateSchema;
 } & Omit<TOrgPermission, "orgId">;
@@ -26,5 +26,5 @@ export type TGetExternalKmsByIdDTO = {
 } & Omit<TOrgPermission, "orgId">;
 
 export type TGetExternalKmsBySlugDTO = {
-  slug: string;
+  name: string;
 } & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -34,18 +34,12 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
 
 // TODO(akhilmhdh): move this to more centralized
 export const UnpackedPermissionSchema = z.object({
-  subject: z.union([z.string().min(1), z.string().array()]).optional(),
+  subject: z
-  action: z.union([z.string().min(1), z.string().array()]),
+    .union([z.string().min(1), z.string().array()])
-  conditions: z
+    .transform((el) => (typeof el !== "string" ? el[0] : el))
-    .object({
+    .optional(),
-      environment: z.string().optional(),
+  action: z.union([z.string().min(1), z.string().array()]).transform((el) => (typeof el === "string" ? [el] : el)),
-      secretPath: z
+  conditions: z.unknown().optional()
-        .object({
-          $glob: z.string().min(1)
-        })
-        .optional()
-    })
-    .optional()
 });
 
 const unpackPermissions = (permissions: unknown) =>

backend/src/ee/services/oidc/oidc-config-dal.ts

@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
@@ -7,5 +8,22 @@ export type TOidcConfigDALFactory = ReturnType<typeof oidcConfigDALFactory>;
 export const oidcConfigDALFactory = (db: TDbClient) => {
   const oidcCfgOrm = ormify(db, TableName.OidcConfig);
 
-  return { ...oidcCfgOrm };
+  const findEnforceableOidcCfg = async (orgId: string) => {
+    try {
+      const oidcCfg = await db
+        .replicaNode()(TableName.OidcConfig)
+        .where({
+          orgId,
+          isActive: true
+        })
+        .whereNotNull("lastUsed")
+        .first();
+
+      return oidcCfg;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org by id" });
+    }
+  };
+
+  return { ...oidcCfgOrm, findEnforceableOidcCfg };
 };

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -314,6 +314,8 @@ export const oidcConfigServiceFactory = ({
       }
     );
 
+    await oidcConfigDAL.update({ orgId }, { lastUsed: new Date() });
+
     if (user.email && !user.isEmailVerified) {
       const token = await tokenService.createTokenForUser({
         type: TokenType.TOKEN_EMAIL_VERIFICATION,
@@ -395,7 +397,8 @@ export const oidcConfigServiceFactory = ({
       tokenEndpoint,
       userinfoEndpoint,
       jwksUri,
-      isActive
+      isActive,
+      lastUsed: null
     };
 
     if (clientId !== undefined) {
@@ -418,6 +421,7 @@ export const oidcConfigServiceFactory = ({
     }
 
     const [ssoConfig] = await oidcConfigDAL.update({ orgId: org.id }, updateQuery);
+    await orgDAL.updateById(org.id, { authEnforced: false, scimEnabled: false });
     return ssoConfig;
   };
 

backend/src/ee/services/permission/permission-dal.ts

@@ -168,8 +168,14 @@ export const permissionDALFactory = (db: TDbClient) => {
         })
         .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
         .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
+        })
         .select(
           db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("username").withSchema(TableName.Users).as("username"),
           // groups specific
           db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
           db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
@@ -257,6 +263,9 @@ export const permissionDALFactory = (db: TDbClient) => {
             .withSchema(TableName.ProjectUserAdditionalPrivilege)
             .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
           // general
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
           db.ref("orgId").withSchema(TableName.Project),
           db.ref("id").withSchema(TableName.Project).as("projectId")
@@ -267,6 +276,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         key: "projectId",
         parentMapper: ({
           orgId,
+          username,
           orgAuthEnforced,
           membershipId,
           groupMembershipId,
@@ -279,6 +289,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           orgAuthEnforced,
           userId,
           projectId,
+          username,
           id: membershipId || groupMembershipId,
           createdAt: membershipCreatedAt || groupMembershipCreatedAt,
           updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
@@ -354,6 +365,15 @@ export const permissionDALFactory = (db: TDbClient) => {
               temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
               isTemporary: userAdditionalPrivilegesIsTemporary
             })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });
@@ -399,6 +419,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
           `${TableName.IdentityProjectMembership}.id`
         )
+        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
         .leftJoin(
           TableName.ProjectRoles,
           `${TableName.IdentityProjectMembershipRole}.customRoleId`,
@@ -415,11 +436,17 @@ export const permissionDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.projectId`,
           `${TableName.Project}.id`
         )
-        .where("identityId", identityId)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .where(`${TableName.IdentityProjectMembership}.identityId`, identityId)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
         .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
         .select(
           db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
           db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
           db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
           db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
@@ -443,15 +470,19 @@ export const permissionDALFactory = (db: TDbClient) => {
           db
             .ref("temporaryAccessEndTime")
             .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime")
+            .as("identityApTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
         );
 
       const permission = sqlNestRelationships({
         data: docs,
         key: "membershipId",
-        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId }) => ({
+        parentMapper: ({ membershipId, membershipCreatedAt, membershipUpdatedAt, orgId, identityName }) => ({
           id: membershipId,
           identityId,
+          username: identityName,
           projectId,
           createdAt: membershipCreatedAt,
           updatedAt: membershipUpdatedAt,
@@ -489,6 +520,15 @@ export const permissionDALFactory = (db: TDbClient) => {
               temporaryAccessStartTime: identityApTemporaryAccessStartTime,
               isTemporary: identityApIsTemporary
             })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
           }
         ]
       });

backend/src/ee/services/permission/permission-fns.ts

@@ -14,14 +14,19 @@ function isAuthMethodSaml(actorAuthMethod: ActorAuthMethod) {
   ].includes(actorAuthMethod);
 }
 
-function validateOrgSAML(actorAuthMethod: ActorAuthMethod, isSamlEnforced: TOrganizations["authEnforced"]) {
+function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrganizations["authEnforced"]) {
   if (actorAuthMethod === undefined) {
     throw new UnauthorizedError({ name: "No auth method defined" });
   }
 
-  if (isSamlEnforced && actorAuthMethod !== null && !isAuthMethodSaml(actorAuthMethod)) {
+  if (
-    throw new ForbiddenRequestError({ name: "SAML auth enforced, cannot access org-scoped resource" });
+    isOrgSsoEnforced &&
+    actorAuthMethod !== null &&
+    !isAuthMethodSaml(actorAuthMethod) &&
+    actorAuthMethod !== AuthMethod.OIDC
+  ) {
+    throw new ForbiddenRequestError({ name: "Org auth enforced. Cannot access org-scoped resource" });
   }
 }
 
-export { isAuthMethodSaml, validateOrgSAML };
+export { isAuthMethodSaml, validateOrgSSO };

backend/src/ee/services/permission/permission-service-types.ts

@@ -0,0 +1,9 @@
+export type TBuildProjectPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];
+
+export type TBuildOrgPermissionDTO = {
+  permissions?: unknown;
+  role: string;
+}[];

backend/src/ee/services/permission/permission-service.ts

@@ -1,6 +1,7 @@
 import { createMongoAbility, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, unpackRules } from "@casl/ability/extra";
 import { MongoQuery } from "@ucast/mongo2js";
+import handlebars from "handlebars";
 
 import {
   OrgMembershipRole,
@@ -11,6 +12,7 @@ import {
 } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { objectify } from "@app/lib/fn";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -19,8 +21,8 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { validateOrgSAML } from "./permission-fns";
+import { validateOrgSSO } from "./permission-fns";
-import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
   buildServiceTokenProjectPermission,
   projectAdminPermissions,
@@ -72,7 +74,7 @@ export const permissionServiceFactory = ({
     });
   };
 
-  const buildProjectPermission = (projectUserRoles: TBuildProjectPermissionDTO) => {
+  const buildProjectPermissionRules = (projectUserRoles: TBuildProjectPermissionDTO) => {
     const rules = projectUserRoles
       .map(({ role, permissions }) => {
         switch (role) {
@@ -98,9 +100,7 @@ export const permissionServiceFactory = ({
       })
       .reduce((curr, prev) => prev.concat(curr), []);
 
-    return createMongoAbility<ProjectPermissionSet>(rules, {
+    return rules;
-      conditionsMatcher
-    });
   };
 
   /*
@@ -116,7 +116,7 @@ export const permissionServiceFactory = ({
     if (userOrgId && userOrgId !== orgId)
       throw new ForbiddenRequestError({ message: "Invalid user token. Scoped to different organization." });
     const membership = await permissionDAL.getOrgPermission(userId, orgId);
-    if (!membership) throw new ForbiddenRequestError({ name: "User is not a part of the specified organization" });
+    if (!membership) throw new ForbiddenRequestError({ name: "You are not apart of this organization" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
       throw new BadRequestError({ name: "Custom organization permission not found" });
     }
@@ -130,7 +130,7 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSAML(authMethod, membership.orgAuthEnforced);
+    validateOrgSSO(authMethod, membership.orgAuthEnforced);
 
     const finalPolicyRoles = [{ role: membership.role, permissions: membership.permissions }].concat(
       membership?.groups?.map(({ role, customRolePermission }) => ({
@@ -143,7 +143,7 @@ export const permissionServiceFactory = ({
 
   const getIdentityOrgPermission = async (identityId: string, orgId: string) => {
     const membership = await permissionDAL.getOrgIdentityPermission(identityId, orgId);
-    if (!membership) throw new ForbiddenRequestError({ name: "Identity is not a part of the specified organization" });
+    if (!membership) throw new ForbiddenRequestError({ name: "Identity is not apart of this organization" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {
       throw new NotFoundError({ name: "Custom organization permission not found" });
     }
@@ -213,7 +213,7 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "You are not logged into this organization" });
     }
 
-    validateOrgSAML(authMethod, userProjectPermission.orgAuthEnforced);
+    validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
 
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
@@ -223,8 +223,32 @@ export const permissionServiceFactory = ({
         permissions
       })) || [];
 
+    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
+    const metadataKeyValuePair = objectify(
+      userProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
+    );
+    const interpolateRules = templatedRules(
+      {
+        identity: {
+          id: userProjectPermission.userId,
+          username: userProjectPermission.username,
+          metadata: metadataKeyValuePair
+        }
+      },
+      { data: false }
+    );
+    const permission = createMongoAbility<ProjectPermissionSet>(
+      JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+      {
+        conditionsMatcher
+      }
+    );
+
     return {
-      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
+      permission,
       membership: userProjectPermission,
       hasRole: (role: string) =>
         userProjectPermission.roles.findIndex(
@@ -262,8 +286,32 @@ export const permissionServiceFactory = ({
         permissions
       })) || [];
 
+    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
+    const metadataKeyValuePair = objectify(
+      identityProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
+    );
+    const interpolateRules = templatedRules(
+      {
+        identity: {
+          id: identityProjectPermission.identityId,
+          username: identityProjectPermission.username,
+          metadata: metadataKeyValuePair
+        }
+      },
+      { data: false }
+    );
+    const permission = createMongoAbility<ProjectPermissionSet>(
+      JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+      {
+        conditionsMatcher
+      }
+    );
+
     return {
-      permission: buildProjectPermission(rolePermissions.concat(additionalPrivileges)),
+      permission,
       membership: identityProjectPermission,
       hasRole: (role: string) =>
         identityProjectPermission.roles.findIndex(
@@ -346,14 +394,22 @@ export const permissionServiceFactory = ({
     if (isCustomRole) {
       const projectRole = await projectRoleDAL.findOne({ slug: role, projectId });
       if (!projectRole) throw new NotFoundError({ message: `Specified role was not found: ${role}` });
-      return {
+      const rules = buildProjectPermissionRules([
-        permission: buildProjectPermission([
         { role: ProjectMembershipRole.Custom, permissions: projectRole.permissions }
-        ]),
+      ]);
+      return {
+        permission: createMongoAbility<ProjectPermissionSet>(rules, {
+          conditionsMatcher
+        }),
         role: projectRole
       };
     }
-    return { permission: buildProjectPermission([{ role, permissions: [] }]) };
+
+    const rules = buildProjectPermissionRules([{ role, permissions: [] }]);
+    const permission = createMongoAbility<ProjectPermissionSet>(rules, {
+      conditionsMatcher
+    });
+    return { permission };
   };
 
   return {
@@ -364,6 +420,6 @@ export const permissionServiceFactory = ({
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,
-    buildProjectPermission
+    buildProjectPermissionRules
   };
 };

backend/src/ee/services/permission/permission-types.ts

@@ -1,9 +1,47 @@
-export type TBuildProjectPermissionDTO = {
+import picomatch from "picomatch";
-  permissions?: unknown;
+import { z } from "zod";
-  role: string;
-}[];
 
-export type TBuildOrgPermissionDTO = {
+export enum PermissionConditionOperators {
-  permissions?: unknown;
+  $IN = "$in",
-  role: string;
+  $ALL = "$all",
-}[];
+  $REGEX = "$regex",
+  $EQ = "$eq",
+  $NEQ = "$ne",
+  $GLOB = "$glob"
+}
+
+export const PermissionConditionSchema = {
+  [PermissionConditionOperators.$IN]: z.string().min(1).array(),
+  [PermissionConditionOperators.$ALL]: z.string().min(1).array(),
+  [PermissionConditionOperators.$REGEX]: z
+    .string()
+    .min(1)
+    .refine(
+      (el) => {
+        try {
+          // eslint-disable-next-line no-new
+          new RegExp(el);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      { message: "Invalid regex pattern" }
+    ),
+  [PermissionConditionOperators.$EQ]: z.string().min(1),
+  [PermissionConditionOperators.$NEQ]: z.string().min(1),
+  [PermissionConditionOperators.$GLOB]: z
+    .string()
+    .min(1)
+    .refine(
+      (el) => {
+        try {
+          picomatch.parse([el]);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      { message: "Invalid glob pattern" }
+    )
+};

backend/src/ee/services/permission/project-permission.ts

@@ -1,8 +1,12 @@
 import { AbilityBuilder, createMongoAbility, ForcedSubject, MongoAbility } from "@casl/ability";
+import { z } from "zod";
 
+import { TableName } from "@app/db/schemas";
 import { conditionsMatcher } from "@app/lib/casl";
 import { BadRequestError } from "@app/lib/errors";
 
+import { PermissionConditionOperators, PermissionConditionSchema } from "./permission-types";
+
 export enum ProjectPermissionActions {
   Read = "read",
   Create = "create",
@@ -10,6 +14,15 @@ export enum ProjectPermissionActions {
   Delete = "delete"
 }
 
+export enum ProjectPermissionCmekActions {
+  Read = "read",
+  Create = "create",
+  Edit = "edit",
+  Delete = "delete",
+  Encrypt = "encrypt",
+  Decrypt = "decrypt"
+}
+
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -34,10 +47,29 @@ export enum ProjectPermissionSub {
   CertificateTemplates = "certificate-templates",
   PkiAlerts = "pki-alerts",
   PkiCollections = "pki-collections",
-  Kms = "kms"
+  Kms = "kms",
+  Cmek = "cmek"
 }
 
