chore: renamed new migration files to latest timestamp (gh-action)

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -122,19 +122,19 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
           wait-for-service-stability: true

.github/workflows/update-be-new-migration-latest-timestamp.yml

@@ -38,16 +38,23 @@ jobs:
           rm added_files.txt
           git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
 
-      - name: Get PR details
-        id: pr_details
+      - name: Get the username of the person who closed the PR
         run: |
           PR_NUMBER=${{ github.event.pull_request.number }}
-          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
+          REPO_NAME=${{ github.repository }}
+          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
           
-          echo "PR Number: $PR_NUMBER"
-          echo "PR Merger: $PR_MERGER"
-          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
+          # Use GitHub API to fetch PR data
+          PR_DATA=$(curl \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/$REPO_NAME/pulls/$PR_NUMBER)
 
+          # Extract the username of the person who closed the PR
+          CLOSED_BY=$(echo $PR_DATA | jq -r .closed_by.login)
+
+          echo "Pull Request #$PR_NUMBER was closed by $CLOSED_BY"
+          
       - name: Create Pull Request
         if: env.SKIP_RENAME != 'true'
         uses: peter-evans/create-pull-request@v6
@@ -56,4 +63,3 @@ jobs:
           commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
           title: 'GH Action: rename new migration file timestamp'
           branch-suffix: timestamp
-          reviewers: ${{ steps.pr_details.outputs.pr_merger }}

backend/package.json

@@ -95,13 +95,11 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.4.2",
+    "bullmq": "^5.3.3",
     "cassandra-driver": "^4.7.2",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
-    "google-auth-library": "^9.9.0",
-    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",

backend/src/@types/fastify.d.ts

@@ -32,10 +32,6 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
-import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -119,10 +115,6 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
-      identityGcpAuth: TIdentityGcpAuthServiceFactory;
-      identityAwsAuth: TIdentityAwsAuthServiceFactory;
-      identityAzureAuth: TIdentityAzureAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

backend/src/@types/knex.d.ts

@@ -59,18 +59,6 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsAuths,
-  TIdentityAwsAuthsInsert,
-  TIdentityAwsAuthsUpdate,
-  TIdentityAzureAuths,
-  TIdentityAzureAuthsInsert,
-  TIdentityAzureAuthsUpdate,
-  TIdentityGcpAuths,
-  TIdentityGcpAuthsInsert,
-  TIdentityGcpAuthsUpdate,
-  TIdentityKubernetesAuths,
-  TIdentityKubernetesAuthsInsert,
-  TIdentityKubernetesAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -237,7 +225,6 @@ import {
   TWebhooksInsert,
   TWebhooksUpdate
 } from "@app/db/schemas";
-import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";
 
 declare module "knex/types/tables" {
   interface Tables {
@@ -311,11 +298,6 @@ declare module "knex/types/tables" {
     >;
     [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
     [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretReference]: Knex.CompositeTableType<
-      TSecretReferences,
-      TSecretReferencesInsert,
-      TSecretReferencesUpdate
-    >;
     [TableName.SecretBlindIndex]: Knex.CompositeTableType<
       TSecretBlindIndexes,
       TSecretBlindIndexesInsert,
@@ -344,26 +326,6 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
-      TIdentityKubernetesAuths,
-      TIdentityKubernetesAuthsInsert,
-      TIdentityKubernetesAuthsUpdate
-    >;
-    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
-      TIdentityGcpAuths,
-      TIdentityGcpAuthsInsert,
-      TIdentityGcpAuthsUpdate
-    >;
-    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
-      TIdentityAwsAuths,
-      TIdentityAwsAuthsInsert,
-      TIdentityAwsAuthsUpdate
-    >;
-    [TableName.IdentityAzureAuth]: Knex.CompositeTableType<
-      TIdentityAzureAuths,
-      TIdentityAzureAuthsInsert,
-      TIdentityAzureAuthsUpdate
-    >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,

backend/src/db/migrations/20240507171720_test

@@ -0,0 +1 @@
+

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("stsEndpoint").notNullable();
-      t.string("allowedPrincipalArns").notNullable();
-      t.string("allowedAccountIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}

backend/src/db/migrations/20240514041650_identity-gcp-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
-    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("allowedServiceAccounts").notNullable();
-      t.string("allowedProjects").notNullable();
-      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}

backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
-    await knex.schema.createTable(TableName.SecretReference, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("environment").notNullable();
-      t.string("secretPath").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretReference);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretReference);
-  await dropOnUpdateTrigger(knex, TableName.SecretReference);
-}

backend/src/db/migrations/20240518142614_kubernetes-auth.ts

@@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
-    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("kubernetesHost").notNullable();
-      t.text("encryptedCaCert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.text("encryptedTokenReviewerJwt").notNullable();
-      t.string("tokenReviewerJwtIV").notNullable();
-      t.string("tokenReviewerJwtTag").notNullable();
-      t.string("allowedNamespaces").notNullable();
-      t.string("allowedNames").notNullable();
-      t.string("allowedAudience").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}

backend/src/db/migrations/20240520064127_add-integration-sync-status.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (!hasIsSyncedColumn) {
-      t.boolean("isSynced").nullable();
-    }
-
-    if (!hasSyncMessageColumn) {
-      t.text("syncMessage").nullable();
-    }
-
-    if (!hasLastSyncJobId) {
-      t.string("lastSyncJobId").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (hasIsSyncedColumn) {
-      t.dropColumn("isSynced");
-    }
-
-    if (hasSyncMessageColumn) {
-      t.dropColumn("syncMessage");
-    }
-
-    if (hasLastSyncJobId) {
-      t.dropColumn("lastSyncJobId");
-    }
-  });
-}

backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.index("projectId");
-      if (doesOrgIdExist) t.index("orgId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.dropIndex("projectId");
-      if (doesOrgIdExist) t.dropIndex("orgId");
-    });
-  }
-}

backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522204414_index-secret-version-envId.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
-    });
-  }
-}

backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.index("expiresAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.dropIndex("expiresAt");
-    });
-  }
-}

backend/src/db/migrations/20240527073740_identity-azure-auth.ts

@@ -1,29 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAzureAuth))) {
-    await knex.schema.createTable(TableName.IdentityAzureAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("tenantId").notNullable();
-      t.string("resource").notNullable();
-      t.string("allowedServicePrincipalIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAzureAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAzureAuth);
-}

backend/src/db/schemas/access-approval-policies.ts

@@ -11,8 +11,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
+  secretPath: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/db/schemas/identity-aws-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAwsAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  stsEndpoint: z.string(),
-  allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
-});
-
-export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
-export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAzureAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  tenantId: z.string(),
-  resource: z.string(),
-  allowedServicePrincipalIds: z.string()
-});
-
-export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;
-export type TIdentityAzureAuthsInsert = Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAzureAuthsUpdate = Partial<Omit<z.input<typeof IdentityAzureAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityGcpAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  allowedServiceAccounts: z.string(),
-  allowedProjects: z.string(),
-  allowedZones: z.string()
-});
-
-export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
-export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -1,35 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityKubernetesAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  kubernetesHost: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  encryptedTokenReviewerJwt: z.string(),
-  tokenReviewerJwtIV: z.string(),
-  tokenReviewerJwtTag: z.string(),
-  allowedNamespaces: z.string(),
-  allowedNames: z.string(),
-  allowedAudience: z.string()
-});
-
-export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
-export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityKubernetesAuthsUpdate = Partial<
-  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/index.ts

@@ -17,10 +17,6 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-auths";
-export * from "./identity-azure-auths";
-export * from "./identity-gcp-auths";
-export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/integrations.ts

@@ -28,10 +28,7 @@ export const IntegrationsSchema = z.object({
   secretPath: z.string().default("/"),
   createdAt: z.date(),
   updatedAt: z.date(),
-  lastUsed: z.date().nullable().optional(),
-  isSynced: z.boolean().nullable().optional(),
-  syncMessage: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional()
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TIntegrations = z.infer<typeof IntegrationsSchema>;

backend/src/db/schemas/models.ts

@@ -28,7 +28,6 @@ export enum TableName {
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
-  SecretReference = "secret_references",
   SecretBlindIndex = "secret_blind_indexes",
   SecretVersion = "secret_versions",
   SecretFolder = "secret_folders",
@@ -45,11 +44,7 @@ export enum TableName {
   Identity = "identities",
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
-  IdentityKubernetesAuth = "identity_kubernetes_auths",
-  IdentityGcpAuth = "identity_gcp_auths",
-  IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -147,9 +142,5 @@ export enum ProjectUpgradeStatus {
 }
 
 export enum IdentityAuthMethod {
-  Univeral = "universal-auth",
-  KUBERNETES_AUTH = "kubernetes-auth",
-  GCP_AUTH = "gcp-auth",
-  AWS_AUTH = "aws-auth",
-  AZURE_AUTH = "azure-auth"
+  Univeral = "universal-auth"
 }

backend/src/db/schemas/secret-references.ts

@@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretReferencesSchema = z.object({
-  id: z.string().uuid(),
-  environment: z.string(),
-  secretPath: z.string(),
-  secretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
-export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
-export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/users.ts

@@ -22,7 +22,7 @@ export const UsersSchema = z.object({
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
   username: z.string(),
-  isEmailVerified: z.boolean().default(false).nullable().optional()
+  isEmailVerified: z.boolean().nullable().optional()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -8,7 +8,7 @@ import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
+import { PermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -39,7 +39,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
@@ -90,7 +90,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -155,7 +155,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -3,6 +3,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { request } from "@app/lib/config/request";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
@@ -112,7 +113,35 @@ export const auditLogQueueServiceFactory = ({
     );
   });
 
+  queueService.start(QueueName.AuditLogPrune, async () => {
+    logger.info(`${QueueName.AuditLogPrune}: queue task started`);
+    await auditLogDAL.pruneAuditLog();
+    logger.info(`${QueueName.AuditLogPrune}: queue task completed`);
+  });
+
+  // we do a repeat cron job in utc timezone at 12 Midnight each day
+  const startAuditLogPruneJob = async () => {
+    // clear previous job
+    await queueService.stopRepeatableJob(
+      QueueName.AuditLogPrune,
+      QueueJobs.AuditLogPrune,
+      { pattern: "0 0 * * *", utc: true },
+      QueueName.AuditLogPrune // just a job id
+    );
+
+    await queueService.queue(QueueName.AuditLogPrune, QueueJobs.AuditLogPrune, undefined, {
+      delay: 5000,
+      jobId: QueueName.AuditLogPrune,
+      repeat: { pattern: "0 0 * * *", utc: true }
+    });
+  };
+
+  queueService.listen(QueueName.AuditLogPrune, "failed", (err) => {
+    logger.error(err?.failedReason, `${QueueName.AuditLogPrune}: log pruning failed`);
+  });
+
   return {
-    pushToLog
+    pushToLog,
+    startAuditLogPruneJob
   };
 };