-type SubjectFields = {
+export type SecretSubjectFields = {
+  environment: string;
+  secretPath: string;
+  // secretName: string;
+  // secretTags: string[];
+};
+
+export const CaslSecretsV2SubjectKnexMapper = (field: string) => {
+  switch (field) {
+    case "secretName":
+      return `${TableName.SecretV2}.key`;
+    case "secretTags":
+      return `${TableName.SecretTag}.slug`;
+    default:
+      break;
+  }
+};
+
+export type SecretFolderSubjectFields = {
   environment: string;
   secretPath: string;
 };
@@ -45,11 +77,14 @@ type SubjectFields = {
 export type ProjectPermissionSet =
   | [
       ProjectPermissionActions,
-      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SubjectFields)
+      ProjectPermissionSub.Secrets | (ForcedSubject<ProjectPermissionSub.Secrets> & SecretSubjectFields)
     ]
   | [
       ProjectPermissionActions,
-      ProjectPermissionSub.SecretFolders | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SubjectFields)
+      (
+        | ProjectPermissionSub.SecretFolders
+        | (ForcedSubject<ProjectPermissionSub.SecretFolders> & SecretFolderSubjectFields)
+      )
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
   | [ProjectPermissionActions, ProjectPermissionSub.Tags]
@@ -70,134 +105,254 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
+  | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 
-export const fullProjectPermissionSet: [ProjectPermissionActions, ProjectPermissionSub][] = [
+const CASL_ACTION_SCHEMA_NATIVE_ENUM = <ACTION extends z.EnumLike>(actions: ACTION) =>
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Secrets],
+  z
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Secrets],
+    .union([z.nativeEnum(actions), z.nativeEnum(actions).array().min(1)])
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets],
+    .transform((el) => (typeof el === "string" ? [el] : el));
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets],
 
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval],
+const CASL_ACTION_SCHEMA_ENUM = <ACTION extends z.EnumValues>(actions: ACTION) =>
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretApproval],
+  z.union([z.enum(actions), z.enum(actions).array().min(1)]).transform((el) => (typeof el === "string" ? [el] : el));
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval],
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval],
 
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation],
+const SecretConditionSchema = z
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation],
+  .object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation],
+    environment: z.union([
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation],
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN]
+        })
+        .partial()
+    ]),
+    secretPath: z.union([
+      z.string(),
+      z
+        .object({
+          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
+          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
+          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
+          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+        })
+        .partial()
+    ])
+  })
+  .partial();
 
-  [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback],
+export const ProjectPermissionSchema = z.discriminatedUnion("subject", [
-  [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Secrets).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Member],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Member],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Member],
+    ),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Member],
+    conditions: SecretConditionSchema.describe(
-
+      "When specified, only matching conditions will be allowed to access given resource."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Groups],
+    ).optional()
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Groups],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Groups],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Groups],
+    subject: z.literal(ProjectPermissionSub.SecretApproval).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Role],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Role],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Role],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Role],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.SecretRotation).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Integrations],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Integrations],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations],
+  }),
-
+  z.object({
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks],
+    subject: z.literal(ProjectPermissionSub.SecretRollback).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Webhooks],
+    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read, ProjectPermissionActions.Create]).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks],
+    )
-
+  }),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Identity],
+  z.object({
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Identity],
+    subject: z.literal(ProjectPermissionSub.Member).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Identity],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Identity],
+      "Describe what action an entity can take."
-
+    )
-  [ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens],
+  }),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens],
+  z.object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens],
+    subject: z.literal(ProjectPermissionSub.Groups).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.ServiceTokens],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Settings],
+    )
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Settings],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Settings],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Settings],
+    subject: z.literal(ProjectPermissionSub.Role).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Environments],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Environments],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Environments],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Environments],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Integrations).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Tags],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Tags],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Tags],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Tags],
+  }),
-
+  z.object({
-  // TODO(Daniel): Remove the audit logs permissions from project-level permissions.
+    subject: z.literal(ProjectPermissionSub.Webhooks).describe("The entity this permission pertains to."),
-  // TODO: We haven't done this yet because it might break existing roles, since those roles will become "invalid" since the audit log permission defined on those roles, no longer exist in the project-level defined permissions.
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Create, ProjectPermissionSub.AuditLogs],
+    )
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.AuditLogs],
+  }),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.AuditLogs],
+  z.object({
-
+    subject: z.literal(ProjectPermissionSub.Identity).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.IpAllowList],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.IpAllowList],
+  }),
-
+  z.object({
-  // double check if all CRUD are needed for CA and Certificates
+    subject: z.literal(ProjectPermissionSub.ServiceTokens).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Create, ProjectPermissionSub.CertificateAuthorities],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.CertificateAuthorities],
+    )
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.CertificateAuthorities],
+  }),
-
+  z.object({
-  [ProjectPermissionActions.Read, ProjectPermissionSub.Certificates],
+    subject: z.literal(ProjectPermissionSub.Settings).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.Certificates],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Certificates],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates],
+    )
-
+  }),
-  [ProjectPermissionActions.Read, ProjectPermissionSub.CertificateTemplates],
+  z.object({
-  [ProjectPermissionActions.Create, ProjectPermissionSub.CertificateTemplates],
+    subject: z.literal(ProjectPermissionSub.Environments).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.CertificateTemplates],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.CertificateTemplates],
+      "Describe what action an entity can take."
-
+    )
-  [ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts],
+  }),
-  [ProjectPermissionActions.Create, ProjectPermissionSub.PkiAlerts],
+  z.object({
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.PkiAlerts],
+    subject: z.literal(ProjectPermissionSub.Tags).describe("The entity this permission pertains to."),
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.PkiAlerts],
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections],
+    )
-  [ProjectPermissionActions.Create, ProjectPermissionSub.PkiCollections],
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.PkiCollections],
+  z.object({
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.PkiCollections],
+    subject: z.literal(ProjectPermissionSub.AuditLogs).describe("The entity this permission pertains to."),
-
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Project],
+      "Describe what action an entity can take."
-  [ProjectPermissionActions.Delete, ProjectPermissionSub.Project],
+    )
-
+  }),
-  [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms]
+  z.object({
-];
+    subject: z.literal(ProjectPermissionSub.IpAllowList).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.CertificateAuthorities).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Certificates).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.CertificateTemplates).describe("The entity this permission pertains to. "),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.PkiAlerts).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.PkiCollections).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Project).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete]).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Kms).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Edit]).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.SecretFolders).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_ENUM([ProjectPermissionActions.Read]).describe(
+      "Describe what action an entity can take."
+    )
+  }),
+  z.object({
+    subject: z.literal(ProjectPermissionSub.Cmek).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCmekActions).describe(
+      "Describe what action an entity can take."
+    )
+  })
+]);
 
 const buildAdminPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
   // Admins get full access to everything
-  fullProjectPermissionSet.forEach((permission) => {
+  [
-    const [action, subject] = permission;
+    ProjectPermissionSub.Secrets,
-    can(action, subject);
+    ProjectPermissionSub.SecretApproval,
+    ProjectPermissionSub.SecretRotation,
+    ProjectPermissionSub.Member,
+    ProjectPermissionSub.Groups,
+    ProjectPermissionSub.Role,
+    ProjectPermissionSub.Integrations,
+    ProjectPermissionSub.Webhooks,
+    ProjectPermissionSub.Identity,
+    ProjectPermissionSub.ServiceTokens,
+    ProjectPermissionSub.Settings,
+    ProjectPermissionSub.Environments,
+    ProjectPermissionSub.Tags,
+    ProjectPermissionSub.AuditLogs,
+    ProjectPermissionSub.IpAllowList,
+    ProjectPermissionSub.CertificateAuthorities,
+    ProjectPermissionSub.Certificates,
+    ProjectPermissionSub.CertificateTemplates,
+    ProjectPermissionSub.PkiAlerts,
+    ProjectPermissionSub.PkiCollections
+  ].forEach((el) => {
+    can(
+      [
+        ProjectPermissionActions.Read,
+        ProjectPermissionActions.Edit,
+        ProjectPermissionActions.Create,
+        ProjectPermissionActions.Delete
+      ],
+      el as ProjectPermissionSub
+    );
   });
 
+  can([ProjectPermissionActions.Edit, ProjectPermissionActions.Delete], ProjectPermissionSub.Project);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
+  can([ProjectPermissionActions.Edit], ProjectPermissionSub.Kms);
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt
+    ],
+    ProjectPermissionSub.Cmek
+  );
   return rules;
 };
 
@@ -206,73 +361,128 @@ export const projectAdminPermissions = buildAdminPermissionRules();
 const buildMemberPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Secrets);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Secrets);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Secrets
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretRotation);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.Member);
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Groups);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Integrations
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Webhooks);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Webhooks);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Webhooks);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Webhooks
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Identity);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Identity);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Identity);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Identity
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.ServiceTokens);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.ServiceTokens);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.ServiceTokens);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.ServiceTokens
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Settings);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Settings);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Settings);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Settings
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Environments);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Environments);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Environments);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Environments
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Tags);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Tags);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Tags);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Tags
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);
 
   // double check if all CRUD are needed for CA and Certificates
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateAuthorities);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
+  can(
-  can(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
+    [
-  can(ProjectPermissionActions.Edit, ProjectPermissionSub.Certificates);
+      ProjectPermissionActions.Read,
-  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
+    ],
+    ProjectPermissionSub.Certificates
+  );
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateTemplates);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.CertificateTemplates);
 
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.PkiAlerts);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiAlerts);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.PkiCollections);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.PkiCollections);
+
+  can(
+    [
+      ProjectPermissionCmekActions.Create,
+      ProjectPermissionCmekActions.Edit,
+      ProjectPermissionCmekActions.Delete,
+      ProjectPermissionCmekActions.Read,
+      ProjectPermissionCmekActions.Encrypt,
+      ProjectPermissionCmekActions.Decrypt
+    ],
+    ProjectPermissionSub.Cmek
+  );
 
   return rules;
 };
@@ -300,6 +510,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
+  can(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
 
   return rules;
 };
@@ -382,32 +593,19 @@ export const isAtLeastAsPrivilegedWorkspace = (
 
   return set1.size >= set2.size;
 };
+/* eslint-enable */
 
-/*
+export const SecretV2SubjectFieldMapper = (arg: string) => {
- * Case: The user requests to create a role with permissions that are not valid and not supposed to be used ever.
+  switch (arg) {
- * If we don't check for this, we can run into issues where functions like the `isAtLeastAsPrivileged` will not work as expected, because we compare the size of each permission set.
+    case "environment":
- * If the permission set contains invalid permissions, the size will be different, and result in incorrect results.
+      return null;
- */
+    case "secretPath":
-export const validateProjectPermissions = (permissions: unknown) => {
+      return null;
-  const parsedPermissions =
+    case "secretName":
-    typeof permissions === "string" ? (JSON.parse(permissions) as string[]) : (permissions as string[]);
+      return `${TableName.SecretV2}.key`;
-
+    case "secretTags":
-  const flattenedPermissions = [...parsedPermissions];
+      return `${TableName.SecretTag}.slug`;
-
+    default:
-  for (const perm of flattenedPermissions) {
+      throw new BadRequestError({ message: `Invalid dynamic knex operator field: ${arg}` });
-    const [action, subject] = perm;
-
-    if (
-      !fullProjectPermissionSet.find(
-        (currentPermission) => currentPermission[0] === action && currentPermission[1] === subject
-      )
-    ) {
-      throw new BadRequestError({
-        message: `Permission action ${action} on subject ${subject} is not valid`,
-        name: "Create Role"
-      });
-    }
   }
 };
-
-/* eslint-enable */

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -23,6 +23,7 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { TIdentityMetadataDALFactory } from "@app/services/identity/identity-metadata-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
@@ -51,6 +52,8 @@ type TSamlConfigServiceFactoryDep = {
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
   >;
+
+  identityMetadataDAL: Pick<TIdentityMetadataDALFactory, "delete" | "insertMany" | "transaction">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
@@ -71,7 +74,8 @@ export const samlConfigServiceFactory = ({
   permissionService,
   licenseService,
   tokenService,
-  smtpService
+  smtpService,
+  identityMetadataDAL
 }: TSamlConfigServiceFactoryDep) => {
   const createSamlCfg = async ({
     cert,
@@ -332,7 +336,8 @@ export const samlConfigServiceFactory = ({
     lastName,
     authProvider,
     orgId,
-    relayState
+    relayState,
+    metadata
   }: TSamlLoginDTO) => {
     const appCfg = getConfig();
     const serverCfg = await getServerCfg();
@@ -386,6 +391,21 @@ export const samlConfigServiceFactory = ({
           );
         }
 
+        if (metadata && foundUser.id) {
+          await identityMetadataDAL.delete({ userId: foundUser.id, orgId }, tx);
+          if (metadata.length) {
+            await identityMetadataDAL.insertMany(
+              metadata.map(({ key, value }) => ({
+                userId: foundUser.id,
+                orgId,
+                key,
+                value
+              })),
+              tx
+            );
+          }
+        }
+
         return foundUser;
       });
     } else {
@@ -474,6 +494,20 @@ export const samlConfigServiceFactory = ({
           );
         }
 
+        if (metadata && newUser.id) {
+          await identityMetadataDAL.delete({ userId: newUser.id, orgId }, tx);
+          if (metadata.length) {
+            await identityMetadataDAL.insertMany(
+              metadata.map(({ key, value }) => ({
+                userId: newUser?.id,
+                orgId,
+                key,
+                value
+              })),
+              tx
+            );
+          }
+        }
         return newUser;
       });
     }

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -53,4 +53,5 @@ export type TSamlLoginDTO = {
   orgId: string;
   // saml thingy
   relayState?: string;
+  metadata?: { key: string; value: string }[];
 };

backend/src/keystore/keystore.ts

@@ -16,6 +16,9 @@ export const KeyStorePrefixes = {
   WaitUntilReadyKmsOrgKeyCreation: "wait-until-ready-kms-org-key-creation-",
   WaitUntilReadyKmsOrgDataKeyCreation: "wait-until-ready-kms-org-data-key-creation-",
 