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -51,7 +51,6 @@ export enum EventType {
   UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
   CREATE_INTEGRATION = "create-integration",
   DELETE_INTEGRATION = "delete-integration",
-  MANUAL_SYNC_INTEGRATION = "manual-sync-integration",
   ADD_TRUSTED_IP = "add-trusted-ip",
   UPDATE_TRUSTED_IP = "update-trusted-ip",
   DELETE_TRUSTED_IP = "delete-trusted-ip",
@@ -64,25 +63,9 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
-  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
-  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
-  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
-  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
-  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
-  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
-  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
-  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
-  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
-  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
-  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
-  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
-  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
-  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
-  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -286,25 +269,6 @@ interface DeleteIntegrationEvent {
   };
 }
 
-interface ManualSyncIntegrationEvent {
-  type: EventType.MANUAL_SYNC_INTEGRATION;
-  metadata: {
-    integrationId: string;
-    integration: string;
-    environment: string;
-    secretPath: string;
-    url?: string;
-    app?: string;
-    appId?: string;
-    targetEnvironment?: string;
-    targetEnvironmentId?: string;
-    targetService?: string;
-    targetServiceId?: string;
-    path?: string;
-    region?: string;
-  };
-}
-
 interface AddTrustedIPEvent {
   type: EventType.ADD_TRUSTED_IP;
   metadata: {
@@ -419,50 +383,6 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
-interface LoginIdentityKubernetesAuthEvent {
-  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    identityKubernetesAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityKubernetesAuthEvent {
-  type: EventType.ADD_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost: string;
-    allowedNamespaces: string;
-    allowedNames: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityKubernetesAuthEvent {
-  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost?: string;
-    allowedNamespaces?: string;
-    allowedNames?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityKubernetesAuthEvent {
-  type: EventType.GET_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateIdentityUniversalAuthClientSecretEvent {
   type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -486,138 +406,6 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
-interface LoginIdentityGcpAuthEvent {
-  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    identityGcpAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityGcpAuthEvent {
-  type: EventType.ADD_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type: string;
-    allowedServiceAccounts: string;
-    allowedProjects: string;
-    allowedZones: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityGcpAuthEvent {
-  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type?: string;
-    allowedServiceAccounts?: string;
-    allowedProjects?: string;
-    allowedZones?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityGcpAuthEvent {
-  type: EventType.GET_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface LoginIdentityAwsAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    identityAwsAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityAwsAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint: string;
-    allowedPrincipalArns: string;
-    allowedAccountIds: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityAwsAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint?: string;
-    allowedPrincipalArns?: string;
-    allowedAccountIds?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityAwsAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface LoginIdentityAzureAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    identityAzureAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityAzureAuthEvent {
-  type: EventType.ADD_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    tenantId: string;
-    resource: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityAzureAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-    tenantId?: string;
-    resource?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityAzureAuthEvent {
-  type: EventType.GET_IDENTITY_AZURE_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateEnvironmentEvent {
   type: EventType.CREATE_ENVIRONMENT;
   metadata: {
@@ -857,7 +645,6 @@ export type Event =
   | UnauthorizeIntegrationEvent
   | CreateIntegrationEvent
   | DeleteIntegrationEvent
-  | ManualSyncIntegrationEvent
   | AddTrustedIPEvent
   | UpdateTrustedIPEvent
   | DeleteTrustedIPEvent
@@ -870,25 +657,9 @@ export type Event =
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
-  | LoginIdentityKubernetesAuthEvent
-  | AddIdentityKubernetesAuthEvent
-  | UpdateIdentityKubernetesAuthEvent
-  | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityGcpAuthEvent
-  | AddIdentityGcpAuthEvent
-  | UpdateIdentityGcpAuthEvent
-  | GetIdentityGcpAuthEvent
-  | LoginIdentityAwsAuthEvent
-  | AddIdentityAwsAuthEvent
-  | UpdateIdentityAwsAuthEvent
-  | GetIdentityAwsAuthEvent
-  | LoginIdentityAzureAuthEvent
-  | AddIdentityAzureAuthEvent
-  | UpdateIdentityAzureAuthEvent
-  | GetIdentityAzureAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -7,15 +7,12 @@ import {
   SecretType,
   TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { getAllNestedSecretReferences } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@@ -56,7 +53,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretService: Pick<
     TSecretServiceFactory,
     | "fnSecretBulkInsert"
@@ -84,8 +80,7 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretService,
   secretVersionDAL,
-  secretQueueService,
-  projectBotService
+  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -357,7 +352,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
 
     const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === CommitType.Delete);
-    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
+
     const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
       const newSecrets = secretCreationCommits.length
         ? await secretService.fnSecretBulkInsert({
@@ -384,17 +379,7 @@ export const secretApprovalRequestServiceFactory = ({
               ]),
               tags: el?.tags.map(({ id }) => id),
               version: 1,
-              type: SecretType.Shared,
-              references: botKey
-                ? getAllNestedSecretReferences(
-                    decryptSymmetric128BitHexKeyUTF8({
-                      ciphertext: el.secretValueCiphertext,
-                      iv: el.secretValueIV,
-                      tag: el.secretValueTag,
-                      key: botKey
-                    })
-                  )
-                : undefined
+              type: SecretType.Shared
             })),
             secretDAL,
             secretVersionDAL,
@@ -429,17 +414,7 @@ export const secretApprovalRequestServiceFactory = ({
                   "secretReminderNote",
                   "secretReminderRepeatDays",
                   "secretBlindIndex"
-                ]),
-                references: botKey
-                  ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
-                        ciphertext: el.secretValueCiphertext,
-                        iv: el.secretValueIV,
-                        tag: el.secretValueTag,
-                        key: botKey
-                      })
-                    )
-                  : undefined
+                ])
               }
             })),
             secretDAL,

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,17 +90,15 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await Promise.all(
-        repositories.map(({ id, full_name }) =>
-          secretScanningQueue.startFullRepoScan({
-            organizationId: session.orgId,
-            installationId,
-            repository: { id, fullName: full_name }
-          })
-        )
-      );
-    }
+    await Promise.all(
+      repositories.map(({ id, full_name }) =>
+        secretScanningQueue.startFullRepoScan({
+          organizationId: session.orgId,
+          installationId,
+          repository: { id, fullName: full_name }
+        })
+      )
+    );
     return { installatedApp };
   };
 
@@ -153,7 +151,6 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
-    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -164,15 +161,13 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await secretScanningQueue.startPushEventScan({
-        commits,
-        pusher: { name: pusher.name, email: pusher.email },
-        repository: { fullName: repository.full_name, id: repository.id },
-        organizationId: installationLink.orgId,
-        installationId: String(installation?.id)
-      });
-    }
+    await secretScanningQueue.startPushEventScan({
+      commits,
+      pusher: { name: pusher.name, email: pusher.email },
+      repository: { fullName: repository.full_name, id: repository.id },
+      organizationId: installationLink.orgId,
+      installationId: String(installation?.id)
+    });
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -89,21 +89,6 @@ export const UNIVERSAL_AUTH = {
   },
   RENEW_ACCESS_TOKEN: {
     accessToken: "The access token to renew."
-  },
-  REVOKE_ACCESS_TOKEN: {
-    accessToken: "The access token to revoke."
-  }
-} as const;
-
-export const AWS_AUTH = {
-  LOGIN: {
-    identityId: "The ID of the identity to login.",
-    iamHttpRequestMethod: "The HTTP request method used in the signed request.",
-    iamRequestUrl:
-      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/",
-    iamRequestBody:
-      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
-    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
   }
 } as const;
 
@@ -148,6 +133,36 @@ export const PROJECTS = {
     name: "The new name of the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project."
   },
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: "A list of roles to update the membership to."
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
   },
@@ -186,70 +201,6 @@ export const PROJECTS = {
   }
 } as const;
 
-export const PROJECT_USERS = {
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  GET_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to get memberships from.",
-    username: "The username to get project membership of. Email is the default username."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  }
-};
-
-export const PROJECT_IDENTITIES = {
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  GET_IDENTITY_MEMBERSHIP_BY_ID: {
-    identityId: "The ID of the identity to get the membership for.",
-    projectId: "The ID of the project to get the identity membership for."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: {
-      description: "A list of role slugs to assign to the identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  CREATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to create the identity membership from.",
-    identityId: "The ID of the identity to create the membership from.",
-    role: "The role slug to assign to the newly created identity project membership.",
-    roles: {
-      description: "A list of role slugs to assign to the newly created identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  }
-};
-
 export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
@@ -289,7 +240,6 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -326,8 +276,7 @@ export const RAW_SECRETS = {
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug:
-      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
+    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -346,7 +295,6 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
-    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -662,12 +610,10 @@ export const INTEGRATION = {
       secretPrefix: "The prefix for the saved secret. Used by GCP.",
       secretSuffix: "The suffix for the saved secret. Used by GCP.",
       initialSyncBehavoir: "Type of syncing behavoir with the integration.",
-      mappingBehavior: "The mapping behavior of the integration.",
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS.",
-      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
+      kmsKeyId: "The ID of the encryption key from AWS KMS."
     }
   },
   UPDATE: {
@@ -684,9 +630,6 @@ export const INTEGRATION = {
   },
   DELETE: {
     integrationId: "The ID of the integration object."
-  },
-  SYNC: {
-    integrationId: "The ID of the integration object to manually sync"
   }
 };
 

backend/src/lib/config/env.ts

@@ -13,10 +13,6 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
-    DISABLE_SECRET_SCANNING: z
-      .enum(["true", "false"])
-      .default("false")
-      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(