+  WaitUntilReadyProjectEnvironmentOperation: (projectId: string) =>
+    `wait-until-ready-project-environments-operation-${projectId}`,
+  ProjectEnvironmentLock: (projectId: string) => `project-environment-lock-${projectId}` as const,
   SyncSecretIntegrationLock: (projectId: string, environmentSlug: string, secretPath: string) =>
     `sync-integration-mutex-${projectId}-${environmentSlug}-${secretPath}` as const,
   SyncSecretIntegrationLastRunTimestamp: (projectId: string, environmentSlug: string, secretPath: string) =>

backend/src/lib/api-docs/constants.ts

@@ -360,7 +360,11 @@ export const ORGANIZATIONS = {
     organizationId: "The ID of the organization to update the membership for.",
     membershipId: "The ID of the membership to update.",
     role: "The new role of the membership.",
-    isActive: "The active status of the membership"
+    isActive: "The active status of the membership",
+    metadata: {
+      key: "The key for user metadata tag.",
+      value: "The value for user metadata tag."
+    }
   },
   DELETE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to delete the membership from.",
@@ -529,7 +533,8 @@ export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
     name: "The name of the environment to create.",
-    slug: "The slug of the environment to create."
+    slug: "The slug of the environment to create.",
+    position: "The position of the environment. The lowest number will be displayed as the first environment."
   },
   UPDATE: {
     workspaceId: "The ID of the project to update the environment in.",
@@ -671,6 +676,9 @@ export const SECRET_IMPORTS = {
     environment: "The slug of the environment to list secret imports from.",
     path: "The path to list secret imports from."
   },
+  GET: {
+    secretImportId: "The ID of the secret import to fetch."
+  },
   CREATE: {
     environment: "The slug of the environment to import into.",
     path: "The path to import into.",
@@ -1343,3 +1351,37 @@ export const PROJECT_ROLE = {
     projectSlug: "The slug of the project to list the roles of."
   }
 };
+
+export const KMS = {
+  CREATE_KEY: {
+    projectId: "The ID of the project to create the key in.",
+    name: "The name of the key to be created. Must be slug-friendly.",
+    description: "An optional description of the key.",
+    encryptionAlgorithm: "The algorithm to use when performing cryptographic operations with the key."
+  },
+  UPDATE_KEY: {
+    keyId: "The ID of the key to be updated.",
+    name: "The updated name of this key. Must be slug-friendly.",
+    description: "The updated description of this key.",
+    isDisabled: "The flag to enable or disable this key."
+  },
+  DELETE_KEY: {
+    keyId: "The ID of the key to be deleted."
+  },
+  LIST_KEYS: {
+    projectId: "The ID of the project to list keys from.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th key.",
+    limit: "The number of keys to return.",
+    orderBy: "The column to order keys by.",
+    orderDirection: "The direction to order keys in.",
+    search: "The text string to filter key names by."
+  },
+  ENCRYPT: {
+    keyId: "The ID of the key to encrypt the data with.",
+    plaintext: "The plaintext to be encrypted (base64 encoded)."
+  },
+  DECRYPT: {
+    keyId: "The ID of the key to decrypt the data with.",
+    ciphertext: "The ciphertext to be decrypted (base64 encoded)."
+  }
+};

backend/src/lib/base64/index.ts

@@ -0,0 +1,28 @@
+// Credit: https://github.com/miguelmota/is-base64
+export const isBase64 = (
+  v: string,
+  opts = { allowEmpty: false, mimeRequired: false, allowMime: true, paddingRequired: false }
+) => {
+  if (opts.allowEmpty === false && v === "") {
+    return false;
+  }
+
+  let regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+/]{3}=)?";
+  const mimeRegex = "(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)";
+
+  if (opts.mimeRequired === true) {
+    regex = mimeRegex + regex;
+  } else if (opts.allowMime === true) {
+    regex = `${mimeRegex}?${regex}`;
+  }
+
+  if (opts.paddingRequired === false) {
+    regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}(==)?|[A-Za-z0-9+\\/]{3}=?)?";
+  }
+
+  return new RegExp(`^${regex}$`, "gi").test(v);
+};
+
+export const getBase64SizeInBytes = (base64String: string) => {
+  return Buffer.from(base64String, "base64").length;
+};

backend/src/lib/casl/index.ts

@@ -23,8 +23,19 @@ export const conditionsMatcher = buildMongoQueryMatcher({ $glob }, { glob });
 /**
  * Extracts and formats permissions from a CASL Ability object or a raw permission set.
  */
-const extractPermissions = (ability: MongoAbility) =>
+const extractPermissions = (ability: MongoAbility) => {
-  ability.rules.map((permission) => `${permission.action as string}_${permission.subject as string}`);
+  const permissions: string[] = [];
+  ability.rules.forEach((permission) => {
+    if (typeof permission.action === "string") {
+      permissions.push(`${permission.action}_${permission.subject as string}`);
+    } else {
+      permission.action.forEach((permissionAction) => {
+        permissions.push(`${permissionAction}_${permission.subject as string}`);
+      });
+    }
+  });
+  return permissions;
+};
 
 /**
  * Compares two sets of permissions to determine if the first set is at least as privileged as the second set.

backend/src/lib/casl/knex.ts

@@ -0,0 +1,111 @@
+import { AnyAbility, ExtractSubjectType } from "@casl/ability";
+import { AbilityQuery, rulesToQuery } from "@casl/ability/extra";
+import { Tables } from "knex/types/tables";
+
+import { BadRequestError, UnauthorizedError } from "../errors";
+import { TKnexDynamicOperator } from "../knex/dynamic";
+
+type TBuildKnexQueryFromCaslDTO<K extends AnyAbility> = {
+  ability: K;
+  subject: ExtractSubjectType<Parameters<K["rulesFor"]>[1]>;
+  action: Parameters<K["rulesFor"]>[0];
+};
+
+export const buildKnexQueryFromCaslOperators = <K extends AnyAbility>({
+  ability,
+  subject,
+  action
+}: TBuildKnexQueryFromCaslDTO<K>) => {
+  const query = rulesToQuery(ability, action, subject, (rule) => {
+    if (!rule.ast) throw new Error("Ast not defined");
+    return rule.ast;
+  });
+
+  if (query === null) throw new UnauthorizedError({ message: `You don't have permission to do ${action} ${subject}` });
+  return query;
+};
+
+type TFieldMapper<T extends keyof Tables> = {
+  [K in T]: `${K}.${Exclude<keyof Tables[K]["base"], symbol>}`;
+}[T];
+
+type TFormatCaslFieldsWithTableNames<T extends keyof Tables> = {
+  // handle if any missing operator else throw error let the app break because this is executing again the db
+  missingOperatorCallback?: (operator: string) => void;
+  fieldMapping: (arg: string) => TFieldMapper<T> | null;
+  dynamicQuery: TKnexDynamicOperator;
+};
+
+export const formatCaslOperatorFieldsWithTableNames = <T extends keyof Tables>({
+  missingOperatorCallback = (arg) => {
+    throw new BadRequestError({ message: `Unknown permission operator: ${arg}` });
+  },
+  dynamicQuery: dynamicQueryAst,
+  fieldMapping
+}: TFormatCaslFieldsWithTableNames<T>) => {
+  const stack: [TKnexDynamicOperator, TKnexDynamicOperator | null][] = [[dynamicQueryAst, null]];
+
+  while (stack.length) {
+    const [filterAst, parentAst] = stack.pop()!;
+
+    if (filterAst.operator === "and" || filterAst.operator === "or" || filterAst.operator === "not") {
+      filterAst.value.forEach((el) => {
+        stack.push([el, filterAst]);
+      });
+
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    if (
+      filterAst.operator === "eq" ||
+      filterAst.operator === "ne" ||
+      filterAst.operator === "in" ||
+      filterAst.operator === "endsWith" ||
+      filterAst.operator === "startsWith"
+    ) {
+      const attrPath = fieldMapping(filterAst.field);
+      if (attrPath) {
+        filterAst.field = attrPath;
+      } else if (parentAst && Array.isArray(parentAst.value)) {
+        parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
+      } else throw new Error("Unknown casl field");
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    if (parentAst && Array.isArray(parentAst.value)) {
+      parentAst.value = parentAst.value.filter((childAst) => childAst !== filterAst) as string[];
+    } else {
+      missingOperatorCallback?.(filterAst.operator);
+    }
+  }
+  return dynamicQueryAst;
+};
+
+export const convertCaslOperatorToKnexOperator = <T extends keyof Tables>(
+  caslKnexOperators: AbilityQuery,
+  fieldMapping: (arg: string) => TFieldMapper<T> | null
+) => {
+  const value = [];
+  if (caslKnexOperators.$and) {
+    value.push({
+      operator: "not" as const,
+      value: caslKnexOperators.$and as TKnexDynamicOperator[]
+    });
+  }
+  if (caslKnexOperators.$or) {
+    value.push({
+      operator: "or" as const,
+      value: caslKnexOperators.$or as TKnexDynamicOperator[]
+    });
+  }
+
+  return formatCaslOperatorFieldsWithTableNames({
+    dynamicQuery: {
+      operator: "and",
+      value
+    },
+    fieldMapping
+  });
+};

backend/src/lib/fn/array.ts

@@ -52,3 +52,21 @@ export const unique = <T, K extends string | number | symbol>(array: readonly T[
   );
   return Object.values(valueMap);
 };
+
+/**
+ * Convert an array to a dictionary by mapping each item
+ * into a dictionary key & value
+ */
+export const objectify = <T, Key extends string | number | symbol, Value = T>(
+  array: readonly T[],
+  getKey: (item: T) => Key,
+  getValue: (item: T) => Value = (item) => item as unknown as Value
+): Record<Key, Value> => {
+  return array.reduce(
+    (acc, item) => {
+      acc[getKey(item)] = getValue(item);
+      return acc;
+    },
+    {} as Record<Key, Value>
+  );
+};

backend/src/lib/knex/dynamic.ts

@@ -0,0 +1,89 @@
+import { Knex } from "knex";
+
+import { UnauthorizedError } from "../errors";
+
+type TKnexDynamicPrimitiveOperator = {
+  operator: "eq" | "ne" | "startsWith" | "endsWith";
+  value: string;
+  field: string;
+};
+
+type TKnexDynamicInOperator = {
+  operator: "in";
+  value: string[] | number[];
+  field: string;
+};
+
+type TKnexNonGroupOperator = TKnexDynamicInOperator | TKnexDynamicPrimitiveOperator;
+
+type TKnexGroupOperator = {
+  operator: "and" | "or" | "not";
+  value: (TKnexNonGroupOperator | TKnexGroupOperator)[];
+};
+
+// akhilmhdh: This is still in pending state and not yet ready. If you want to use it ping me.
+// used when you need to write a complex query with the orm
+// use it when you need complex or and and condition - most of the time not needed
+// majorly used with casl permission to filter data based on permission
+export type TKnexDynamicOperator = TKnexGroupOperator | TKnexNonGroupOperator;
+
+export const buildDynamicKnexQuery = (dynamicQuery: TKnexDynamicOperator, rootQueryBuild: Knex.QueryBuilder) => {
+  const stack = [{ filterAst: dynamicQuery, queryBuilder: rootQueryBuild }];
+
+  while (stack.length) {
+    const { filterAst, queryBuilder } = stack.pop()!;
+    switch (filterAst.operator) {
+      case "eq": {
+        void queryBuilder.where(filterAst.field, "=", filterAst.value);
+        break;
+      }
+      case "ne": {
+        void queryBuilder.whereNot(filterAst.field, filterAst.value);
+        break;
+      }
+      case "startsWith": {
+        void queryBuilder.whereILike(filterAst.field, `${filterAst.value}%`);
+        break;
+      }
+      case "endsWith": {
+        void queryBuilder.whereILike(filterAst.field, `%${filterAst.value}`);
+        break;
+      }
+      case "and": {
+        void queryBuilder.andWhere((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
+          });
+        });
+        break;
+      }
+      case "or": {
+        void queryBuilder.orWhere((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
+          });
+        });
+        break;
+      }
+      case "not": {
+        void queryBuilder.whereNot((subQueryBuilder) => {
+          filterAst.value.forEach((el) => {
+            stack.push({
+              queryBuilder: subQueryBuilder,
+              filterAst: el
+            });
+          });
+        });
+        break;
+      }
+      default:
+        throw new UnauthorizedError({ message: `Invalid knex dynamic operator: ${filterAst.operator}` });
+    }
+  }
+};

backend/src/server/plugins/error-handler.ts

@@ -19,28 +19,47 @@ enum JWTErrors {
   InvalidAlgorithm = "invalid algorithm"
 }
 
+enum HttpStatusCodes {
+  BadRequest = 400,
+  NotFound = 404,
+  Unauthorized = 401,
+  Forbidden = 403,
+  // eslint-disable-next-line @typescript-eslint/no-shadow
+  InternalServerError = 500
+}
+
 export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider) => {
   server.setErrorHandler((error, req, res) => {
     req.log.error(error);
     if (error instanceof BadRequestError) {
-      void res.status(400).send({ statusCode: 400, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.BadRequest)
+        .send({ statusCode: HttpStatusCodes.BadRequest, message: error.message, error: error.name });
     } else if (error instanceof NotFoundError) {
-      void res.status(404).send({ statusCode: 404, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.NotFound)
+        .send({ statusCode: HttpStatusCodes.NotFound, message: error.message, error: error.name });
     } else if (error instanceof UnauthorizedError) {
-      void res.status(401).send({ statusCode: 401, message: error.message, error: error.name });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, message: error.message, error: error.name });
     } else if (error instanceof DatabaseError || error instanceof InternalServerError) {
-      void res.status(500).send({ statusCode: 500, message: "Something went wrong", error: error.name });
+      void res
+        .status(HttpStatusCodes.InternalServerError)
+        .send({ statusCode: HttpStatusCodes.InternalServerError, message: "Something went wrong", error: error.name });
     } else if (error instanceof ZodError) {
-      void res.status(401).send({ statusCode: 401, error: "ValidationFailure", message: error.issues });
+      void res
+        .status(HttpStatusCodes.Unauthorized)
+        .send({ statusCode: HttpStatusCodes.Unauthorized, error: "ValidationFailure", message: error.issues });
     } else if (error instanceof ForbiddenError) {
-      void res.status(403).send({
+      void res.status(HttpStatusCodes.Forbidden).send({
-        statusCode: 403,
+        statusCode: HttpStatusCodes.Forbidden,
         error: "PermissionDenied",
         message: `You are not allowed to ${error.action} on ${error.subjectType}`
       });
     } else if (error instanceof ForbiddenRequestError) {
-      void res.status(403).send({
+      void res.status(HttpStatusCodes.Forbidden).send({
-        statusCode: 403,
+        statusCode: HttpStatusCodes.Forbidden,
         message: error.message,
         error: error.name
       });
@@ -66,8 +85,8 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         return error.message;
       })();
 
-      void res.status(403).send({
+      void res.status(HttpStatusCodes.Forbidden).send({
-        statusCode: 403,
+        statusCode: HttpStatusCodes.Forbidden,
         error: "TokenError",
         message
       });

backend/src/server/routes/index.ts

@@ -1,5 +1,5 @@
 import { CronJob } from "cron";
-import { Redis } from "ioredis";
+// import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -74,7 +74,6 @@ import { trustedIpDALFactory } from "@app/ee/services/trusted-ip/trusted-ip-dal"
 import { trustedIpServiceFactory } from "@app/ee/services/trusted-ip/trusted-ip-service";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
 import { TQueueServiceFactory } from "@app/queue";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { accessTokenQueueServiceFactory } from "@app/services/access-token-queue/access-token-queue";
@@ -97,10 +96,13 @@ import { certificateAuthorityServiceFactory } from "@app/services/certificate-au
 import { certificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { certificateTemplateEstConfigDALFactory } from "@app/services/certificate-template/certificate-template-est-config-dal";
 import { certificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
+import { cmekServiceFactory } from "@app/services/cmek/cmek-service";
+import { externalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { groupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { groupProjectMembershipRoleDALFactory } from "@app/services/group-project/group-project-membership-role-dal";
 import { groupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { identityDALFactory } from "@app/services/identity/identity-dal";
+import { identityMetadataDALFactory } from "@app/services/identity/identity-metadata-dal";
 import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
@@ -265,6 +267,7 @@ export const registerRoutes = async (
   const serviceTokenDAL = serviceTokenDALFactory(db);
 
   const identityDAL = identityDALFactory(db);
+  const identityMetadataDAL = identityMetadataDALFactory(db);
   const identityAccessTokenDAL = identityAccessTokenDALFactory(db);
   const identityOrgMembershipDAL = identityOrgDALFactory(db);
   const identityProjectDAL = identityProjectDALFactory(db);
@@ -386,6 +389,7 @@ export const registerRoutes = async (
   const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });
 
   const samlService = samlConfigServiceFactory({
+    identityMetadataDAL,
     permissionService,
     orgBotDAL,
     orgDAL,
@@ -489,6 +493,7 @@ export const registerRoutes = async (
   });
   const orgService = orgServiceFactory({
     userAliasDAL,
+    identityMetadataDAL,
     licenseService,
     samlConfigDAL,
     orgRoleDAL,
@@ -507,7 +512,8 @@ export const registerRoutes = async (
     smtpService,
     userDAL,
     groupDAL,
-    orgBotDAL
+    orgBotDAL,
+    oidcConfigDAL
   });
   const signupService = authSignupServiceFactory({
     tokenService,
@@ -743,6 +749,7 @@ export const registerRoutes = async (
   const projectEnvService = projectEnvServiceFactory({
     permissionService,
     projectEnvDAL,
+    keyStore,
     licenseService,
     projectDAL,
     folderDAL
@@ -918,7 +925,8 @@ export const registerRoutes = async (
   const secretSharingService = secretSharingServiceFactory({
     permissionService,
     secretSharingDAL,
-    orgDAL
+    orgDAL,
+    kmsService
   });
 
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
@@ -1027,7 +1035,8 @@ export const registerRoutes = async (
     identityDAL,
     identityOrgMembershipDAL,
     identityProjectDAL,
-    licenseService
+    licenseService,
+    identityMetadataDAL
   });
 
   const identityAccessTokenService = identityAccessTokenServiceFactory({
@@ -1186,6 +1195,20 @@ export const registerRoutes = async (
     workflowIntegrationDAL
   });
 
+  const cmekService = cmekServiceFactory({
+    kmsDAL,
+    kmsService,
+    permissionService
+  });
+
+  const migrationService = externalMigrationServiceFactory({
+    projectService,
+    orgService,
+    projectEnvService,
+    permissionService,
+    secretService
+  });
+
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
@@ -1267,9 +1290,11 @@ export const registerRoutes = async (
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
+    cmek: cmekService,
     orgAdmin: orgAdminService,
     slack: slackService,
-    workflowIntegration: workflowIntegrationService
+    workflowIntegration: workflowIntegrationService,
+    migration: migrationService
   });
 
   const cronJobs: CronJob[] = [];
@@ -1308,33 +1333,33 @@ export const registerRoutes = async (
         })
       }
     },
-    handler: async (request, reply) => {
+    handler: async () => {
       const cfg = getConfig();
       const serverCfg = await getServerCfg();
 
-      try {
+      // try {
-        await db.raw("SELECT NOW()");
+      //   await db.raw("SELECT NOW()");
-      } catch (err) {
+      // } catch (err) {
-        logger.error("Health check: database connection failed", err);
+      //   logger.error("Health check: database connection failed", err);
-        return reply.code(503).send({
+      //   return reply.code(503).send({
-          date: new Date(),
+      //     date: new Date(),
-          message: "Service unavailable"
+      //     message: "Service unavailable"
-        });
+      //   });
-      }
+      // }
 
-      if (cfg.isRedisConfigured) {
+      // if (cfg.isRedisConfigured) {
-        const redis = new Redis(cfg.REDIS_URL);
+      //   const redis = new Redis(cfg.REDIS_URL);
-        try {
+      //   try {
-          await redis.ping();
+      //     await redis.ping();
-          redis.disconnect();
+      //     redis.disconnect();
-        } catch (err) {
+      //   } catch (err) {
-          logger.error("Health check: redis connection failed", err);
+      //     logger.error("Health check: redis connection failed", err);
-          return reply.code(503).send({
+      //     return reply.code(503).send({
-            date: new Date(),
+      //       date: new Date(),
-            message: "Service unavailable"
+      //       message: "Service unavailable"
-          });
+      //     });
-        }
+      //   }
-      }
+      // }
 
       return {
         date: new Date(),

backend/src/server/routes/sanitizedSchemas.ts

@@ -40,12 +40,12 @@ export const DefaultResponseErrorsSchema = {
   }),
   401: z.object({
     statusCode: z.literal(401),
-    message: z.string(),
+    message: z.any(),
     error: z.string()
   }),
   403: z.object({
     statusCode: z.literal(403),
-    message: z.any(),
+    message: z.string(),
     error: z.string()
   }),
   500: z.object({

backend/src/server/routes/v1/cmek-router.ts

@@ -0,0 +1,331 @@
+import slugify from "@sindresorhus/slugify";
+import { z } from "zod";
+
+import { InternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KMS } from "@app/lib/api-docs";
+import { getBase64SizeInBytes, isBase64 } from "@app/lib/base64";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CmekOrderBy } from "@app/services/cmek/cmek-types";
+
+const keyNameSchema = z
+  .string()
+  .trim()
+  .min(1)
+  .max(32)
+  .toLowerCase()
+  .refine((v) => slugify(v) === v, {
+    message: "Name must be slug friendly"
+  });
+const keyDescriptionSchema = z.string().trim().max(500).optional();
+
+const base64Schema = z.string().superRefine((val, ctx) => {
+  if (!isBase64(val)) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "plaintext must be base64 encoded"
+    });
+  }
+
+  if (getBase64SizeInBytes(val) > 4096) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "data cannot exceed 4096 bytes"
+    });
+  }
+});
+
+export const registerCmekRouter = async (server: FastifyZodProvider) => {
+  // create encryption key
+  server.route({
+    method: "POST",
+    url: "/keys",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Create KMS key",
+      body: z.object({
+        projectId: z.string().describe(KMS.CREATE_KEY.projectId),
+        name: keyNameSchema.describe(KMS.CREATE_KEY.name),
+        description: keyDescriptionSchema.describe(KMS.CREATE_KEY.description),
+        encryptionAlgorithm: z
+          .nativeEnum(SymmetricEncryption)
+          .optional()
+          .default(SymmetricEncryption.AES_GCM_256)
+          .describe(KMS.CREATE_KEY.encryptionAlgorithm) // eventually will support others
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        body: { projectId, name, description, encryptionAlgorithm },
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.createCmek(
+        { orgId: permission.orgId, projectId, name, description, encryptionAlgorithm },
+        permission
+      );
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.CREATE_CMEK,
+          metadata: {
+            keyId: cmek.id,
+            name,
+            description,
+            encryptionAlgorithm
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // update KMS key
+  server.route({
+    method: "PATCH",
+    url: "/keys/:keyId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Update KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.UPDATE_KEY.keyId)
+      }),
+      body: z.object({
+        name: keyNameSchema.optional().describe(KMS.UPDATE_KEY.name),
+        isDisabled: z.boolean().optional().describe(KMS.UPDATE_KEY.isDisabled),
+        description: keyDescriptionSchema.describe(KMS.UPDATE_KEY.description)
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body,
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.updateCmekById({ keyId, ...body }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.UPDATE_CMEK,
+          metadata: {
+            keyId,
+            ...body
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // delete KMS key
+  server.route({
+    method: "DELETE",
+    url: "/keys/:keyId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Delete KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.DELETE_KEY.keyId)
+      }),
+      response: {
+        200: z.object({
+          key: KmsKeysSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        permission
+      } = req;
+
+      const cmek = await server.services.cmek.deleteCmekById(keyId, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.DELETE_CMEK,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { key: cmek };
+    }
+  });
+
+  // list KMS keys
+  server.route({
+    method: "GET",
+    url: "/keys",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List KMS keys",
+      querystring: z.object({
+        projectId: z.string().describe(KMS.LIST_KEYS.projectId),
+        offset: z.coerce.number().min(0).optional().default(0).describe(KMS.LIST_KEYS.offset),
+        limit: z.coerce.number().min(1).max(100).optional().default(100).describe(KMS.LIST_KEYS.limit),
+        orderBy: z.nativeEnum(CmekOrderBy).optional().default(CmekOrderBy.Name).describe(KMS.LIST_KEYS.orderBy),
+        orderDirection: z
+          .nativeEnum(OrderByDirection)
+          .optional()
+          .default(OrderByDirection.ASC)
+          .describe(KMS.LIST_KEYS.orderDirection),
+        search: z.string().trim().optional().describe(KMS.LIST_KEYS.search)
+      }),
+      response: {
+        200: z.object({
+          keys: KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        query: { projectId, ...dto },
+        permission
+      } = req;
+
+      const { cmeks, totalCount } = await server.services.cmek.listCmeksByProjectId({ projectId, ...dto }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId,
+        event: {
+          type: EventType.GET_CMEKS,
+          metadata: {
+            keyIds: cmeks.map((key) => key.id)
+          }
+        }
+      });
+
+      return { keys: cmeks, totalCount };
+    }
+  });
+
+  // encrypt data
+  server.route({
+    method: "POST",
+    url: "/keys/:keyId/encrypt",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Encrypt data with KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.ENCRYPT.keyId)
+      }),
+      body: z.object({
+        plaintext: base64Schema.describe(KMS.ENCRYPT.plaintext)
+      }),
+      response: {
+        200: z.object({
+          ciphertext: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body: { plaintext },
+        permission
+      } = req;
+
+      const ciphertext = await server.services.cmek.cmekEncrypt({ keyId, plaintext }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.CMEK_ENCRYPT,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { ciphertext };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/keys/:keyId/decrypt",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Decrypt data with KMS key",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.ENCRYPT.keyId)
+      }),
+      body: z.object({
+        ciphertext: base64Schema.describe(KMS.ENCRYPT.plaintext)
+      }),
+      response: {
+        200: z.object({
+          plaintext: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        body: { ciphertext },
+        permission
+      } = req;
+
+      const plaintext = await server.services.cmek.cmekDecrypt({ keyId, ciphertext }, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: permission.orgId,
+        event: {
+          type: EventType.CMEK_DECRYPT,
+          metadata: {
+            keyId
+          }
+        }
+      });
+
+      return { plaintext };
+    }
+  });
+};

backend/src/server/routes/v1/dashboard-router.ts

@@ -17,6 +17,20 @@ import { AuthMode } from "@app/services/auth/auth-type";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
+// handle querystring boolean values
+const booleanSchema = z
+  .union([z.boolean(), z.string().trim()])
+  .transform((value) => {
+    if (typeof value === "string") {
+      // ie if not empty, 0 or false, return true
+      return Boolean(value) && Number(value) !== 0 && value.toLowerCase() !== "false";
+    }
+
+    return value;
+  })
+  .optional()
+  .default(true);
+
 export const registerDashboardRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "GET",
@@ -57,21 +71,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           .describe(DASHBOARD.SECRET_OVERVIEW_LIST.orderDirection)
           .optional(),
         search: z.string().trim().describe(DASHBOARD.SECRET_OVERVIEW_LIST.search).optional(),
-        includeSecrets: z.coerce
+        includeSecrets: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeSecrets),
-          .boolean()
+        includeFolders: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeFolders),
-          .optional()
+        includeDynamicSecrets: booleanSchema.describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeDynamicSecrets)
-          .default(true)
-          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeSecrets),
-        includeFolders: z.coerce
-          .boolean()
-          .optional()
-          .default(true)
-          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeFolders),
-        includeDynamicSecrets: z.coerce
-          .boolean()
-          .optional()
-          .default(true)
-          .describe(DASHBOARD.SECRET_OVERVIEW_LIST.includeDynamicSecrets)
       }),
       response: {
         200: z.object({
@@ -198,7 +200,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           )
         );
 
-      if (includeDynamicSecrets) {
+      if (includeDynamicSecrets && permissiveEnvs.length) {
         // this is the unique count, ie duplicate secrets across envs only count as 1
         totalDynamicSecretCount = await server.services.dynamicSecret.getCountMultiEnv({
           actor: req.permission.type,
@@ -239,7 +241,7 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (includeSecrets) {
+      if (includeSecrets && permissiveEnvs.length) {
         // this is the unique count, ie duplicate secrets across envs only count as 1
         totalSecretCount = await server.services.secret.getSecretsCountMultiEnv({
           actorId: req.permission.id,
@@ -354,26 +356,10 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           .optional(),
         search: z.string().trim().describe(DASHBOARD.SECRET_DETAILS_LIST.search).optional(),
         tags: z.string().trim().transform(decodeURIComponent).describe(DASHBOARD.SECRET_DETAILS_LIST.tags).optional(),
-        includeSecrets: z.coerce
+        includeSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
-          .boolean()
+        includeFolders: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
-          .optional()
+        includeDynamicSecrets: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
-          .default(true)
+        includeImports: booleanSchema.describe(DASHBOARD.SECRET_DETAILS_LIST.includeImports)
-          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeSecrets),
-        includeFolders: z.coerce
-          .boolean()
-          .optional()
-          .default(true)
-          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeFolders),
-        includeDynamicSecrets: z.coerce
-          .boolean()
-          .optional()
-          .default(true)
-          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeDynamicSecrets),
-        includeImports: z.coerce
-          .boolean()
-          .optional()
-          .default(true)
-          .describe(DASHBOARD.SECRET_DETAILS_LIST.includeImports)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -22,7 +22,7 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
     schema: {
       description: "Login with AWS Auth",
       body: z.object({
-        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(AWS_AUTH.LOGIN.identityId),
         iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
         iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
         iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -21,7 +21,7 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
     schema: {
       description: "Login with Azure Auth",
       body: z.object({
-        identityId: z.string().describe(AZURE_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId),
         jwt: z.string()
       }),
       response: {