backend/src/lib/knex/index.ts

@@ -104,68 +104,24 @@ export const ormify = <DbOps extends object, Tname extends keyof Tables>(db: Kne
       throw new DatabaseError({ error, name: "Create" });
     }
   },
-  updateById: async (
-    id: string,
-    {
-      $incr,
-      $decr,
-      ...data
-    }: Tables[Tname]["update"] & {
-      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-    },
-    tx?: Knex
-  ) => {
+  updateById: async (id: string, data: Tables[Tname]["update"], tx?: Knex) => {
     try {
-      const query = (tx || db)(tableName)
+      const [res] = await (tx || db)(tableName)
         .where({ id } as never)
         .update(data as never)
         .returning("*");
-      if ($incr) {
-        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      if ($decr) {
-        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      const [docs] = await query;
-      return docs;
+      return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Update by id" });
     }
   },
-  update: async (
-    filter: TFindFilter<Tables[Tname]["base"]>,
-    {
-      $incr,
-      $decr,
-      ...data
-    }: Tables[Tname]["update"] & {
-      $incr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-      $decr?: { [x in keyof Partial<Tables[Tname]["base"]>]: number };
-    },
-    tx?: Knex
-  ) => {
+  update: async (filter: TFindFilter<Tables[Tname]["base"]>, data: Tables[Tname]["update"], tx?: Knex) => {
     try {
-      const query = (tx || db)(tableName)
+      const res = await (tx || db)(tableName)
         .where(buildFindFilter(filter))
         .update(data as never)
         .returning("*");
-      // increment and decrement operation in update
-      if ($incr) {
-        Object.entries($incr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      if ($decr) {
-        Object.entries($decr).forEach(([incrementField, incrementValue]) => {
-          void query.increment(incrementField, incrementValue);
-        });
-      }
-      return await query;
+      return res;
     } catch (error) {
       throw new DatabaseError({ error, name: "Update" });
     }

backend/src/lib/logger/logger.ts

@@ -30,37 +30,6 @@ const loggerConfig = z.object({
   NODE_ENV: z.enum(["development", "test", "production"]).default("production")
 });
 
-const redactedKeys = [
-  "accessToken",
-  "authToken",
-  "serviceToken",
-  "identityAccessToken",
-  "token",
-  "privateKey",
-  "serverPrivateKey",
-  "plainPrivateKey",
-  "plainProjectKey",
-  "encryptedPrivateKey",
-  "userPrivateKey",
-  "protectedKey",
-  "decryptKey",
-  "encryptedProjectKey",
-  "encryptedSymmetricKey",
-  "encryptedPrivateKey",
-  "backupPrivateKey",
-  "secretKey",
-  "SecretKey",
-  "botPrivateKey",
-  "encryptedKey",
-  "plaintextProjectKey",
-  "accessKey",
-  "botKey",
-  "decryptedSecret",
-  "secrets",
-  "key",
-  "password"
-];
-
 export const initLogger = async () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -105,9 +74,7 @@ export const initLogger = async () => {
           hostname: bindings.hostname
           // node_version: process.version
         })
-      },
-      // redact until depth of three
-      redact: [...redactedKeys, ...redactedKeys.map((key) => `*.${key}`), ...redactedKeys.map((key) => `*.*.${key}`)]
+      }
     },
     // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
     transport

backend/src/queue/queue-service.ts

@@ -12,9 +12,7 @@ export enum QueueName {
   SecretRotation = "secret-rotation",
   SecretReminder = "secret-reminder",
   AuditLog = "audit-log",
-  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
   AuditLogPrune = "audit-log-prune",
-  DailyResourceCleanUp = "daily-resource-cleanup",
   TelemetryInstanceStats = "telemtry-self-hosted-stats",
   IntegrationSync = "sync-integrations",
   SecretWebhook = "secret-webhook",
@@ -28,9 +26,7 @@ export enum QueueJobs {
   SecretReminder = "secret-reminder-job",
   SecretRotation = "secret-rotation-job",
   AuditLog = "audit-log-job",
-  // TODO(akhilmhdh): This will get removed later. For now this is kept to stop the repeatable queue
   AuditLogPrune = "audit-log-prune-job",
-  DailyResourceCleanUp = "daily-resource-cleanup-job",
   SecWebhook = "secret-webhook-trigger",
   TelemetryInstanceStats = "telemetry-self-hosted-stats",
   IntegrationSync = "secret-integration-pull",
@@ -59,10 +55,6 @@ export type TQueueJobTypes = {
     name: QueueJobs.AuditLog;
     payload: TCreateAuditLogDTO;
   };
-  [QueueName.DailyResourceCleanUp]: {
-    name: QueueJobs.DailyResourceCleanUp;
-    payload: undefined;
-  };
   [QueueName.AuditLogPrune]: {
     name: QueueJobs.AuditLogPrune;
     payload: undefined;
@@ -73,13 +65,7 @@ export type TQueueJobTypes = {
   };
   [QueueName.IntegrationSync]: {
     name: QueueJobs.IntegrationSync;
-    payload: {
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
   };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;
@@ -180,9 +166,7 @@ export const queueServiceFactory = (redisUrl: string) => {
     jobId?: string
   ) => {
     const q = queueContainer[name];
-    if (q) {
-      return q.removeRepeatable(job, repeatOpt, jobId);
-    }
+    return q.removeRepeatable(job, repeatOpt, jobId);
   };
 
   const stopRepeatableJobByJobId = async <T extends QueueName>(name: T, jobId: string) => {

backend/src/server/config/rateLimiter.ts

@@ -36,7 +36,7 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 60,
+  max: 1000,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/auth/inject-permission.ts

@@ -1,6 +1,5 @@
 import fp from "fastify-plugin";
 
-import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";
 
 // inject permission type needed based on auth extracted
@@ -16,10 +15,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
         authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
-      );
     } else if (req.auth.actor === ActorType.IDENTITY) {
       req.permission = {
         type: ActorType.IDENTITY,
@@ -27,10 +22,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
-      );
     } else if (req.auth.actor === ActorType.SERVICE) {
       req.permission = {
         type: ActorType.SERVICE,
@@ -38,10 +29,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
-      );
     } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
       req.permission = {
         type: ActorType.SCIM_CLIENT,
@@ -49,10 +36,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
-      );
     }
   });
 });

backend/src/server/plugins/ip.ts

@@ -6,7 +6,6 @@ const headersOrder = [
   "cf-connecting-ip", // Cloudflare
   "Cf-Pseudo-IPv4", // Cloudflare
   "x-client-ip", // Most common
-  "x-envoy-external-address", // for envoy
   "x-forwarded-for", // Mostly used by proxies
   "fastly-client-ip",
   "true-client-ip", // Akamai and Cloudflare
@@ -24,21 +23,7 @@ export const fastifyIp = fp(async (fastify) => {
     const forwardedIpHeader = headersOrder.find((header) => Boolean(req.headers[header]));
     const forwardedIp = forwardedIpHeader ? req.headers[forwardedIpHeader] : undefined;
     if (forwardedIp) {
-      if (Array.isArray(forwardedIp)) {
-        // eslint-disable-next-line
-        req.realIp = forwardedIp[0];
-        return;
-      }
-
-      if (forwardedIp.includes(",")) {
-        // the ip header when placed with load balancers that proxy request
-        // will attach the internal ips to header by appending with comma
-        // https://github.com/go-chi/chi/blob/master/middleware/realip.go
-        const clientIPFromProxy = forwardedIp.slice(0, forwardedIp.indexOf(",")).trim();
-        req.realIp = clientIPFromProxy;
-        return;
-      }
-      req.realIp = forwardedIp;
+      req.realIp = Array.isArray(forwardedIp) ? forwardedIp[0] : forwardedIp;
     } else {
       req.realIp = req.ip;
     }

backend/src/server/plugins/maintenanceMode.ts

@@ -5,13 +5,8 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (serverEnvs.MAINTENANCE_MODE) {
-      // skip if its universal auth login or renew
-      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
-      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
-      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
-        throw new Error("Infisical is in maintenance mode. Please try again later.");
-      }
+    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
+      throw new Error("Infisical is in maintenance mode. Please try again later.");
     }
   });
 });

backend/src/server/routes/index.ts

@@ -78,14 +78,6 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
-import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { identityAzureAuthDALFactory } from "@app/services/identity-azure-auth/identity-azure-auth-dal";
-import { identityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
-import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
-import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
-import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -117,7 +109,6 @@ import { projectMembershipServiceFactory } from "@app/services/project-membershi
 import { projectUserMembershipRoleDALFactory } from "@app/services/project-membership/project-user-membership-role-dal";
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
-import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -163,10 +154,7 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  const appCfg = getConfig();
-  if (!appCfg.DISABLE_SECRET_SCANNING) {
-    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
-  }
+  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -212,11 +200,7 @@ export const registerRoutes = async (
   const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);
 
   const identityUaDAL = identityUaDALFactory(db);
-  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
-  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
-  const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
   const auditLogStreamDAL = auditLogStreamDALFactory(db);
@@ -551,10 +535,8 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService,
-    projectDAL
+    snapshotService
   });
-
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -613,7 +595,6 @@ export const registerRoutes = async (
   });
   const sarService = secretApprovalRequestServiceFactory({
     permissionService,
-    projectBotService,
     folderDAL,
     secretDAL,
     secretTagDAL,
@@ -718,41 +699,6 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
-  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
-    identityKubernetesAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    orgBotDAL,
-    permissionService,
-    licenseService
-  });
-  const identityGcpAuthService = identityGcpAuthServiceFactory({
-    identityGcpAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    permissionService,
-    licenseService
-  });
-
-  const identityAwsAuthService = identityAwsAuthServiceFactory({
-    identityAccessTokenDAL,
-    identityAwsAuthDAL,
-    identityOrgMembershipDAL,
-    identityDAL,
-    licenseService,
-    permissionService
-  });
-
-  const identityAzureAuthService = identityAzureAuthServiceFactory({
-    identityAzureAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    permissionService,
-    licenseService
-  });
 
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
@@ -781,19 +727,14 @@ export const registerRoutes = async (
     folderDAL,
     licenseService
   });
-  const dailyResourceCleanUp = dailyResourceCleanUpQueueServiceFactory({
-    auditLogDAL,
-    queueService,
-    identityAccessTokenDAL
-  });
 
   await superAdminService.initServerCfg();
   //
   // setup the communication with license key server
   await licenseService.init();
 
+  await auditLogQueue.startAuditLogPruneJob();
   await telemetryQueue.startTelemetryCheck();
-  await dailyResourceCleanUp.startCleanUp();
 
   // inject all services
   server.decorate<FastifyZodProvider["services"]>("services", {
@@ -827,10 +768,6 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
-    identityKubernetesAuth: identityKubernetesAuthService,
-    identityGcpAuth: identityGcpAuthService,
-    identityAwsAuth: identityAwsAuthService,
-    identityAzureAuth: identityAzureAuthService,
     secretApprovalPolicy: sapService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -8,7 +8,6 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -65,12 +64,14 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
-export const ProjectPermissionSchema = z.object({
+export const PermissionSchema = z.object({
   action: z
-    .nativeEnum(ProjectPermissionActions)
+    .string()
+    .min(1)
     .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
   subject: z
-    .nativeEnum(ProjectPermissionSub)
+    .string()
+    .min(1)
     .describe("The entity this permission pertains to. Possible options: secrets, environments"),
   conditions: z
     .object({

backend/src/server/routes/v1/admin-router.ts

@@ -20,23 +20,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
-            isMigrationModeOn: z.boolean(),
-            isSecretScanningDisabled: z.boolean()
-          })
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
+            z.object({ isMigrationModeOn: z.boolean() })
+          )
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return {
-        config: {
-          ...config,
-          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
-          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
-        }
-      };
+      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
     }
   });
 

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -36,29 +36,4 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
       };
     }
   });
-
-  server.route({
-    url: "/token/revoke",
-    method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Revoke access token",
-      body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    handler: async (req) => {
-      await server.services.identityAccessToken.revokeAccessToken(req.body.accessToken);
-      return {
-        message: "Successfully revoked access token"
-      };
-    }
-  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -1,269 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAwsAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_AUTH } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import {
-  validateAccountIds,
-  validatePrincipalArns
-} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
-
-export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/aws-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with AWS Auth",
-      body: z.object({
-        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityAwsAuthId: identityAwsAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityAwsAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach AWS Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).default("https://sts.amazonaws.com/"),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).optional(),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId
-          }
-        }
-      });
-      return { identityAwsAuth };
-    }
-  });
-};

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -1,262 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAzureAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { validateAzureAuthField } from "@app/services/identity-azure-auth/identity-azure-auth-validators";
-
-export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/azure-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with Azure Auth",
-      body: z.object({
-        identityId: z.string(),
-        jwt: z.string()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityAzureAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAzureAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityAzureAuthId: identityAzureAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityAzureAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach Azure Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        tenantId: z.string().trim(),
-        resource: z.string().trim(),
-        allowedServicePrincipalIds: validateAzureAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.attachAzureAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            tenantId: identityAzureAuth.tenantId,
-            resource: identityAzureAuth.resource,
-            accessTokenTTL: identityAzureAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update Azure Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        tenantId: z.string().trim().optional(),
-        resource: z.string().trim().optional(),
-        allowedServicePrincipalIds: validateAzureAuthField.optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.updateAzureAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId,
-            tenantId: identityAzureAuth.tenantId,
-            resource: identityAzureAuth.resource,
-            accessTokenTTL: identityAzureAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAzureAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/azure-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve Azure Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityAzureAuth: IdentityAzureAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAzureAuth = await server.services.identityAzureAuth.getAzureAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAzureAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_AZURE_AUTH,
-          metadata: {
-            identityId: identityAzureAuth.identityId
-          }
-        }
-      });
-
-      return { identityAzureAuth };
-    }
-  });
-};

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -1,268 +0,0 @@
-import { z } from "zod";
-
-import { IdentityGcpAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
-
-export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with GCP Auth",
-      body: z.object({
-        identityId: z.string(),
-        jwt: z.string()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityGcpAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityGcpAuthId: identityGcpAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityGcpAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach GCP Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]),
-        allowedServiceAccounts: validateGcpAuthField,
-        allowedProjects: validateGcpAuthField,
-        allowedZones: validateGcpAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField.optional(),
-        allowedProjects: validateGcpAuthField.optional(),
-        allowedZones: validateGcpAuthField.optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-};

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -1,283 +0,0 @@
-import { z } from "zod";
-
-import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-
-const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.omit({
-  encryptedCaCert: true,
-  caCertIV: true,
-  caCertTag: true,
-  encryptedTokenReviewerJwt: true,
-  tokenReviewerJwtIV: true,
-  tokenReviewerJwtTag: true
-}).extend({
-  caCert: z.string(),
-  tokenReviewerJwt: z.string()
-});
-
-export const registerIdentityKubernetesRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with Kubernetes Auth",
-      body: z.object({
-        identityId: z.string().trim(),
-        jwt: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityKubernetesAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityKubernetesAuth.login({
-          identityId: req.body.identityId,
-          jwt: req.body.jwt
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityKubernetesAuthId: identityKubernetesAuth.id
-          }
-        }
-      });
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityKubernetesAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach Kubernetes Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1),
-        caCert: z.string().trim().default(""),
-        tokenReviewerJwt: z.string().trim().min(1),
-        allowedNamespaces: z.string(), // TODO: validation
-        allowedNames: z.string(),
-        allowedAudience: z.string(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.attachKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1).optional(),
-        caCert: z.string().trim().optional(),
-        tokenReviewerJwt: z.string().trim().min(1).optional(),
-        allowedNamespaces: z.string().optional(), // TODO: validation
-        allowedNames: z.string().optional(),
-        allowedAudience: z.string().optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.updateKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.getKubernetesAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-};

backend/src/server/routes/v1/index.ts

@@ -2,10 +2,6 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
-import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
-import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
-import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -31,11 +27,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     async (authRouter) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
-      await authRouter.register(registerIdentityKubernetesRouter);
-      await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsAuthRouter);
-      await authRouter.register(registerIdentityAzureAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -8,7 +8,6 @@ import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { IntegrationMappingBehavior } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
@@ -50,10 +49,6 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
             secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
             initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
-            mappingBehavior: z
-              .nativeEnum(IntegrationMappingBehavior)
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.mappingBehavior),
             shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
             secretGCPLabel: z
               .object({
@@ -71,8 +66,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
-            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
           })
           .default({})
       }),
@@ -148,8 +142,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -159,34 +153,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
-        metadata: z
-          .object({
-            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
-            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
-            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
-            mappingBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.mappingBehavior),
-            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
-            secretGCPLabel: z
-              .object({
-                labelName: z.string(),
-                labelValue: z.string()
-              })
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
-            secretAWSTag: z
-              .array(
-                z.object({
-                  key: z.string(),
-                  value: z.string()
-                })
-              )
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
-            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
-          })
-          .optional()
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
       }),
       response: {
         200: z.object({
@@ -268,64 +235,5 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/:integrationId/sync",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Manually trigger sync of an integration by integration id",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        integrationId: z.string().trim().describe(INTEGRATION.SYNC.integrationId)
-      }),
-      response: {
-        200: z.object({
-          integration: IntegrationsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const integration = await server.services.integration.syncIntegration({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: integration.projectId,
-        event: {
-          type: EventType.MANUAL_SYNC_INTEGRATION,
-          // eslint-disable-next-line
-          metadata: shake({
-            integrationId: integration.id,
-            integration: integration.integration,
-            environment: integration.environment.slug,
-            secretPath: integration.secretPath,
-            url: integration.url,
-            app: integration.app,
-            appId: integration.appId,
-            targetEnvironment: integration.targetEnvironment,
-            targetEnvironmentId: integration.targetEnvironmentId,
-            targetService: integration.targetService,
-            targetServiceId: integration.targetServiceId,
-            path: integration.path,
-            region: integration.region
-            // eslint-disable-next-line
-          }) as any
-        }
-      });
-
-      return { integration };
-    }
-  });
+  // TODO(akhilmhdh-pg): manual sync
 };

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECT_USERS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -30,7 +30,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
       }),
       response: {
         200: z.object({
@@ -74,66 +74,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/:workspaceId/memberships/details",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Return project user memberships",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        workspaceId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.workspaceId)
-      }),
-      body: z.object({
-        username: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.username)
-      }),
-      response: {
-        200: z.object({
-          membership: ProjectMembershipsSchema.extend({
-            user: UsersSchema.pick({
-              email: true,
-              firstName: true,
-              lastName: true,
-              id: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-            roles: z.array(
-              z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
-              })
-            )
-          }).omit({ createdAt: true, updatedAt: true })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const membership = await server.services.projectMembership.getProjectMembershipByUsername({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
-        username: req.body.username
-      });
-      return { membership };
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/:workspaceId/memberships",
@@ -202,8 +142,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
         roles: z
@@ -224,7 +164,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least one long lived role is required")
-          .describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.roles)
+          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/secret-folder-router.ts

@@ -127,70 +127,6 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
     }
   });
 