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -19,7 +19,7 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
     schema: {
       description: "Login with GCP Auth",
       body: z.object({
-        identityId: z.string().describe(GCP_AUTH.LOGIN.identityId),
+        identityId: z.string().trim().describe(GCP_AUTH.LOGIN.identityId).trim(),
         jwt: z.string()
       }),
       response: {

backend/src/server/routes/v1/identity-router.ts

@@ -29,7 +29,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         name: z.string().trim().describe(IDENTITIES.CREATE.name),
         organizationId: z.string().trim().describe(IDENTITIES.CREATE.organizationId),
-        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role)
+        role: z.string().trim().min(1).default(OrgMembershipRole.NoAccess).describe(IDENTITIES.CREATE.role),
+        metadata: z
+          .object({ key: z.string().trim().min(1), value: z.string().trim().min(1) })
+          .array()
+          .optional()
       }),
       response: {
         200: z.object({
@@ -93,7 +97,11 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         name: z.string().trim().optional().describe(IDENTITIES.UPDATE.name),
-        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role)
+        role: z.string().trim().min(1).optional().describe(IDENTITIES.UPDATE.role),
+        metadata: z
+          .object({ key: z.string().trim().min(1), value: z.string().trim().min(1) })
+          .array()
+          .optional()
       }),
       response: {
         200: z.object({
@@ -193,6 +201,14 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           identity: IdentityOrgMembershipsSchema.extend({
+            metadata: z
+              .object({
+                key: z.string().trim().min(1),
+                id: z.string().trim().min(1),
+                value: z.string().trim().min(1)
+              })
+              .array()
+              .optional(),
             customRole: OrgRolesSchema.pick({
               id: true,
               name: true,

backend/src/server/routes/v1/index.ts

@@ -1,3 +1,6 @@
+import { registerCmekRouter } from "@app/server/routes/v1/cmek-router";
+import { registerDashboardRouter } from "@app/server/routes/v1/dashboard-router";
+
 import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
@@ -101,4 +104,6 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
   await server.register(registerIdentityRouter, { prefix: "/identities" });
   await server.register(registerSecretSharingRouter, { prefix: "/secret-sharing" });
   await server.register(registerUserEngagementRouter, { prefix: "/user-engagement" });
+  await server.register(registerDashboardRouter, { prefix: "/dashboard" });
+  await server.register(registerCmekRouter, { prefix: "/kms" });
 };

backend/src/server/routes/v1/integration-router.ts

@@ -131,9 +131,9 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .default("/")
           .transform(removeTrailingSlash)
           .describe(INTEGRATION.UPDATE.secretPath),
-        targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
+        targetEnvironment: z.string().trim().optional().describe(INTEGRATION.UPDATE.targetEnvironment),
-        owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
+        owner: z.string().trim().optional().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
+        environment: z.string().trim().optional().describe(INTEGRATION.UPDATE.environment),
         metadata: IntegrationMetadataSchema.optional()
       }),
       response: {

backend/src/server/routes/v1/organization-router.ts

@@ -28,7 +28,9 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          organizations: OrganizationsSchema.array()
+          organizations: OrganizationsSchema.extend({
+            orgAuthMethod: z.string()
+          }).array()
         })
       }
     },

backend/src/server/routes/v1/project-env-router.ts

@@ -4,7 +4,7 @@ import { z } from "zod";
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ENVIRONMENTS } from "@app/lib/api-docs";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -23,6 +23,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
+        // NOTE(daniel): workspaceId isn't used, but we need to keep it for backwards compatibility. The endpoint defined below, uses no project ID, and is takes a pure environment ID.
         workspaceId: z.string().trim().describe(ENVIRONMENTS.GET.workspaceId),
         envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
       }),
@@ -39,7 +40,53 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
-        projectId: req.params.workspaceId,
+        id: req.params.envId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: environment.projectId,
+        event: {
+          type: EventType.GET_ENVIRONMENT,
+          metadata: {
+            id: environment.id
+          }
+        }
+      });
+
+      return { environment };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/environments/:envId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get Environment by ID",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
+      }),
+      response: {
+        200: z.object({
+          environment: ProjectEnvironmentsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const environment = await server.services.projectEnv.getEnvironmentById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
         id: req.params.envId
       });
 
@@ -76,6 +123,7 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
+        position: z.number().min(1).optional().describe(ENVIRONMENTS.CREATE.position),
         slug: z
           .string()
           .trim()

backend/src/server/routes/v1/secret-folder-router.ts

@@ -365,7 +365,15 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       }),
       response: {
         200: z.object({
-          folder: SecretFoldersSchema
+          folder: SecretFoldersSchema.extend({
+            environment: z.object({
+              envId: z.string(),
+              envName: z.string(),
+              envSlug: z.string()
+            }),
+            path: z.string(),
+            projectId: z.string()
+          })
         })
       }
     },

backend/src/server/routes/v1/secret-import-router.ts

@@ -312,6 +312,64 @@ export const registerSecretImportRouter = async (server: FastifyZodProvider) =>
     }
   });
 
+  server.route({
+    url: "/:secretImportId",
+    method: "GET",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get single secret import",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        secretImportId: z.string().trim().describe(SECRET_IMPORTS.GET.secretImportId)
+      }),
+      response: {
+        200: z.object({
+          secretImport: SecretImportsSchema.omit({ importEnv: true }).extend({
+            environment: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            }),
+            projectId: z.string(),
+            importEnv: z.object({ name: z.string(), slug: z.string(), id: z.string() }),
+            secretPath: z.string()
+          })
+        })
+      }
+    },
+
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const secretImport = await server.services.secretImport.getImportById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.secretImportId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: secretImport.projectId,
+        event: {
+          type: EventType.GET_SECRET_IMPORT,
+          metadata: {
+            secretImportId: secretImport.id,
+            folderId: secretImport.folderId
+          }
+        }
+      });
+
+      return { secretImport };
+    }
+  });
+
   server.route({
     url: "/secrets",
     method: "GET",

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -55,10 +55,10 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     },
     schema: {
       params: z.object({
-        id: z.string().uuid()
+        id: z.string()
       }),
       body: z.object({
-        hashedHex: z.string().min(1),
+        hashedHex: z.string().min(1).optional(),
         password: z.string().optional()
       }),
       response: {
@@ -73,7 +73,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
             accessType: true
           })
             .extend({
-              orgName: z.string().optional()
+              orgName: z.string().optional(),
+              secretValue: z.string().optional()
             })
             .optional()
         })
@@ -99,17 +100,14 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     },
     schema: {
       body: z.object({
-        encryptedValue: z.string(),
+        secretValue: z.string().max(10_000),
         password: z.string().optional(),
-        hashedHex: z.string(),
-        iv: z.string(),
-        tag: z.string(),
         expiresAt: z.string(),
         expiresAfterViews: z.number().min(1).optional()
       }),
       response: {
         200: z.object({
-          id: z.string().uuid()
+          id: z.string()
         })
       }
     },
@@ -132,17 +130,14 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         name: z.string().max(50).optional(),
         password: z.string().optional(),
-        encryptedValue: z.string(),
+        secretValue: z.string(),
-        hashedHex: z.string(),
-        iv: z.string(),
-        tag: z.string(),
         expiresAt: z.string(),
         expiresAfterViews: z.number().min(1).optional(),
         accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
       }),
       response: {
         200: z.object({
-          id: z.string().uuid()
+          id: z.string()
         })
       }
     },
@@ -168,7 +163,7 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
     },
     schema: {
       params: z.object({
-        sharedSecretId: z.string().uuid()
+        sharedSecretId: z.string()
       }),
       response: {
         200: SecretSharingSchema

backend/src/server/routes/v2/organization-router.ts

@@ -130,8 +130,15 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          membership: OrgMembershipsSchema.merge(
+          membership: OrgMembershipsSchema.extend({
-            z.object({
+            metadata: z
+              .object({
+                key: z.string().trim().min(1),
+                id: z.string().trim().min(1),
+                value: z.string().trim().min(1)
+              })
+              .array()
+              .optional(),
             user: UsersSchema.pick({
               username: true,
               email: true,
@@ -139,9 +146,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
               firstName: true,
               lastName: true,
               id: true
-              }).merge(z.object({ publicKey: z.string().nullable() }))
+            }).extend({ publicKey: z.string().nullable() })
-            })
+          }).omit({ createdAt: true, updatedAt: true })
-          ).omit({ createdAt: true, updatedAt: true })
         })
       }
     },
@@ -178,7 +184,14 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         role: z.string().trim().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role),
-        isActive: z.boolean().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.isActive)
+        isActive: z.boolean().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.isActive),
+        metadata: z
+          .object({
+            key: z.string().trim().min(1).describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.metadata.key),
+            value: z.string().trim().min(1).describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.metadata.value)
+          })
+          .array()
+          .optional()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/external-migration-router.ts

@@ -0,0 +1,35 @@
+import { z } from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+export const registerExternalMigrationRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/env-key",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      body: z.object({
+        decryptionKey: z.string().trim().min(1),
+        encryptedJson: z.object({
+          nonce: z.string().trim().min(1),
+          data: z.string().trim().min(1)
+        })
+      })
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      await server.services.migration.importEnvKeyData({
+        decryptionKey: req.body.decryptionKey,
+        encryptedJson: req.body.encryptedJson,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+    }
+  });
+};

backend/src/server/routes/v3/index.ts

@@ -1,4 +1,4 @@
-import { registerDashboardRouter } from "./dashboard-router";
+import { registerExternalMigrationRouter } from "./external-migration-router";
 import { registerLoginRouter } from "./login-router";
 import { registerSecretBlindIndexRouter } from "./secret-blind-index-router";
 import { registerSecretRouter } from "./secret-router";
@@ -11,5 +11,5 @@ export const registerV3Routes = async (server: FastifyZodProvider) => {
   await server.register(registerUserRouter, { prefix: "/users" });
   await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretBlindIndexRouter, { prefix: "/workspaces" });
-  await server.register(registerDashboardRouter, { prefix: "/dashboard" });
+  await server.register(registerExternalMigrationRouter, { prefix: "/migrate" });
 };

backend/src/services/cmek/cmek-service.ts

@@ -0,0 +1,169 @@
+import { ForbiddenError } from "@casl/ability";
+import { FastifyRequest } from "fastify";
+
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import {
+  TCmekDecryptDTO,
+  TCmekEncryptDTO,
+  TCreateCmekDTO,
+  TListCmeksByProjectIdDTO,
+  TUpdabteCmekByIdDTO
+} from "@app/services/cmek/cmek-types";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+type TCmekServiceFactoryDep = {
+  kmsService: TKmsServiceFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  permissionService: TPermissionServiceFactory;
+};
+
+export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
+
+export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TCmekServiceFactoryDep) => {
+  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: FastifyRequest["permission"]) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
+
+    const cmek = await kmsService.generateKmsKey({
+      ...dto,
+      projectId,
+      isReserved: false
+    });
+
+    return cmek;
+  };
+
+  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
+
+    const cmek = await kmsDAL.updateById(keyId, data);
+
+    return cmek;
+  };
+
+  const deleteCmekById = async (keyId: string, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
+
+    const cmek = kmsDAL.deleteById(keyId);
+
+    return cmek;
+  };
+
+  const listCmeksByProjectId = async (
+    { projectId, ...filters }: TListCmeksByProjectIdDTO,
+    actor: FastifyRequest["permission"]
+  ) => {
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+
+    const { keys: cmeks, totalCount } = await kmsDAL.findKmsKeysByProjectId({ projectId, ...filters });
+
+    return { cmeks, totalCount };
+  };
+
+  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
+
+    const encrypt = await kmsService.encryptWithKmsKey({ kmsId: keyId });
+
+    const { cipherTextBlob } = await encrypt({ plainText: Buffer.from(plaintext, "base64") });
+
+    return cipherTextBlob.toString("base64");
+  };
+
+  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: FastifyRequest["permission"]) => {
+    const key = await kmsDAL.findById(keyId);
+
+    if (!key) throw new NotFoundError({ message: "Key not found" });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
+
+    const decrypt = await kmsService.decryptWithKmsKey({ kmsId: keyId });
+
+    const plaintextBlob = await decrypt({ cipherTextBlob: Buffer.from(ciphertext, "base64") });
+
+    return plaintextBlob.toString("base64");
+  };
+
+  return {
+    createCmek,
+    updateCmekById,
+    deleteCmekById,
+    listCmeksByProjectId,
+    cmekEncrypt,
+    cmekDecrypt
+  };
+};

backend/src/services/cmek/cmek-types.ts

@@ -0,0 +1,40 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { OrderByDirection } from "@app/lib/types";
+
+export type TCreateCmekDTO = {
+  orgId: string;
+  projectId: string;
+  name: string;
+  description?: string;
+  encryptionAlgorithm: SymmetricEncryption;
+};
+
+export type TUpdabteCmekByIdDTO = {
+  keyId: string;
+  name?: string;
+  isDisabled?: boolean;
+  description?: string;
+};
+
+export type TListCmeksByProjectIdDTO = {
+  projectId: string;
+  offset?: number;
+  limit?: number;
+  orderBy?: CmekOrderBy;
+  orderDirection?: OrderByDirection;
+  search?: string;
+};
+
+export type TCmekEncryptDTO = {
+  keyId: string;
+  plaintext: string;
+};
+
+export type TCmekDecryptDTO = {
+  keyId: string;
+  ciphertext: string;
+};
+
+export enum CmekOrderBy {
+  Name = "name"
+}