-  server.route({
-    url: "/batch",
-    method: "PATCH",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Update folders by batch",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectSlug: z.string().trim().describe(FOLDERS.UPDATE.projectSlug),
-        folders: z
-          .object({
-            id: z.string().describe(FOLDERS.UPDATE.folderId),
-            environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-            name: z.string().trim().describe(FOLDERS.UPDATE.name),
-            path: z.string().trim().default("/").transform(removeTrailingSlash).describe(FOLDERS.UPDATE.path)
-          })
-          .array()
-          .min(1)
-      }),
-      response: {
-        200: z.object({
-          folders: SecretFoldersSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { newFolders, oldFolders, projectId } = await server.services.folder.updateManyFolders({
-        ...req.body,
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId
-      });
-
-      await Promise.all(
-        req.body.folders.map(async (folder, index) => {
-          await server.services.auditLog.createAuditLog({
-            ...req.auditLogInfo,
-            projectId,
-            event: {
-              type: EventType.UPDATE_FOLDER,
-              metadata: {
-                environment: oldFolders[index].envId,
-                folderId: oldFolders[index].id,
-                folderPath: folder.path,
-                newFolderName: newFolders[index].name,
-                oldFolderName: oldFolders[index].name
-              }
-            }
-          });
-        })
-      );
-
-      return { folders: newFolders };
-    }
-  });
-
   // TODO(daniel): Expose this route in api reference and write docs for it.
   server.route({
     method: "DELETE",

backend/src/server/routes/v2/identity-project-router.ts

@@ -7,8 +7,7 @@ import {
   ProjectMembershipRole,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
-import { PROJECT_IDENTITIES } from "@app/lib/api-docs";
-import { BadRequestError } from "@app/lib/errors";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -23,48 +22,12 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Create project identity membership",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
       params: z.object({
         projectId: z.string().trim(),
         identityId: z.string().trim()
       }),
       body: z.object({
-        // @depreciated
-        role: z.string().trim().optional().default(ProjectMembershipRole.NoAccess),
-        roles: z
-          .array(
-            z.union([
-              z.object({
-                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
-                isTemporary: z
-                  .literal(false)
-                  .default(false)
-                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
-              }),
-              z.object({
-                role: z.string().describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
-                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
-                temporaryMode: z
-                  .nativeEnum(ProjectUserMembershipTemporaryMode)
-                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
-                temporaryRange: z
-                  .string()
-                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role),
-                temporaryAccessStartTime: z
-                  .string()
-                  .datetime()
-                  .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.role)
-              })
-            ])
-          )
-          .describe(PROJECT_IDENTITIES.CREATE_IDENTITY_MEMBERSHIP.roles.description)
-          .optional()
+        role: z.string().trim().min(1).default(ProjectMembershipRole.NoAccess)
       }),
       response: {
         200: z.object({
@@ -73,9 +36,6 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       }
     },
     handler: async (req) => {
-      const { role, roles } = req.body;
-      if (!role && !roles) throw new BadRequestError({ message: "You must provide either role or roles field" });
-
       const identityMembership = await server.services.identityProject.createProjectIdentity({
         actor: req.permission.type,
         actorId: req.permission.id,
@@ -83,7 +43,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         actorOrgId: req.permission.orgId,
         identityId: req.params.identityId,
         projectId: req.params.projectId,
-        roles: roles || [{ role }]
+        role: req.body.role
       });
       return { identityMembership };
     }
@@ -104,39 +64,28 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.identityId)
       }),
       body: z.object({
         roles: z
           .array(
             z.union([
               z.object({
-                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
-                isTemporary: z
-                  .literal(false)
-                  .default(false)
-                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary)
+                role: z.string(),
+                isTemporary: z.literal(false).default(false)
               }),
               z.object({
-                role: z.string().describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.role),
-                isTemporary: z.literal(true).describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.isTemporary),
-                temporaryMode: z
-                  .nativeEnum(ProjectUserMembershipTemporaryMode)
-                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryMode),
-                temporaryRange: z
-                  .string()
-                  .refine((val) => ms(val) > 0, "Temporary range must be a positive number")
-                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryRange),
-                temporaryAccessStartTime: z
-                  .string()
-                  .datetime()
-                  .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.temporaryAccessStartTime)
+                role: z.string(),
+                isTemporary: z.literal(true),
+                temporaryMode: z.nativeEnum(ProjectUserMembershipTemporaryMode),
+                temporaryRange: z.string().refine((val) => ms(val) > 0, "Temporary range must be a positive number"),
+                temporaryAccessStartTime: z.string().datetime()
               })
             ])
           )
           .min(1)
-          .describe(PROJECT_IDENTITIES.UPDATE_IDENTITY_MEMBERSHIP.roles.description)
+          .describe(PROJECTS.UPDATE_IDENTITY_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({
@@ -173,8 +122,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.projectId),
-        identityId: z.string().trim().describe(PROJECT_IDENTITIES.DELETE_IDENTITY_MEMBERSHIP.identityId)
+        projectId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.projectId),
+        identityId: z.string().trim().describe(PROJECTS.DELETE_IDENTITY_MEMBERSHIP.identityId)
       }),
       response: {
         200: z.object({
@@ -210,7 +159,7 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        projectId: z.string().trim().describe(PROJECT_IDENTITIES.LIST_IDENTITY_MEMBERSHIPS.projectId)
+        projectId: z.string().trim().describe(PROJECTS.LIST_IDENTITY_MEMBERSHIPS.projectId)
       }),
       response: {
         200: z.object({
@@ -251,61 +200,4 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
       return { identityMemberships };
     }
   });
-
-  server.route({
-    method: "GET",
-    url: "/:projectId/identity-memberships/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Return project identity membership",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        projectId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.projectId),
-        identityId: z.string().trim().describe(PROJECT_IDENTITIES.GET_IDENTITY_MEMBERSHIP_BY_ID.identityId)
-      }),
-      response: {
-        200: z.object({
-          identityMembership: z.object({
-            id: z.string(),
-            identityId: z.string(),
-            createdAt: z.date(),
-            updatedAt: z.date(),
-            roles: z.array(
-              z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
-              })
-            ),
-            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
-          })
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityMembership = await server.services.identityProject.getProjectIdentityByIdentityId({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.projectId,
-        identityId: req.params.identityId
-      });
-      return { identityMembership };
-    }
-  });
 };

backend/src/server/routes/v2/project-membership-router.ts

@@ -2,7 +2,7 @@ import { z } from "zod";
 
 import { ProjectMembershipsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECT_USERS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -22,11 +22,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECT_USERS.INVITE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECTS.INVITE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECTS.INVITE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.INVITE_MEMBER.usernames)
       }),
       response: {
         200: z.object({
@@ -77,11 +77,11 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        projectId: z.string().describe(PROJECT_USERS.REMOVE_MEMBER.projectId)
+        projectId: z.string().describe(PROJECTS.REMOVE_MEMBER.projectId)
       }),
       body: z.object({
-        emails: z.string().email().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.emails),
-        usernames: z.string().array().default([]).describe(PROJECT_USERS.REMOVE_MEMBER.usernames)
+        emails: z.string().email().array().default([]).describe(PROJECTS.REMOVE_MEMBER.emails),
+        usernames: z.string().array().default([]).describe(PROJECTS.REMOVE_MEMBER.usernames)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v3/secret-router.ts

@@ -293,7 +293,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       }),
       querystring: z.object({
         workspaceId: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceId),
-        workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.GET.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.GET.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
         version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
@@ -312,7 +311,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const { workspaceSlug } = req.query;
       let { secretPath, environment, workspaceId } = req.query;
       if (req.auth.actor === ActorType.SERVICE) {
         const scope = ServiceTokenScopes.parse(req.auth.serviceToken.scopes);
@@ -324,9 +322,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       }
 
-      if (!environment) throw new BadRequestError({ message: "Missing environment" });
-      if (!workspaceId && !workspaceSlug)
-        throw new BadRequestError({ message: "You must provide workspaceSlug or workspaceId" });
+      if (!workspaceId || !environment) throw new BadRequestError({ message: "Missing workspace id or environment" });
 
       const secret = await server.services.secret.getSecretByNameRaw({
         actorId: req.permission.id,
@@ -335,7 +331,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actorOrgId: req.permission.orgId,
         environment,
         projectId: workspaceId,
-        projectSlug: workspaceSlug,
         path: secretPath,
         secretName: req.params.secretName,
         type: req.query.type,
@@ -344,7 +339,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       });
 
       await server.services.auditLog.createAuditLog({
-        projectId: secret.workspace,
+        projectId: req.query.workspaceId,
         ...req.auditLogInfo,
         event: {
           type: EventType.GET_SECRET,
@@ -363,7 +358,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         distinctId: getTelemetryDistinctId(req),
         properties: {
           numberOfSecrets: 1,
-          workspaceId: secret.workspace,
+          workspaceId,
           environment,
           secretPath: req.query.secretPath,
           channel: getUserAgentType(req.headers["user-agent"]),
@@ -1926,41 +1921,4 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
       return { secrets };
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/backfill-secret-references",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      description: "Backfill secret references",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        projectId: z.string().trim().min(1)
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { projectId } = req.body;
-      const message = await server.services.secret.backfillSecretReferences({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId
-      });
-
-      return message;
-    }
-  });
 };

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { IdentityAuthMethod, TableName, TIdentityAccessTokens } from "@app/db/schemas";
+import { TableName, TIdentityAccessTokens } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 
@@ -15,111 +15,27 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
       const doc = await (tx || db)(TableName.IdentityAccessToken)
         .where(filter)
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
-        .leftJoin(TableName.IdentityUaClientSecret, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
-            `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
-            `${TableName.IdentityUaClientSecret}.id`
-          );
-        })
-        .leftJoin(TableName.IdentityUniversalAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.Univeral])).andOn(
-            `${TableName.IdentityUaClientSecret}.identityUAId`,
-            `${TableName.IdentityUniversalAuth}.id`
-          );
-        })
-        .leftJoin(TableName.IdentityGcpAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.GCP_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityGcpAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityAwsAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AWS_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityAwsAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityAzureAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.AZURE_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityAzureAuth}.identityId`
-          );
-        })
-        .leftJoin(TableName.IdentityKubernetesAuth, (qb) => {
-          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.KUBERNETES_AUTH])).andOn(
-            `${TableName.Identity}.id`,
-            `${TableName.IdentityKubernetesAuth}.identityId`
-          );
-        })
+        .leftJoin(
+          TableName.IdentityUaClientSecret,
+          `${TableName.IdentityAccessToken}.identityUAClientSecretId`,
+          `${TableName.IdentityUaClientSecret}.id`
+        )
+        .leftJoin(
+          TableName.IdentityUniversalAuth,
+          `${TableName.IdentityUaClientSecret}.identityUAId`,
+          `${TableName.IdentityUniversalAuth}.id`
+        )
         .select(selectAllTableCols(TableName.IdentityAccessToken))
         .select(
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityGcpAuth).as("accessTokenTrustedIpsGcp"),
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
-          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth),
           db.ref("name").withSchema(TableName.Identity)
         )
         .first();
-
-      if (!doc) return;
-
-      return {
-        ...doc,
-        accessTokenTrustedIps:
-          doc.accessTokenTrustedIpsUa ||
-          doc.accessTokenTrustedIpsGcp ||
-          doc.accessTokenTrustedIpsAws ||
-          doc.accessTokenTrustedIpsAzure ||
-          doc.accessTokenTrustedIpsK8s
-      };
+      return doc;
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });
     }
   };
 
-  const removeExpiredTokens = async (tx?: Knex) => {
-    try {
-      const docs = (tx || db)(TableName.IdentityAccessToken)
-        .where({
-          isAccessTokenRevoked: true
-        })
-        .orWhere((qb) => {
-          void qb
-            .where("accessTokenNumUsesLimit", ">", 0)
-            .andWhere(
-              "accessTokenNumUses",
-              ">=",
-              db.ref("accessTokenNumUsesLimit").withSchema(TableName.IdentityAccessToken)
-            );
-        })
-        .orWhere((qb) => {
-          void qb.where("accessTokenTTL", ">", 0).andWhere((qb2) => {
-            void qb2
-              .where((qb3) => {
-                void qb3
-                  .whereNotNull("accessTokenLastRenewedAt")
-                  // accessTokenLastRenewedAt + convert_integer_to_seconds(accessTokenTTL) < present_date
-                  .andWhereRaw(
-                    `"${TableName.IdentityAccessToken}"."accessTokenLastRenewedAt" + make_interval(secs => "${TableName.IdentityAccessToken}"."accessTokenTTL") < NOW()`
-                  );
-              })
-              .orWhere((qb3) => {
-                void qb3
-                  .whereNull("accessTokenLastRenewedAt")
-                  // created + convert_integer_to_seconds(accessTokenTTL) < present_date
-                  .andWhereRaw(
-                    `"${TableName.IdentityAccessToken}"."createdAt" + make_interval(secs => "${TableName.IdentityAccessToken}"."accessTokenTTL") < NOW()`
-                  );
-              });
-          });
-        })
-        .delete();
-      return await docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "IdentityAccessTokenPrune" });
-    }
-  };
-
-  return { ...identityAccessTokenOrm, findOne, removeExpiredTokens };
+  return { ...identityAccessTokenOrm, findOne };
 };

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -21,18 +21,17 @@ export const identityAccessTokenServiceFactory = ({
   identityAccessTokenDAL,
   identityOrgMembershipDAL
 }: TIdentityAccessTokenServiceFactoryDep) => {
-  const validateAccessTokenExp = async (identityAccessToken: TIdentityAccessTokens) => {
+  const validateAccessTokenExp = (identityAccessToken: TIdentityAccessTokens) => {
     const {
-      id: tokenId,
       accessTokenTTL,
       accessTokenNumUses,
       accessTokenNumUsesLimit,
       accessTokenLastRenewedAt,
+      accessTokenMaxTTL,
       createdAt: accessTokenCreatedAt
     } = identityAccessToken;
 
     if (accessTokenNumUsesLimit > 0 && accessTokenNumUses > 0 && accessTokenNumUses >= accessTokenNumUsesLimit) {
-      await identityAccessTokenDAL.deleteById(tokenId);
       throw new BadRequestError({
         message: "Unable to renew because access token number of uses limit reached"
       });
@@ -47,26 +46,41 @@ export const identityAccessTokenServiceFactory = ({
         const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenRenewed.getTime() + ttlInMilliseconds);
 
-        if (currentDate > expirationDate) {
-          await identityAccessTokenDAL.deleteById(tokenId);
+        if (currentDate > expirationDate)
           throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
-        }
       } else {
         // access token has never been renewed
         const accessTokenCreated = new Date(accessTokenCreatedAt);
         const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
 
-        if (currentDate > expirationDate) {
-          await identityAccessTokenDAL.deleteById(tokenId);
+        if (currentDate > expirationDate)
           throw new UnauthorizedError({
             message: "Failed to renew MI access token due to TTL expiration"
           });
-        }
       }
     }
+
+    // max ttl checks
+    if (Number(accessTokenMaxTTL) > 0) {
+      const accessTokenCreated = new Date(accessTokenCreatedAt);
+      const ttlInMilliseconds = Number(accessTokenMaxTTL) * 1000;
+      const currentDate = new Date();
+      const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
+
+      if (currentDate > expirationDate)
+        throw new UnauthorizedError({
+          message: "Failed to renew MI access token due to Max TTL expiration"
+        });
+
+      const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL));
+      if (extendToDate > expirationDate)
+        throw new UnauthorizedError({
+          message: "Failed to renew MI access token past its Max TTL expiration"
+        });
+    }
   };
 
   const renewAccessToken = async ({ accessToken }: TRenewAccessTokenDTO) => {
@@ -83,32 +97,7 @@ export const identityAccessTokenServiceFactory = ({
     });
     if (!identityAccessToken) throw new UnauthorizedError();
 
-    await validateAccessTokenExp(identityAccessToken);
-
-    const { accessTokenMaxTTL, createdAt: accessTokenCreatedAt, accessTokenTTL } = identityAccessToken;
-
-    // max ttl checks - will it go above max ttl
-    if (Number(accessTokenMaxTTL) > 0) {
-      const accessTokenCreated = new Date(accessTokenCreatedAt);
-      const ttlInMilliseconds = Number(accessTokenMaxTTL) * 1000;
-      const currentDate = new Date();
-      const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
-
-      if (currentDate > expirationDate) {
-        await identityAccessTokenDAL.deleteById(identityAccessToken.id);
-        throw new UnauthorizedError({
-          message: "Failed to renew MI access token due to Max TTL expiration"
-        });
-      }
-
-      const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL * 1000));
-      if (extendToDate > expirationDate) {
-        await identityAccessTokenDAL.deleteById(identityAccessToken.id);
-        throw new UnauthorizedError({
-          message: "Failed to renew MI access token past its Max TTL expiration"
-        });
-      }
-    }
+    validateAccessTokenExp(identityAccessToken);
 
     const updatedIdentityAccessToken = await identityAccessTokenDAL.updateById(identityAccessToken.id, {
       accessTokenLastRenewedAt: new Date()
@@ -117,24 +106,6 @@ export const identityAccessTokenServiceFactory = ({
     return { accessToken, identityAccessToken: updatedIdentityAccessToken };
   };
 
-  const revokeAccessToken = async (accessToken: string) => {
-    const appCfg = getConfig();
-
-    const decodedToken = jwt.verify(accessToken, appCfg.AUTH_SECRET) as JwtPayload & {
-      identityAccessTokenId: string;
-    };
-    if (decodedToken.authTokenType !== AuthTokenType.IDENTITY_ACCESS_TOKEN) throw new UnauthorizedError();
-
-    const identityAccessToken = await identityAccessTokenDAL.findOne({
-      [`${TableName.IdentityAccessToken}.id` as "id"]: decodedToken.identityAccessTokenId,
-      isAccessTokenRevoked: false
-    });
-    if (!identityAccessToken) throw new UnauthorizedError();
-
-    const revokedToken = await identityAccessTokenDAL.deleteById(identityAccessToken.id);
-    return { revokedToken };
-  };
-
   const fnValidateIdentityAccessToken = async (token: TIdentityAccessTokenJwtPayload, ipAddress?: string) => {
     const identityAccessToken = await identityAccessTokenDAL.findOne({
       [`${TableName.IdentityAccessToken}.id` as "id"]: token.identityAccessTokenId,
@@ -142,7 +113,7 @@ export const identityAccessTokenServiceFactory = ({
     });
     if (!identityAccessToken) throw new UnauthorizedError();
 
-    if (ipAddress && identityAccessToken) {
+    if (ipAddress) {
       checkIPAgainstBlocklist({
         ipAddress,
         trustedIps: identityAccessToken?.accessTokenTrustedIps as TIp[]
@@ -157,16 +128,9 @@ export const identityAccessTokenServiceFactory = ({
       throw new UnauthorizedError({ message: "Identity does not belong to any organization" });
     }
 
-    await validateAccessTokenExp(identityAccessToken);
-
-    await identityAccessTokenDAL.updateById(identityAccessToken.id, {
-      accessTokenLastUsedAt: new Date(),
-      $incr: {
-        accessTokenNumUses: 1
-      }
-    });
+    validateAccessTokenExp(identityAccessToken);
     return { ...identityAccessToken, orgId: identityOrgMembership.orgId };
   };
 
-  return { renewAccessToken, revokeAccessToken, fnValidateIdentityAccessToken };
+  return { renewAccessToken, fnValidateIdentityAccessToken };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityAwsAuthDALFactory = ReturnType<typeof identityAwsAuthDALFactory>;
-
-export const identityAwsAuthDALFactory = (db: TDbClient) => {
-  const awsAuthOrm = ormify(db, TableName.IdentityAwsAuth);
-
-  return awsAuthOrm;
-};

backend/src/services/identity-aws-auth/identity-aws-auth-fns.ts

@@ -1,67 +0,0 @@
-/**
- * Extracts the identity ARN from the GetCallerIdentity response to one of the following formats:
- * - arn:aws:iam::123456789012:user/MyUserName
- * - arn:aws:iam::123456789012:role/MyRoleName
- */
-export const extractPrincipalArn = (arn: string) => {
-  // split the ARN into parts using ":" as the delimiter
-  const fullParts = arn.split(":");
-  if (fullParts.length !== 6) {
-    throw new Error(`Unrecognized ARN: contains ${fullParts.length} colon-separated parts, expected 6`);
-  }
-  const [prefix, partition, service, , accountNumber, resource] = fullParts;
-  if (prefix !== "arn") {
-    throw new Error('Unrecognized ARN: does not begin with "arn:"');
-  }
-
-  // structure to hold the parsed data
-  const entity = {
-    Partition: partition,
-    Service: service,
-    AccountNumber: accountNumber,
-    Type: "",
-    Path: "",
-    FriendlyName: "",
-    SessionInfo: ""
-  };
-
-  // validate the service is either 'iam' or 'sts'
-  if (entity.Service !== "iam" && entity.Service !== "sts") {
-    throw new Error(`Unrecognized service: ${entity.Service}, not one of iam or sts`);
-  }
-
-  // parse the last part of the ARN which describes the resource
-  const parts = resource.split("/");
-  if (parts.length < 2) {
-    throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 2 slash-separated parts`);
-  }
-
-  const [type, ...rest] = parts;
-  entity.Type = type;
-  entity.FriendlyName = parts[parts.length - 1];
-
-  // handle different types of resources
-  switch (entity.Type) {
-    case "assumed-role": {
-      if (rest.length < 2) {
-        throw new Error(`Unrecognized ARN: "${resource}" contains fewer than 3 slash-separated parts`);
-      }
-      // assumed roles use a special format where the friendly name is the role name
-      const [roleName, sessionId] = rest;
-      entity.Type = "role"; // treat assumed role case as role
-      entity.FriendlyName = roleName;
-      entity.SessionInfo = sessionId;
-      break;
-    }
-    case "user":
-    case "role":
-    case "instance-profile":
-      // standard cases: just join back the path if there's any
-      entity.Path = rest.slice(0, -1).join("/");
-      break;
-    default:
-      throw new Error(`Unrecognized principal type: "${entity.Type}"`);
-  }
-
-  return `arn:aws:iam::${entity.AccountNumber}:${entity.Type}/${entity.FriendlyName}`;
-};