backend/src/services/external-migration/external-migration-fns.ts

@@ -0,0 +1,197 @@
+import slugify from "@sindresorhus/slugify";
+import { randomUUID } from "crypto";
+import sjcl from "sjcl";
+import tweetnacl from "tweetnacl";
+import tweetnaclUtil from "tweetnacl-util";
+
+import { OrgMembershipRole, ProjectMembershipRole, SecretType } from "@app/db/schemas";
+import { BadRequestError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TOrgServiceFactory } from "../org/org-service";
+import { TProjectServiceFactory } from "../project/project-service";
+import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TSecretServiceFactory } from "../secret/secret-service";
+import { InfisicalImportData, TEnvKeyExportJSON, TImportInfisicalDataCreate } from "./external-migration-types";
+
+export type TImportDataIntoInfisicalDTO = {
+  projectService: TProjectServiceFactory;
+  orgService: TOrgServiceFactory;
+  projectEnvService: TProjectEnvServiceFactory;
+  secretService: TSecretServiceFactory;
+
+  input: TImportInfisicalDataCreate;
+};
+
+const { codec, hash } = sjcl;
+const { secretbox } = tweetnacl;
+
+export const decryptEnvKeyDataFn = async (decryptionKey: string, encryptedJson: { nonce: string; data: string }) => {
+  const key = tweetnaclUtil.decodeBase64(codec.base64.fromBits(hash.sha256.hash(decryptionKey)));
+  const nonce = tweetnaclUtil.decodeBase64(encryptedJson.nonce);
+  const encryptedData = tweetnaclUtil.decodeBase64(encryptedJson.data);
+
+  const decrypted = secretbox.open(encryptedData, nonce, key);
+
+  if (!decrypted) {
+    throw new BadRequestError({ message: "Decryption failed, please check the entered encryption key" });
+  }
+
+  const decryptedJson = tweetnaclUtil.encodeUTF8(decrypted);
+  return decryptedJson;
+};
+
+export const parseEnvKeyDataFn = async (decryptedJson: string): Promise<InfisicalImportData> => {
+  const parsedJson: TEnvKeyExportJSON = JSON.parse(decryptedJson) as TEnvKeyExportJSON;
+
+  const infisicalImportData: InfisicalImportData = {
+    projects: new Map<string, { name: string; id: string }>(),
+    environments: new Map<string, { name: string; id: string; projectId: string }>(),
+    secrets: new Map<string, { name: string; id: string; projectId: string; environmentId: string; value: string }>()
+  };
+
+  parsedJson.apps.forEach((app: { name: string; id: string }) => {
+    infisicalImportData.projects.set(app.id, { name: app.name, id: app.id });
+  });
+
+  // string to string map for env templates
+  const envTemplates = new Map<string, string>();
+  for (const env of parsedJson.defaultEnvironmentRoles) {
+    envTemplates.set(env.id, env.defaultName);
+  }
+
+  // environments
+  for (const env of parsedJson.baseEnvironments) {
+    infisicalImportData.environments?.set(env.id, {
+      id: env.id,
+      name: envTemplates.get(env.environmentRoleId)!,
+      projectId: env.envParentId
+    });
+  }
+
+  // secrets
+  for (const env of Object.keys(parsedJson.envs)) {
+    if (!env.includes("|")) {
+      const envData = parsedJson.envs[env];
+      for (const secret of Object.keys(envData.variables)) {
+        const id = randomUUID();
+        infisicalImportData.secrets?.set(id, {
+          id,
+          name: secret,
+          environmentId: env,
+          value: envData.variables[secret].val
+        });
+      }
+    }
+  }
+
+  return infisicalImportData;
+};
+
+export const importDataIntoInfisicalFn = async ({
+  projectService,
+  orgService,
+  projectEnvService,
+  secretService,
+  input: { data, actor, actorId, actorOrgId, actorAuthMethod }
+}: TImportDataIntoInfisicalDTO) => {
+  // Import data to infisical
+  if (!data || !data.projects) {
+    throw new BadRequestError({ message: "No projects found in data" });
+  }
+
+  const originalToNewProjectId = new Map<string, string>();
+  const originalToNewEnvironmentId = new Map<string, string>();
+
+  for await (const [id, project] of data.projects) {
+    const newProject = await projectService
+      .createProject({
+        actor,
+        actorId,
+        actorOrgId,
+        actorAuthMethod,
+        workspaceName: project.name,
+        createDefaultEnvs: false
+      })
+      .catch(() => {
+        throw new BadRequestError({ message: `Failed to import to project [name:${project.name}] [id:${id}]` });
+      });
+
+    originalToNewProjectId.set(project.id, newProject.id);
+  }
+
+  // Invite user importing projects
+  const invites = await orgService.inviteUserToOrganization({
+    actorAuthMethod,
+    actorId,
+    actorOrgId,
+    actor,
+    inviteeEmails: [],
+    orgId: actorOrgId,
+    organizationRoleSlug: OrgMembershipRole.NoAccess,
+    projects: Array.from(originalToNewProjectId.values()).map((project) => ({
+      id: project,
+      projectRoleSlug: [ProjectMembershipRole.Member]
+    }))
+  });
+  if (!invites) {
+    throw new BadRequestError({ message: `Failed to invite user to projects: [userId:${actorId}]` });
+  }
+
+  // Import environments
+  if (data.environments) {
+    for await (const [id, environment] of data.environments) {
+      try {
+        const newEnvironment = await projectEnvService.createEnvironment({
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          name: environment.name,
+          projectId: originalToNewProjectId.get(environment.projectId)!,
+          slug: slugify(`${environment.name}-${alphaNumericNanoId(4)}`)
+        });
+
+        if (!newEnvironment) {
+          logger.error(`Failed to import environment: [name:${environment.name}] [id:${id}]`);
+          throw new BadRequestError({
+            message: `Failed to import environment: [name:${environment.name}] [id:${id}]`
+          });
+        }
+        originalToNewEnvironmentId.set(id, newEnvironment.slug);
+      } catch (error) {
+        throw new BadRequestError({
+          message: `Failed to import environment: ${environment.name}]`,
+          name: "EnvKeyMigrationImportEnvironment"
+        });
+      }
+    }
+  }
+
+  // Import secrets
+  if (data.secrets) {
+    for await (const [id, secret] of data.secrets) {
+      const dataProjectId = data.environments?.get(secret.environmentId)?.projectId;
+      if (!dataProjectId) {
+        throw new BadRequestError({ message: `Failed to import secret "${secret.name}", project not found` });
+      }
+      const projectId = originalToNewProjectId.get(dataProjectId);
+      const newSecret = await secretService.createSecretRaw({
+        actorId,
+        actor,
+        actorOrgId,
+        environment: originalToNewEnvironmentId.get(secret.environmentId)!,
+        actorAuthMethod,
+        projectId: projectId!,
+        secretPath: "/",
+        secretName: secret.name,
+        type: SecretType.Shared,
+        secretValue: secret.value
+      });
+      if (!newSecret) {
+        throw new BadRequestError({ message: `Failed to import secret: [name:${secret.name}] [id:${id}]` });
+      }
+    }
+  }
+};

backend/src/services/external-migration/external-migration-service.ts

@@ -0,0 +1,64 @@
+import { OrgMembershipRole } from "@app/db/schemas";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { ForbiddenRequestError } from "@app/lib/errors";
+
+import { TOrgServiceFactory } from "../org/org-service";
+import { TProjectServiceFactory } from "../project/project-service";
+import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
+import { TSecretServiceFactory } from "../secret/secret-service";
+import { decryptEnvKeyDataFn, importDataIntoInfisicalFn, parseEnvKeyDataFn } from "./external-migration-fns";
+import { TImportEnvKeyDataCreate } from "./external-migration-types";
+
+type TExternalMigrationServiceFactoryDep = {
+  projectService: TProjectServiceFactory;
+  orgService: TOrgServiceFactory;
+  projectEnvService: TProjectEnvServiceFactory;
+  secretService: TSecretServiceFactory;
+  permissionService: TPermissionServiceFactory;
+};
+
+export type TExternalMigrationServiceFactory = ReturnType<typeof externalMigrationServiceFactory>;
+
+export const externalMigrationServiceFactory = ({
+  projectService,
+  orgService,
+  projectEnvService,
+  permissionService,
+  secretService
+}: TExternalMigrationServiceFactoryDep) => {
+  const importEnvKeyData = async ({
+    decryptionKey,
+    encryptedJson,
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TImportEnvKeyDataCreate) => {
+    const { membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (membership.role !== OrgMembershipRole.Admin) {
+      throw new ForbiddenRequestError({ message: "Only admins can import data" });
+    }
+
+    const json = await decryptEnvKeyDataFn(decryptionKey, encryptedJson);
+    const envKeyData = await parseEnvKeyDataFn(json);
+    const response = await importDataIntoInfisicalFn({
+      input: { data: envKeyData, actor, actorId, actorOrgId, actorAuthMethod },
+      projectService,
+      orgService,
+      projectEnvService,
+      secretService
+    });
+    return response;
+  };
+
+  return {
+    importEnvKeyData
+  };
+};

backend/src/services/external-migration/external-migration-types.ts

@@ -0,0 +1,106 @@
+import { ActorAuthMethod, ActorType } from "../auth/auth-type";
+
+export type InfisicalImportData = {
+  projects: Map<string, { name: string; id: string }>;
+
+  environments?: Map<
+    string,
+    {
+      name: string;
+      id: string;
+      projectId: string;
+    }
+  >;
+
+  secrets?: Map<
+    string,
+    {
+      name: string;
+      id: string;
+      environmentId: string;
+      value: string;
+    }
+  >;
+};
+
+export type TImportEnvKeyDataCreate = {
+  decryptionKey: string;
+  encryptedJson: { nonce: string; data: string };
+  actor: ActorType;
+  actorId: string;
+  actorOrgId: string;
+  actorAuthMethod: ActorAuthMethod;
+};
+
+export type TImportInfisicalDataCreate = {
+  data: InfisicalImportData;
+  actor: ActorType;
+  actorId: string;
+  actorOrgId: string;
+  actorAuthMethod: ActorAuthMethod;
+};
+
+export type TEnvKeyExportJSON = {
+  schemaVersion: string;
+  org: {
+    id: string;
+    name: string;
+    settings: {
+      auth: {
+        inviteExpirationMs: number;
+        deviceGrantExpirationMs: number;
+        tokenExpirationMs: number;
+      };
+      crypto: {
+        requiresPassphrase: boolean;
+        requiresLockout: boolean;
+      };
+      envs: {
+        autoCaps: boolean;
+        autoCommitLocals: boolean;
+      };
+    };
+  };
+  apps: {
+    id: string;
+    name: string;
+    settings: Record<string, unknown>;
+  }[];
+  defaultOrgRoles: {
+    id: string;
+    defaultName: string;
+  }[];
+  defaultAppRoles: {
+    id: string;
+    defaultName: string;
+  }[];
+  defaultEnvironmentRoles: {
+    id: string;
+    defaultName: string;
+    settings: {
+      autoCommit: boolean;
+    };
+  }[];
+  baseEnvironments: {
+    id: string;
+    envParentId: string;
+    environmentRoleId: string;
+    settings: Record<string, unknown>;
+  }[];
+  orgUsers: {
+    id: string;
+    firstName: string;
+    lastName: string;
+    email: string;
+    provider: string;
+    orgRoleId: string;
+    uid: string;
+  }[];
+  envs: Record<
+    string,
+    {
+      variables: Record<string, { val: string }>;
+      inherits: Record<string, unknown>;
+    }
+  >;
+};

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -2,7 +2,7 @@ import jwt, { JwtPayload } from "jsonwebtoken";
 
 import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { checkIPAgainstBlocklist, TIp } from "@app/lib/ip";
 
 import { TAccessTokenQueueServiceFactory } from "../access-token-queue/access-token-queue";
@@ -39,7 +39,7 @@ export const identityAccessTokenServiceFactory = ({
 
     if (accessTokenNumUsesLimit > 0 && accessTokenNumUses > 0 && accessTokenNumUses >= accessTokenNumUsesLimit) {
       await identityAccessTokenDAL.deleteById(tokenId);
-      throw new ForbiddenRequestError({
+      throw new UnauthorizedError({
         message: "Unable to renew because access token number of uses limit reached"
       });
     }
@@ -55,7 +55,7 @@ export const identityAccessTokenServiceFactory = ({
 
         if (currentDate > expirationDate) {
           await identityAccessTokenDAL.deleteById(tokenId);
-          throw new ForbiddenRequestError({
+          throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
         }
@@ -67,7 +67,7 @@ export const identityAccessTokenServiceFactory = ({
 
         if (currentDate > expirationDate) {
           await identityAccessTokenDAL.deleteById(tokenId);
-          throw new ForbiddenRequestError({
+          throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
         }
@@ -82,7 +82,7 @@ export const identityAccessTokenServiceFactory = ({
       identityAccessTokenId: string;
     };
     if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) {
-      throw new ForbiddenRequestError({ message: "Only identity access tokens can be renewed" });
+      throw new BadRequestError({ message: "Only identity access tokens can be renewed" });
     }
 
     const identityAccessToken = await identityAccessTokenDAL.findOne({
@@ -109,7 +109,7 @@ export const identityAccessTokenServiceFactory = ({
 
       if (currentDate > expirationDate) {
         await identityAccessTokenDAL.deleteById(identityAccessToken.id);
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Failed to renew MI access token due to Max TTL expiration"
         });
       }
@@ -117,7 +117,7 @@ export const identityAccessTokenServiceFactory = ({
       const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL * 1000));
       if (extendToDate > expirationDate) {
         await identityAccessTokenDAL.deleteById(identityAccessToken.id);
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Failed to renew MI access token past its Max TTL expiration"
         });
       }
@@ -137,7 +137,7 @@ export const identityAccessTokenServiceFactory = ({
       identityAccessTokenId: string;
     };
     if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) {
-      throw new ForbiddenRequestError({ message: "Only identity access tokens can be revoked" });
+      throw new UnauthorizedError({ message: "Only identity access tokens can be revoked" });
     }
 
     const identityAccessToken = await identityAccessTokenDAL.findOne({
@@ -160,7 +160,7 @@ export const identityAccessTokenServiceFactory = ({
     });
     if (!identityAccessToken) throw new UnauthorizedError({ message: "No identity access token found" });
     if (identityAccessToken.isAccessTokenRevoked)
-      throw new ForbiddenRequestError({
+      throw new UnauthorizedError({
         message: "Failed to authorize revoked access token, access token is revoked"
       });
 

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -9,7 +9,7 @@ import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/pe
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -81,7 +81,7 @@ export const identityAwsAuthServiceFactory = ({
         .some((accountId) => accountId === Account);
 
       if (!isAccountAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: AWS account ID not allowed."
         });
     }
@@ -100,7 +100,7 @@ export const identityAwsAuthServiceFactory = ({
         });
 
       if (!isArnAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: AWS principal ARN not allowed."
         });
     }

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -73,7 +73,7 @@ export const identityAzureAuthServiceFactory = ({
         .map((servicePrincipalId) => servicePrincipalId.trim())
         .some((servicePrincipalId) => servicePrincipalId === azureIdentity.oid);
 
-      if (!isServicePrincipalAllowed) throw new ForbiddenRequestError({ message: "Service principal not allowed" });
+      if (!isServicePrincipalAllowed) throw new UnauthorizedError({ message: "Service principal not allowed" });
     }
 
     const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
@@ -314,8 +314,7 @@ export const identityAzureAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
-    if (!hasPriviledge)
       throw new ForbiddenRequestError({
         message: "Failed to revoke azure auth of identity with more privileged role"
       });

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -86,7 +86,7 @@ export const identityGcpAuthServiceFactory = ({
         .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
 
       if (!isServiceAccountAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: GCP service account not allowed."
         });
     }
@@ -100,7 +100,7 @@ export const identityGcpAuthServiceFactory = ({
         .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
 
       if (!isProjectAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: GCP project not allowed."
         });
     }
@@ -112,7 +112,7 @@ export const identityGcpAuthServiceFactory = ({
         .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
 
       if (!isZoneAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: GCP zone not allowed."
         });
     }
@@ -359,8 +359,7 @@ export const identityGcpAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
-    if (!hasPriviledge)
       throw new ForbiddenRequestError({
         message: "Failed to revoke gcp auth of identity with more privileged role"
       });

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -1,5 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
-import axios from "axios";
+import axios, { AxiosError } from "axios";
 import https from "https";
 import jwt from "jsonwebtoken";
 