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -1,310 +0,0 @@
-/* eslint-disable @typescript-eslint/no-unsafe-assignment */
-import { ForbiddenError } from "@casl/ability";
-import axios from "axios";
-import jwt from "jsonwebtoken";
-
-import { IdentityAuthMethod } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-
-import { AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
-import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
-import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
-import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityAwsAuthDALFactory } from "./identity-aws-auth-dal";
-import { extractPrincipalArn } from "./identity-aws-auth-fns";
-import {
-  TAttachAwsAuthDTO,
-  TAwsGetCallerIdentityHeaders,
-  TGetAwsAuthDTO,
-  TGetCallerIdentityResponse,
-  TLoginAwsAuthDTO,
-  TUpdateAwsAuthDTO
-} from "./identity-aws-auth-types";
-
-type TIdentityAwsAuthServiceFactoryDep = {
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-};
-
-export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
-
-export const identityAwsAuthServiceFactory = ({
-  identityAccessTokenDAL,
-  identityAwsAuthDAL,
-  identityOrgMembershipDAL,
-  identityDAL,
-  licenseService,
-  permissionService
-}: TIdentityAwsAuthServiceFactoryDep) => {
-  const login = async ({ identityId, iamHttpRequestMethod, iamRequestBody, iamRequestHeaders }: TLoginAwsAuthDTO) => {
-    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
-    if (!identityAwsAuth) throw new UnauthorizedError();
-
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAwsAuth.identityId });
-
-    const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
-    const body: string = Buffer.from(iamRequestBody, "base64").toString();
-
-    const {
-      data: {
-        GetCallerIdentityResponse: {
-          GetCallerIdentityResult: { Account, Arn }
-        }
-      }
-    }: { data: TGetCallerIdentityResponse } = await axios({
-      method: iamHttpRequestMethod,
-      url: identityAwsAuth.stsEndpoint,
-      headers,
-      data: body
-    });
-
-    if (identityAwsAuth.allowedAccountIds) {
-      // validate if Account is in the list of allowed Account IDs
-
-      const isAccountAllowed = identityAwsAuth.allowedAccountIds
-        .split(",")
-        .map((accountId) => accountId.trim())
-        .some((accountId) => accountId === Account);
-
-      if (!isAccountAllowed) throw new UnauthorizedError();
-    }
-
-    if (identityAwsAuth.allowedPrincipalArns) {
-      // validate if Arn is in the list of allowed Principal ARNs
-
-      const isArnAllowed = identityAwsAuth.allowedPrincipalArns
-        .split(",")
-        .map((principalArn) => principalArn.trim())
-        .some((principalArn) => {
-          // convert wildcard ARN to a regular expression: "arn:aws:iam::123456789012:*" -> "^arn:aws:iam::123456789012:.*$"
-          // considers exact matches + wildcard matches
-          const regex = new RegExp(`^${principalArn.replace(/\*/g, ".*")}$`);
-          return regex.test(extractPrincipalArn(Arn));
-        });
-
-      if (!isArnAllowed) throw new UnauthorizedError();
-    }
-
-    const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {
-      const newToken = await identityAccessTokenDAL.create(
-        {
-          identityId: identityAwsAuth.identityId,
-          isAccessTokenRevoked: false,
-          accessTokenTTL: identityAwsAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-          accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-        },
-        tx
-      );
-      return newToken;
-    });
-
-    const appCfg = getConfig();
-    const accessToken = jwt.sign(
-      {
-        identityId: identityAwsAuth.identityId,
-        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
-    );
-
-    return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };
-  };
-
-  const attachAwsAuth = async ({
-    identityId,
-    stsEndpoint,
-    allowedPrincipalArns,
-    allowedAccountIds,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TAttachAwsAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity.authMethod)
-      throw new BadRequestError({
-        message: "Failed to add AWS Auth to already configured identity"
-      });
-
-    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const identityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
-      const doc = await identityAwsAuthDAL.create(
-        {
-          identityId: identityMembershipOrg.identityId,
-          type: "iam",
-          stsEndpoint,
-          allowedPrincipalArns,
-          allowedAccountIds,
-          accessTokenMaxTTL,
-          accessTokenTTL,
-          accessTokenNumUsesLimit,
-          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
-        },
-        tx
-      );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.AWS_AUTH
-        },
-        tx
-      );
-      return doc;
-    });
-    return { ...identityAwsAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  const updateAwsAuth = async ({
-    identityId,
-    stsEndpoint,
-    allowedPrincipalArns,
-    allowedAccountIds,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TUpdateAwsAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
-      throw new BadRequestError({
-        message: "Failed to update AWS Auth"
-      });
-
-    const identityAwsAuth = await identityAwsAuthDAL.findOne({ identityId });
-
-    if (
-      (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityAwsAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityAwsAuth.accessTokenMaxTTL)
-    ) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const updatedAwsAuth = await identityAwsAuthDAL.updateById(identityAwsAuth.id, {
-      stsEndpoint,
-      allowedPrincipalArns,
-      allowedAccountIds,
-      accessTokenMaxTTL,
-      accessTokenTTL,
-      accessTokenNumUsesLimit,
-      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
-        ? JSON.stringify(reformattedAccessTokenTrustedIps)
-        : undefined
-    });
-
-    return { ...updatedAwsAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  const getAwsAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAwsAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
-      throw new BadRequestError({
-        message: "The identity does not have AWS Auth attached"
-      });
-
-    const awsIdentityAuth = await identityAwsAuthDAL.findOne({ identityId });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  return {
-    login,
-    attachAwsAuth,
-    updateAwsAuth,
-    getAwsAuth
-  };
-};

backend/src/services/identity-aws-auth/identity-aws-auth-types.ts

@@ -1,54 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export type TLoginAwsAuthDTO = {
-  identityId: string;
-  iamHttpRequestMethod: string;
-  iamRequestBody: string;
-  iamRequestHeaders: string;
-};
-
-export type TAttachAwsAuthDTO = {
-  identityId: string;
-  stsEndpoint: string;
-  allowedPrincipalArns: string;
-  allowedAccountIds: string;
-  accessTokenTTL: number;
-  accessTokenMaxTTL: number;
-  accessTokenNumUsesLimit: number;
-  accessTokenTrustedIps: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateAwsAuthDTO = {
-  identityId: string;
-  stsEndpoint?: string;
-  allowedPrincipalArns?: string;
-  allowedAccountIds?: string;
-  accessTokenTTL?: number;
-  accessTokenMaxTTL?: number;
-  accessTokenNumUsesLimit?: number;
-  accessTokenTrustedIps?: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetAwsAuthDTO = {
-  identityId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TAwsGetCallerIdentityHeaders = {
-  "Content-Type": string;
-  Host: string;
-  "X-Amz-Date": string;
-  "Content-Length": number;
-  "x-amz-security-token": string;
-  Authorization: string;
-};
-
-export type TGetCallerIdentityResponse = {
-  GetCallerIdentityResponse: {
-    GetCallerIdentityResult: {
-      Account: string;
-      Arn: string;
-      UserId: string;
-    };
-    ResponseMetadata: { RequestId: string };
-  };
-};

backend/src/services/identity-aws-auth/identity-aws-auth-validators.ts

@@ -1,58 +0,0 @@
-import { z } from "zod";
-
-const twelveDigitRegex = /^\d{12}$/;
-const arnRegex = /^arn:aws:iam::\d{12}:(user\/[\w-]+|role\/[\w-]+|\*)$/;
-
-export const validateAccountIds = z
-  .string()
-  .trim()
-  .default("")
-  // Custom validation to ensure each part is a 12-digit number
-  .refine(
-    (data) => {
-      if (data === "") return true;
-      // Split the string by commas to check each supposed number
-      const accountIds = data.split(",").map((id) => id.trim());
-      // Return true only if every item matches the 12-digit requirement
-      return accountIds.every((id) => twelveDigitRegex.test(id));
-    },
-    {
-      message: "Each account ID must be a 12-digit number."
-    }
-  )
-  // Transform the string to normalize space after commas
-  .transform((data) => {
-    if (data === "") return "";
-    // Trim each ID and join with ', ' to ensure formatting
-    return data
-      .split(",")
-      .map((id) => id.trim())
-      .join(", ");
-  });
-
-export const validatePrincipalArns = z
-  .string()
-  .trim()
-  .default("")
-  // Custom validation for ARN format
-  .refine(
-    (data) => {
-      // Skip validation if the string is empty
-      if (data === "") return true;
-      // Split the string by commas to check each supposed ARN
-      const arns = data.split(",");
-      // Return true only if every item matches one of the allowed ARN formats
-      return arns.every((arn) => arnRegex.test(arn.trim()));
-    },
-    {
-      message:
-        "Each ARN must be in the format of 'arn:aws:iam::123456789012:user/UserName', 'arn:aws:iam::123456789012:role/RoleName', or 'arn:aws:iam::123456789012:*'."
-    }
-  )
-  // Transform to normalize the spaces around commas
-  .transform((data) =>
-    data
-      .split(",")
-      .map((arn) => arn.trim())
-      .join(", ")
-  );

backend/src/services/identity-azure-auth/identity-azure-auth-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityAzureAuthDALFactory = ReturnType<typeof identityAzureAuthDALFactory>;
-
-export const identityAzureAuthDALFactory = (db: TDbClient) => {
-  const azureAuthOrm = ormify(db, TableName.IdentityAzureAuth);
-  return azureAuthOrm;
-};

backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts

@@ -1,34 +0,0 @@
-import axios from "axios";
-import jwt from "jsonwebtoken";
-
-import { UnauthorizedError } from "@app/lib/errors";
-
-import { TAzureAuthJwtPayload, TAzureJwksUriResponse, TDecodedAzureAuthJwt } from "./identity-azure-auth-types";
-
-export const validateAzureIdentity = async ({
-  tenantId,
-  resource,
-  jwt: azureJwt
-}: {
-  tenantId: string;
-  resource: string;
-  jwt: string;
-}) => {
-  const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/keys`;
-
-  const decodedJwt = jwt.decode(azureJwt, { complete: true }) as TDecodedAzureAuthJwt;
-  const { kid } = decodedJwt.header;
-
-  const { data }: { data: TAzureJwksUriResponse } = await axios.get(jwksUri);
-  const signingKeys = data.keys;
-
-  const signingKey = signingKeys.find((key) => key.kid === kid);
-  if (!signingKey) throw new UnauthorizedError();
-
-  const publicKey = `-----BEGIN CERTIFICATE-----\n${signingKey.x5c[0]}\n-----END CERTIFICATE-----`;
-
-  return jwt.verify(azureJwt, publicKey, {
-    audience: resource,
-    issuer: `https://sts.windows.net/${tenantId}/`
-  }) as TAzureAuthJwtPayload;
-};