@@ -107,7 +107,8 @@ export const identityKubernetesAuthServiceFactory = ({
       });
     }
 
-    const { data }: { data: TCreateTokenReviewResponse } = await axios.post(
+    const { data } = await axios
+      .post<TCreateTokenReviewResponse>(
         `${identityKubernetesAuth.kubernetesHost}/apis/authentication.k8s.io/v1/tokenreviews`,
         {
           apiVersion: "authentication.k8s.io/v1",
@@ -121,18 +122,39 @@ export const identityKubernetesAuthServiceFactory = ({
             "Content-Type": "application/json",
             Authorization: `Bearer ${tokenReviewerJwt}`
           },
+
+          // if ca cert, rejectUnauthorized: true
           httpsAgent: new https.Agent({
             ca: caCert,
             rejectUnauthorized: !!caCert
           })
         }
-    );
+      )
+      .catch((err) => {
+        if (err instanceof AxiosError) {
+          if (err.response) {
+            const { message } = err?.response?.data as unknown as { message?: string };
 
-    if ("error" in data.status) throw new UnauthorizedError({ message: data.status.error });
+            if (message) {
+              throw new UnauthorizedError({
+                message,
+                name: "KubernetesTokenReviewRequestError"
+              });
+            }
+          }
+        }
+        throw err;
+      });
+
+    if ("error" in data.status)
+      throw new UnauthorizedError({ message: data.status.error, name: "KubernetesTokenReviewError" });
 
     // check the response to determine if the token is valid
     if (!(data.status && data.status.authenticated))
-      throw new ForbiddenRequestError({ message: "Kubernetes token not authenticated" });
+      throw new UnauthorizedError({
+        message: "Kubernetes token not authenticated",
+        name: "KubernetesTokenReviewError"
+      });
 
     const { namespace: targetNamespace, name: targetName } = extractK8sUsername(data.status.user.username);
 
@@ -145,7 +167,7 @@ export const identityKubernetesAuthServiceFactory = ({
         .some((namespace) => namespace === targetNamespace);
 
       if (!isNamespaceAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: K8s namespace not allowed."
         });
     }
@@ -159,7 +181,7 @@ export const identityKubernetesAuthServiceFactory = ({
         .some((name) => name === targetName);
 
       if (!isNameAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: K8s name not allowed."
         });
     }
@@ -171,7 +193,7 @@ export const identityKubernetesAuthServiceFactory = ({
       );
 
       if (!isAudienceAllowed)
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: K8s audience not allowed."
         });
     }

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -148,7 +148,7 @@ export const identityOidcAuthServiceFactory = ({
           .split(", ")
           .some((policyValue) => doesFieldValueMatchOidcPolicy(tokenData.aud, policyValue))
       ) {
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied: OIDC audience not allowed."
         });
       }
@@ -161,7 +161,7 @@ export const identityOidcAuthServiceFactory = ({
         if (
           !claimValue.split(", ").some((claimEntry) => doesFieldValueMatchOidcPolicy(tokenData[claimKey], claimEntry))
         ) {
-          throw new ForbiddenRequestError({
+          throw new UnauthorizedError({
             message: "Access denied: OIDC claim not allowed."
           });
         }
@@ -532,8 +532,7 @@ export const identityOidcAuthServiceFactory = ({
       actorOrgId
     );
 
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!isAtLeastAsPrivileged(permission, rolePermission)) {
-    if (!hasPriviledge) {
       throw new ForbiddenRequestError({
         message: "Failed to revoke OIDC auth of identity with more privileged role"
       });

backend/src/services/identity-ua/identity-ua-service.ts

@@ -88,7 +88,7 @@ export const identityUaServiceFactory = ({
           isClientSecretRevoked: true
         });
 
-        throw new ForbiddenRequestError({
+        throw new UnauthorizedError({
           message: "Access denied due to expired client secret"
         });
       }
@@ -100,7 +100,7 @@ export const identityUaServiceFactory = ({
       await identityUaClientSecretDAL.updateById(validClientSecretInfo.id, {
         isClientSecretRevoked: true
       });
-      throw new ForbiddenRequestError({
+      throw new UnauthorizedError({
         message: "Access denied due to client secret usage limit reached"
       });
     }
@@ -368,8 +368,7 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
-    if (!hasPriviledge)
       throw new ForbiddenRequestError({
         message: "Failed to revoke universal auth of identity with more privileged role"
       });
@@ -474,8 +473,8 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+
-    if (!hasPriviledge)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
       throw new ForbiddenRequestError({
         message: "Failed to add identity to project with more privileged role"
       });
@@ -521,8 +520,7 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
-    if (!hasPriviledge)
       throw new ForbiddenRequestError({
         message: "Failed to read identity client secret of project with more privileged role"
       });
@@ -561,8 +559,8 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+
-    if (!hasPriviledge)
+    if (!isAtLeastAsPrivileged(permission, rolePermission))
       throw new ForbiddenRequestError({
         message: "Failed to revoke identity client secret with more privileged role"
       });

backend/src/services/identity/identity-metadata-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityMetadataDALFactory = ReturnType<typeof identityMetadataDALFactory>;
+
+export const identityMetadataDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.IdentityMetadata);
+  return orm;
+};

backend/src/services/identity/identity-org-dal.ts

@@ -1,11 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TIdentityOrgMemberships } from "@app/db/schemas";
+import { TableName, TIdentityOrgMemberships, TOrgRoles } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
-import { TListOrgIdentitiesByOrgIdDTO } from "@app/services/identity/identity-types";
+import { OrgIdentityOrderBy, TListOrgIdentitiesByOrgIdDTO } from "@app/services/identity/identity-types";
 
 export type TIdentityOrgDALFactory = ReturnType<typeof identityOrgDALFactory>;
 
@@ -33,7 +33,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     {
       limit,
       offset = 0,
-      orderBy,
+      orderBy = OrgIdentityOrderBy.Name,
       orderDirection = OrderByDirection.ASC,
       search,
       ...filter
@@ -42,11 +42,50 @@ export const identityOrgDALFactory = (db: TDbClient) => {
     tx?: Knex
   ) => {
     try {
-      const query = (tx || db.replicaNode())(TableName.IdentityOrgMembership)
+      const paginatedIdentity = (tx || db.replicaNode())(TableName.Identity)
+        .join(
+          TableName.IdentityOrgMembership,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.Identity}.id`
+        )
+        .orderBy(`${TableName.Identity}.${orderBy}`, orderDirection)
+        .select(
+          selectAllTableCols(TableName.IdentityOrgMembership),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("authMethod").withSchema(TableName.Identity).as("identityAuthMethod")
+        )
         .where(filter)
-        .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
+        .as("paginatedIdentity");
-        .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
+
-        .select(selectAllTableCols(TableName.IdentityOrgMembership))
+      if (search?.length) {
+        void paginatedIdentity.whereILike(`${TableName.Identity}.name`, `%${search}%`);
+      }
+
+      if (limit) {
+        void paginatedIdentity.offset(offset).limit(limit);
+      }
+
+      // akhilmhdh: refer this for pagination with multiple left queries
+      type TSubquery = Awaited<typeof paginatedIdentity>;
+      const query = (tx || db.replicaNode())
+        .from<TSubquery[number], TSubquery>(paginatedIdentity)
+        .leftJoin<TOrgRoles>(TableName.OrgRoles, `paginatedIdentity.roleId`, `${TableName.OrgRoles}.id`)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`paginatedIdentity.identityId`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`paginatedIdentity.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .select(
+          db.ref("id").withSchema("paginatedIdentity"),
+          db.ref("role").withSchema("paginatedIdentity"),
+          db.ref("roleId").withSchema("paginatedIdentity"),
+          db.ref("orgId").withSchema("paginatedIdentity"),
+          db.ref("createdAt").withSchema("paginatedIdentity"),
+          db.ref("updatedAt").withSchema("paginatedIdentity"),
+          db.ref("identityId").withSchema("paginatedIdentity"),
+          db.ref("identityName").withSchema("paginatedIdentity"),
+          db.ref("identityAuthMethod").withSchema("paginatedIdentity")
+        )
         // cr stands for custom role
         .select(db.ref("id").as("crId").withSchema(TableName.OrgRoles))
         .select(db.ref("name").as("crName").withSchema(TableName.OrgRoles))
@@ -54,35 +93,20 @@ export const identityOrgDALFactory = (db: TDbClient) => {
         .select(db.ref("description").as("crDescription").withSchema(TableName.OrgRoles))
         .select(db.ref("permissions").as("crPermission").withSchema(TableName.OrgRoles))
         .select(db.ref("permissions").as("crPermission").withSchema(TableName.OrgRoles))
-        .select(db.ref("id").as("identityId").withSchema(TableName.Identity))
+        .select(
-        .select(db.ref("name").as("identityName").withSchema(TableName.Identity))
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-        .select(db.ref("authMethod").as("identityAuthMethod").withSchema(TableName.Identity));
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
-      if (limit) {
+        );
-        void query.offset(offset).limit(limit);
+      if (orderBy === OrgIdentityOrderBy.Name) {
-      }
+        void query.orderBy("identityName", orderDirection);
-
-      if (orderBy) {
-        switch (orderBy) {
-          case "name":
-            void query.orderBy(`${TableName.Identity}.${orderBy}`, orderDirection);
-            break;
-          case "role":
-            void query.orderBy(`${TableName.IdentityOrgMembership}.${orderBy}`, orderDirection);
-            break;
-          default:
-          // do nothing
-        }
-      }
-
-      if (search?.length) {
-        void query.whereILike(`${TableName.Identity}.name`, `%${search}%`);
       }
 
       const docs = await query;
-
+      const formattedDocs = sqlNestRelationships({
-      return docs.map(
+        data: docs,
-        ({
+        key: "id",
+        parentMapper: ({
           crId,
           crDescription,
           crSlug,
@@ -91,16 +115,21 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           identityId,
           identityName,
           identityAuthMethod,
-          ...el
+          role,
+          roleId,
+          id,
+          orgId,
+          createdAt,
+          updatedAt
         }) => ({
-          ...el,
+          role,
+          roleId,
           identityId,
-          identity: {
+          id,
-            id: identityId,
+          orgId,
-            name: identityName,
+          createdAt,
-            authMethod: identityAuthMethod
+          updatedAt,
-          },
+          customRole: roleId
-          customRole: el.roleId
             ? {
                 id: crId,
                 name: crName,
@@ -108,9 +137,27 @@ export const identityOrgDALFactory = (db: TDbClient) => {
                 permissions: crPermission,
                 description: crDescription
               }
-            : undefined
+            : undefined,
+          identity: {
+            id: identityId,
+            name: identityName,
+            authMethod: identityAuthMethod as string
+          }
+        }),
+        childrenMapper: [
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
             })
-      );
+          }
+        ]
+      });
+
+      return formattedDocs;
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByOrgId" });
     }

backend/src/services/identity/identity-service.ts

@@ -10,6 +10,7 @@ import { TIdentityProjectDALFactory } from "@app/services/identity-project/ident
 
 import { ActorType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "./identity-dal";
+import { TIdentityMetadataDALFactory } from "./identity-metadata-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
 import {
   TCreateIdentityDTO,
@@ -22,6 +23,7 @@ import {
 
 type TIdentityServiceFactoryDep = {
   identityDAL: TIdentityDALFactory;
+  identityMetadataDAL: TIdentityMetadataDALFactory;
   identityOrgMembershipDAL: TIdentityOrgDALFactory;
   identityProjectDAL: Pick<TIdentityProjectDALFactory, "findByIdentityId">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
@@ -32,6 +34,7 @@ export type TIdentityServiceFactory = ReturnType<typeof identityServiceFactory>;
 
 export const identityServiceFactory = ({
   identityDAL,
+  identityMetadataDAL,
   identityOrgMembershipDAL,
   identityProjectDAL,
   permissionService,
@@ -44,7 +47,8 @@ export const identityServiceFactory = ({
     orgId,
     actorId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    metadata
   }: TCreateIdentityDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
@@ -78,6 +82,17 @@ export const identityServiceFactory = ({
         },
         tx
       );
+      if (metadata && metadata.length) {
+        await identityMetadataDAL.insertMany(
+          metadata.map(({ key, value }) => ({
+            identityId: newIdentity.id,
+            orgId,
+            key,
+            value
+          })),
+          tx
+        );
+      }
       return newIdentity;
     });
     await licenseService.updateSubscriptionOrgMemberCount(orgId);
@@ -92,7 +107,8 @@ export const identityServiceFactory = ({
     actor,
     actorId,
     actorAuthMethod,
-    actorOrgId
+    actorOrgId,
+    metadata
   }: TUpdateIdentityDTO) => {
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new NotFoundError({ message: `Failed to find identity with id ${id}` });
@@ -134,8 +150,8 @@ export const identityServiceFactory = ({
     const identity = await identityDAL.transaction(async (tx) => {
       const newIdentity = name ? await identityDAL.updateById(id, { name }, tx) : await identityDAL.findById(id, tx);
       if (role) {
-        await identityOrgMembershipDAL.update(
+        await identityOrgMembershipDAL.updateById(
-          { identityId: id },
+          identityOrgMembership.id,
           {
             role: customRole ? OrgMembershipRole.Custom : role,
             roleId: customRole?.id || null
@@ -143,6 +159,20 @@ export const identityServiceFactory = ({
           tx
         );
       }
+      if (metadata) {
+        await identityMetadataDAL.delete({ orgId: identityOrgMembership.orgId, identityId: id }, tx);
+        if (metadata.length) {
+          await identityMetadataDAL.insertMany(
+            metadata.map(({ key, value }) => ({
+              identityId: newIdentity.id,
+              orgId: identityOrgMembership.orgId,
+              key,
+              value
+            })),
+            tx
+          );
+        }
+      }
       return newIdentity;
     });
 

backend/src/services/identity/identity-types.ts

@@ -4,12 +4,14 @@ import { OrderByDirection, TOrgPermission } from "@app/lib/types";
 export type TCreateIdentityDTO = {
   role: string;
   name: string;
+  metadata?: { key: string; value: string }[];
 } & TOrgPermission;
 
 export type TUpdateIdentityDTO = {
   id: string;
   role?: string;
   name?: string;
+  metadata?: { key: string; value: string }[];
 } & Omit<TOrgPermission, "orgId">;
 
 export type TDeleteIdentityDTO = {
@@ -39,6 +41,6 @@ export type TListOrgIdentitiesByOrgIdDTO = {
 } & TOrgPermission;
 
 export enum OrgIdentityOrderBy {
-  Name = "name",
+  Name = "name"
-  Role = "role"
+  // Role = "role"
 }

backend/src/services/integration-auth/integration-app-list.ts

@@ -455,6 +455,31 @@ const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
   return apps;
 };
 
+/**
+ * Return list of projects for Databricks integration
+ */
+const getAppsDatabricks = async ({ url, accessToken }: { url?: string | null; accessToken: string }) => {
+  const databricksApiUrl = `${url}/api`;
+
+  const res = await request.get<{ scopes: { name: string; backend_type: string }[] }>(
+    `${databricksApiUrl}/2.0/secrets/scopes/list`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
+    }
+  );
+
+  const scopes =
+    res.data?.scopes?.map((a) => ({
+      name: a.name, // name maps to unique scope name in Databricks
+      backend_type: a.backend_type
+    })) ?? [];
+
+  return scopes;
+};
+
 const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
   const res = (
     await request.get<{ id: string; slug: string }[]>(`${IntegrationUrls.TRAVISCI_API_URL}/repos`, {
@@ -1104,6 +1129,12 @@ export const getApps = async ({
         accessToken
       });
 
+    case Integrations.DATABRICKS:
+      return getAppsDatabricks({
+        url,
+        accessToken
+      });
+
     case Integrations.LARAVELFORGE:
       return getAppsLaravelForge({
         accessToken,

backend/src/services/integration-auth/integration-list.ts

@@ -15,6 +15,7 @@ export enum Integrations {
   FLYIO = "flyio",
   LARAVELFORGE = "laravel-forge",
   CIRCLECI = "circleci",
+  DATABRICKS = "databricks",
   TRAVISCI = "travisci",
   TEAMCITY = "teamcity",
   SUPABASE = "supabase",
@@ -73,6 +74,7 @@ export enum IntegrationUrls {
   RAILWAY_API_URL = "https://backboard.railway.app/graphql/v2",
   FLYIO_API_URL = "https://api.fly.io/graphql",
   CIRCLECI_API_URL = "https://circleci.com/api",
+  DATABRICKS_API_URL = "https:/xxxx.com/api",
   TRAVISCI_API_URL = "https://api.travis-ci.com",
   SUPABASE_API_URL = "https://api.supabase.com",
   LARAVELFORGE_API_URL = "https://forge.laravel.com",
@@ -210,6 +212,15 @@ export const getIntegrationOptions = async () => {
       clientId: "",
       docsLink: ""
     },
+    {
+      name: "Databricks",
+      slug: "databricks",
+      image: "Databricks.png",
+      isAvailable: true,
+      type: "pat",
+      clientId: "",
+      docsLink: ""
+    },
     {
       name: "GitLab",
       slug: "gitlab",

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -2085,6 +2085,80 @@ const syncSecretsCircleCI = async ({
   );
 };
 
+/**
+ * Sync/push [secrets] to Databricks project
+ */
+const syncSecretsDatabricks = async ({
+  integration,
+  integrationAuth,
+  secrets,
+  accessToken
+}: {
+  integration: TIntegrations;
+  integrationAuth: TIntegrationAuths;
+  secrets: Record<string, { value: string; comment?: string }>;
+  accessToken: string;
+}) => {
+  const databricksApiUrl = `${integrationAuth.url}/api`;
+
+  // sync secrets to Databricks
+  await Promise.all(
+    Object.keys(secrets).map(async (key) =>
+      request.post(
+        `${databricksApiUrl}/2.0/secrets/put`,
+        {
+          scope: integration.app,
+          key,
+          string_value: secrets[key].value
+        },
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
+          }
+        }
+      )
+    )
+  );
+
+  // get secrets from Databricks
+  const getSecretsRes = (
+    await request.get<{ secrets: { key: string; last_updated_timestamp: number }[] }>(
+      `${databricksApiUrl}/2.0/secrets/list`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json"
+        },
+        params: {
+          scope: integration.app
+        }
+      }
+    )
+  ).data.secrets;
+
+  // delete secrets from Databricks
+  await Promise.all(
+    getSecretsRes.map(async (sec) => {
+      if (!(sec.key in secrets)) {
+        return request.post(
+          `${databricksApiUrl}/2.0/secrets/delete`,
+          {
+            scope: integration.app,
+            key: sec.key
+          },
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Content-Type": "application/json"
+            }
+          }
+        );
+      }
+    })
+  );
+};
+
 /**
  * Sync/push [secrets] to TravisCI project
  */
@@ -4021,6 +4095,14 @@ export const syncIntegrationSecrets = async ({
         accessToken
       });
       break;
+    case Integrations.DATABRICKS:
+      await syncSecretsDatabricks({
+        integration,
+        integrationAuth,
+        secrets,
+        accessToken
+      });
+      break;
     case Integrations.LARAVELFORGE:
       await syncSecretsLaravelForge({
         integration,

backend/src/services/integration/integration-service.ts

@@ -150,12 +150,17 @@ export const integrationServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 
+    const newEnvironment = environment || integration.environment.slug;
+    const newSecretPath = secretPath || integration.secretPath;
+
+    if (environment || secretPath) {
       ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Read,
-      subject(ProjectPermissionSub.Secrets, { environment, secretPath })
+        subject(ProjectPermissionSub.Secrets, { environment: newEnvironment, secretPath: newSecretPath })
       );
+    }
 
-    const folder = await folderDAL.findBySecretPath(integration.projectId, environment, secretPath);
+    const folder = await folderDAL.findBySecretPath(integration.projectId, newEnvironment, newSecretPath);
     if (!folder) throw new NotFoundError({ message: "Folder path not found" });
 
     const updatedIntegration = await integrationDAL.updateById(id, {
@@ -174,7 +179,7 @@ export const integrationServiceFactory = ({
 
     await secretQueueService.syncIntegrations({
       environment: folder.environment.slug,
-      secretPath,
+      secretPath: newSecretPath,
       projectId: folder.projectId
     });
 
@@ -184,6 +189,12 @@ export const integrationServiceFactory = ({
   const getIntegration = async ({ id, actor, actorAuthMethod, actorId, actorOrgId }: TGetIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
 
+    if (!integration) {
+      throw new NotFoundError({
+        message: "Integration not found"
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,

backend/src/services/integration/integration-types.ts

@@ -48,10 +48,10 @@ export type TUpdateIntegrationDTO = {
   app?: string;
   appId?: string;
   isActive?: boolean;
-  secretPath: string;
+  secretPath?: string;
-  targetEnvironment: string;
+  targetEnvironment?: string;
-  owner: string;
+  owner?: string;
-  environment: string;
+  environment?: string;
   metadata?: {
     secretPrefix?: string;
     secretSuffix?: string;

backend/src/services/kms/kms-fns.ts

@@ -0,0 +1,11 @@
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+
+export const getByteLengthForAlgorithm = (encryptionAlgorithm: SymmetricEncryption) => {
+  switch (encryptionAlgorithm) {
+    case SymmetricEncryption.AES_GCM_128:
+      return 16;
+    case SymmetricEncryption.AES_GCM_256:
+    default:
+      return 32;
+  }
+};

backend/src/services/kms/kms-key-dal.ts

@@ -1,9 +1,11 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { KmsKeysSchema, TableName } from "@app/db/schemas";
+import { KmsKeysSchema, TableName, TInternalKms, TKmsKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { OrderByDirection } from "@app/lib/types";
+import { CmekOrderBy, TListCmeksByProjectIdDTO } from "@app/services/cmek/cmek-types";
 
 export type TKmsKeyDALFactory = ReturnType<typeof kmskeyDALFactory>;
 
@@ -71,5 +73,50 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...kmsOrm, findByIdWithAssociatedKms };
+  const findKmsKeysByProjectId = async (
+    {
+      projectId,
+      offset = 0,
+      limit,
+      orderBy = CmekOrderBy.Name,
+      orderDirection = OrderByDirection.ASC,
+      search
+    }: TListCmeksByProjectIdDTO,
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db.replicaNode())(TableName.KmsKey)
+        .where("projectId", projectId)
+        .where((qb) => {
+          if (search) {
+            void qb.whereILike("name", `%${search}%`);
+          }
+        })
+        .join(TableName.InternalKms, `${TableName.InternalKms}.kmsKeyId`, `${TableName.KmsKey}.id`)
+        .select<
+          (TKmsKeys &
+            Pick<TInternalKms, "version" | "encryptionAlgorithm"> & {
+              total_count: number;
+            })[]
+        >(
+          selectAllTableCols(TableName.KmsKey),
+          db.raw(`count(*) OVER() as total_count`),
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms),
+          db.ref("version").withSchema(TableName.InternalKms)
+        )
+        .orderBy(orderBy, orderDirection);
+
+      if (limit) {
+        void query.limit(limit).offset(offset);
+      }
+
+      const data = await query;
+
+      return { keys: data, totalCount: Number(data?.[0]?.total_count ?? 0) };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find kms keys by project id" });
+    }
+  };
+
+  return { ...kmsOrm, findByIdWithAssociatedKms, findKmsKeysByProjectId };
 };

backend/src/services/kms/kms-service.ts

@@ -17,6 +17,7 @@ import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { getByteLengthForAlgorithm } from "@app/services/kms/kms-fns";
 
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -71,17 +72,29 @@ export const kmsServiceFactory = ({
    * This function is responsibile for generating the infisical internal KMS for various entities
    * Like for secret manager, cert manager or for organization
    */
-  const generateKmsKey = async ({ orgId, isReserved = true, tx, slug }: TGenerateKMSDTO) => {
+  const generateKmsKey = async ({
+    orgId,
+    isReserved = true,
+    tx,
+    name,
+    projectId,
+    encryptionAlgorithm = SymmetricEncryption.AES_GCM_256,
+    description
+  }: TGenerateKMSDTO) => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKeyMaterial = randomSecureBytes(32);
+
+    const kmsKeyMaterial = randomSecureBytes(getByteLengthForAlgorithm(encryptionAlgorithm));
+
     const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
-    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const sanitizedName = name ? slugify(name) : slugify(alphaNumericNanoId(8).toLowerCase());
     const dbQuery = async (db: Knex) => {
       const kmsDoc = await kmsDAL.create(
         {
-          slug: sanitizedSlug,
+          name: sanitizedName,
           orgId,
-          isReserved
+          isReserved,
+          projectId,
+          description
         },
         db
       );
@@ -90,7 +103,7 @@ export const kmsServiceFactory = ({
         {
           version: 1,
           encryptedKey: encryptedKeyMaterial,
-          encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+          encryptionAlgorithm,
           kmsKeyId: kmsDoc.id
         },
         db
@@ -208,20 +221,20 @@ export const kmsServiceFactory = ({
     return org.kmsDefaultKeyId;
   };
 
-  const encryptWithRootKey = async () => {
+  const encryptWithRootKey = () => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    return ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, ROOT_ENCRYPTION_KEY);
 
-      return Promise.resolve({ cipherTextBlob: encryptedPlainTextBlob });
+    return (plainTextBuffer: Buffer) => {
+      const encryptedBuffer = cipher.encrypt(plainTextBuffer, ROOT_ENCRYPTION_KEY);
+      return encryptedBuffer;
     };
   };
 
-  const decryptWithRootKey = async () => {
+  const decryptWithRootKey = () => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    return ({ cipherTextBlob }: { cipherTextBlob: Buffer }) => {
+
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, ROOT_ENCRYPTION_KEY);
+    return (cipherTextBuffer: Buffer) => {
-      return Promise.resolve(decryptedBlob);
+      return cipher.decrypt(cipherTextBuffer, ROOT_ENCRYPTION_KEY);
     };
   };
 
@@ -286,12 +299,13 @@ export const kmsServiceFactory = ({
     }
 
     // internal KMS
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+    const dataCipher = symmetricCipherService(kmsDoc.internalKms?.encryptionAlgorithm as SymmetricEncryption);
+    const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
 
     return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKmsDTO, "cipherTextBlob">) => {
       const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
+      const decryptedBlob = dataCipher.decrypt(cipherTextBlob, kmsKey);
       return Promise.resolve(decryptedBlob);
     };
   };
@@ -347,11 +361,11 @@ export const kmsServiceFactory = ({
     }
 
     // internal KMS
-    // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
+    const keyCipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const dataCipher = symmetricCipherService(kmsDoc.internalKms?.encryptionAlgorithm as SymmetricEncryption);
     return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
-      const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+      const kmsKey = keyCipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
+      const encryptedPlainTextBlob = dataCipher.encrypt(plainText, kmsKey);
 
       // Buffer#1 encrypted text + Buffer#2 version number
       const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
@@ -767,8 +781,8 @@ export const kmsServiceFactory = ({
         message: "KMS not found"
       });
     }
-    const { id, slug, orgId, isExternal } = kms;
+    const { id, name, orgId, isExternal } = kms;
-    return { id, slug, orgId, isExternal };
+    return { id, name, orgId, isExternal };
   };
 
   // akhilmhdh: a copy of this is made in migrations/utils/kms

backend/src/services/kms/kms-types.ts

@@ -1,5 +1,7 @@
 import { Knex } from "knex";
 
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+
 export enum KmsDataKey {
   Organization,
   SecretManager
@@ -22,8 +24,11 @@ export type TEncryptWithKmsDataKeyDTO =
 
 export type TGenerateKMSDTO = {
   orgId: string;
+  projectId?: string;
+  encryptionAlgorithm?: SymmetricEncryption;
   isReserved?: boolean;
-  slug?: string;
+  name?: string;
+  description?: string;
   tx?: Knex;
 };
 

backend/src/services/org-membership/org-membership-dal.ts

@@ -1,7 +1,7 @@
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify } from "@app/lib/knex";
+import { ormify, sqlNestRelationships } from "@app/lib/knex";
 
 export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory>;
 
@@ -19,6 +19,11 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
           `${TableName.UserEncryptionKey}.userId`,
           `${TableName.Users}.id`
         )
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.OrgMembership}.userId`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.OrgMembership}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
         .select(
           db.ref("id").withSchema(TableName.OrgMembership),
           db.ref("inviteEmail").withSchema(TableName.OrgMembership),
@@ -33,19 +38,66 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
           db.ref("lastName").withSchema(TableName.Users),
           db.ref("isEmailVerified").withSchema(TableName.Users),
           db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
         )
-        .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
+        .where({ isGhost: false }); // MAKE SURE USER IS NOT A GHOST USER
-        .first();
 
       if (!member) return undefined;
 
-      const { email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data } = member;
+      const doc = sqlNestRelationships({
+        data: member,
+        key: "id",
+        parentMapper: ({
+          email,
+          isEmailVerified,
+          username,
+          firstName,
+          lastName,
+          userId,
+          publicKey,
+          roleId,
+          orgId,
+          id,
+          role,
+          status,
+          isActive,
+          inviteEmail
+        }) => ({
+          roleId,
+          orgId,
+          id,
+          role,
+          status,
+          isActive,
+          inviteEmail,
+          user: {
+            id: userId,
+            email,
+            isEmailVerified,
+            username,
+            firstName,
+            lastName,
+            userId,
+            publicKey
+          }
+        }),
+        childrenMapper: [
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
 
-      return {
+      return doc?.[0];
-        ...data,
-        user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey }
-      };
     } catch (error) {
       throw new DatabaseError({ error, name: "Find org membership by id" });
     }