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -1,286 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
-
-import { IdentityAuthMethod } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-
-import { AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
-import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
-import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
-import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityAzureAuthDALFactory } from "./identity-azure-auth-dal";
-import { validateAzureIdentity } from "./identity-azure-auth-fns";
-import {
-  TAttachAzureAuthDTO,
-  TGetAzureAuthDTO,
-  TLoginAzureAuthDTO,
-  TUpdateAzureAuthDTO
-} from "./identity-azure-auth-types";
-
-type TIdentityAzureAuthServiceFactoryDep = {
-  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-};
-
-export type TIdentityAzureAuthServiceFactory = ReturnType<typeof identityAzureAuthServiceFactory>;
-
-export const identityAzureAuthServiceFactory = ({
-  identityAzureAuthDAL,
-  identityOrgMembershipDAL,
-  identityAccessTokenDAL,
-  identityDAL,
-  permissionService,
-  licenseService
-}: TIdentityAzureAuthServiceFactoryDep) => {
-  const login = async ({ identityId, jwt: azureJwt }: TLoginAzureAuthDTO) => {
-    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
-    if (!identityAzureAuth) throw new UnauthorizedError();
-
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityAzureAuth.identityId });
-    if (!identityMembershipOrg) throw new UnauthorizedError();
-
-    const azureIdentity = await validateAzureIdentity({
-      tenantId: identityAzureAuth.tenantId,
-      resource: identityAzureAuth.resource,
-      jwt: azureJwt
-    });
-
-    if (azureIdentity.tid !== identityAzureAuth.tenantId) throw new UnauthorizedError();
-
-    if (identityAzureAuth.allowedServicePrincipalIds) {
-      // validate if the service principal id is in the list of allowed service principal ids
-
-      const isServicePrincipalAllowed = identityAzureAuth.allowedServicePrincipalIds
-        .split(",")
-        .map((servicePrincipalId) => servicePrincipalId.trim())
-        .some((servicePrincipalId) => servicePrincipalId === azureIdentity.oid);
-
-      if (!isServicePrincipalAllowed) throw new UnauthorizedError();
-    }
-
-    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
-      const newToken = await identityAccessTokenDAL.create(
-        {
-          identityId: identityAzureAuth.identityId,
-          isAccessTokenRevoked: false,
-          accessTokenTTL: identityAzureAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityAzureAuth.accessTokenMaxTTL,
-          accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityAzureAuth.accessTokenNumUsesLimit
-        },
-        tx
-      );
-      return newToken;
-    });
-
-    const appCfg = getConfig();
-    const accessToken = jwt.sign(
-      {
-        identityId: identityAzureAuth.identityId,
-        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
-    );
-
-    return { accessToken, identityAzureAuth, identityAccessToken, identityMembershipOrg };
-  };
-
-  const attachAzureAuth = async ({
-    identityId,
-    tenantId,
-    resource,
-    allowedServicePrincipalIds,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TAttachAzureAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity.authMethod)
-      throw new BadRequestError({
-        message: "Failed to add Azure Auth to already configured identity"
-      });
-
-    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const identityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
-      const doc = await identityAzureAuthDAL.create(
-        {
-          identityId: identityMembershipOrg.identityId,
-          tenantId,
-          resource,
-          allowedServicePrincipalIds,
-          accessTokenMaxTTL,
-          accessTokenTTL,
-          accessTokenNumUsesLimit,
-          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
-        },
-        tx
-      );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.AZURE_AUTH
-        },
-        tx
-      );
-      return doc;
-    });
-    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  const updateAzureAuth = async ({
-    identityId,
-    tenantId,
-    resource,
-    allowedServicePrincipalIds,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TUpdateAzureAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
-      throw new BadRequestError({
-        message: "Failed to update Azure Auth"
-      });
-
-    const identityGcpAuth = await identityAzureAuthDAL.findOne({ identityId });
-
-    if (
-      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
-    ) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const updatedAzureAuth = await identityAzureAuthDAL.updateById(identityGcpAuth.id, {
-      tenantId,
-      resource,
-      allowedServicePrincipalIds,
-      accessTokenMaxTTL,
-      accessTokenTTL,
-      accessTokenNumUsesLimit,
-      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
-        ? JSON.stringify(reformattedAccessTokenTrustedIps)
-        : undefined
-    });
-
-    return {
-      ...updatedAzureAuth,
-      orgId: identityMembershipOrg.orgId
-    };
-  };
-
-  const getAzureAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetAzureAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
-      throw new BadRequestError({
-        message: "The identity does not have Azure Auth attached"
-      });
-
-    const identityAzureAuth = await identityAzureAuthDAL.findOne({ identityId });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-
-    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  return {
-    login,
-    attachAzureAuth,
-    updateAzureAuth,
-    getAzureAuth
-  };
-};

backend/src/services/identity-azure-auth/identity-azure-auth-types.ts

@@ -1,120 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export type TLoginAzureAuthDTO = {
-  identityId: string;
-  jwt: string;
-};
-
-export type TAttachAzureAuthDTO = {
-  identityId: string;
-  tenantId: string;
-  resource: string;
-  allowedServicePrincipalIds: string;
-  accessTokenTTL: number;
-  accessTokenMaxTTL: number;
-  accessTokenNumUsesLimit: number;
-  accessTokenTrustedIps: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateAzureAuthDTO = {
-  identityId: string;
-  tenantId?: string;
-  resource?: string;
-  allowedServicePrincipalIds?: string;
-  accessTokenTTL?: number;
-  accessTokenMaxTTL?: number;
-  accessTokenNumUsesLimit?: number;
-  accessTokenTrustedIps?: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetAzureAuthDTO = {
-  identityId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TAzureJwksUriResponse = {
-  keys: {
-    kty: string;
-    use: string;
-    kid: string;
-    x5t: string;
-    n: string;
-    e: string;
-    x5c: string[];
-  }[];
-};
-
-type TUserPayload = {
-  aud: string;
-  iss: string;
-  iat: number;
-  nbf: number;
-  exp: number;
-  acr: string;
-  aio: string;
-  amr: string[];
-  appid: string;
-  appidacr: string;
-  family_name: string;
-  given_name: string;
-  groups: string[];
-  idtyp: string;
-  ipaddr: string;
-  name: string;
-  oid: string;
-  puid: string;
-  rh: string;
-  scp: string;
-  sub: string;
-  tid: string;
-  unique_name: string;
-  upn: string;
-  uti: string;
-  ver: string;
-  wids: string[];
-  xms_cae: string;
-  xms_cc: string[];
-  xms_filter_index: string[];
-  xms_rd: string;
-  xms_ssm: string;
-  xms_tcdt: number;
-};
-
-type TAppPayload = {
-  aud: string;
-  iss: string;
-  iat: number;
-  nbf: number;
-  exp: number;
-  aio: string;
-  appid: string;
-  appidacr: string;
-  idp: string;
-  idtyp: string;
-  oid: string; // service principal id
-  rh: string;
-  sub: string;
-  tid: string;
-  uti: string;
-  ver: string;
-  xms_cae: string;
-  xms_cc: string[];
-  xms_rd: string;
-  xms_ssm: string;
-  xms_tcdt: number;
-};
-
-export type TAzureAuthJwtPayload = TUserPayload | TAppPayload;
-
-export type TDecodedAzureAuthJwt = {
-  header: {
-    type: string;
-    alg: string;
-    x5t: string;
-    kid: string;
-  };
-  payload: TAzureAuthJwtPayload;
-  signature: string;
-  metadata: {
-    [key: string]: string;
-  };
-};

backend/src/services/identity-azure-auth/identity-azure-auth-validators.ts

@@ -1,14 +0,0 @@
-import { z } from "zod";
-
-export const validateAzureAuthField = z
-  .string()
-  .trim()
-  .default("")
-  .transform((data) => {
-    if (data === "") return "";
-    // Trim each ID and join with ', ' to ensure formatting
-    return data
-      .split(",")
-      .map((id) => id.trim())
-      .join(", ");
-  });

backend/src/services/identity-gcp-auth/identity-gcp-auth-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityGcpAuthDALFactory = ReturnType<typeof identityGcpAuthDALFactory>;
-
-export const identityGcpAuthDALFactory = (db: TDbClient) => {
-  const gcpAuthOrm = ormify(db, TableName.IdentityGcpAuth);
-  return gcpAuthOrm;
-};

backend/src/services/identity-gcp-auth/identity-gcp-auth-fns.ts

@@ -1,70 +0,0 @@
-import axios from "axios";
-import { OAuth2Client } from "google-auth-library";
-import jwt from "jsonwebtoken";
-
-import { UnauthorizedError } from "@app/lib/errors";
-
-import { TDecodedGcpIamAuthJwt, TGcpIdTokenPayload } from "./identity-gcp-auth-types";
-
-/**
- * Validates that the identity token [jwt] sent in from a client GCE instance as part of GCP ID Token authentication
- * is valid.
- * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
- * @param {string} jwt - The identity token to validate.
- * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
- */
-export const validateIdTokenIdentity = async ({
-  identityId,
-  jwt: identityToken
-}: {
-  identityId: string;
-  jwt: string;
-}) => {
-  const oAuth2Client = new OAuth2Client();
-  const response = await oAuth2Client.getFederatedSignonCerts();
-  const ticket = await oAuth2Client.verifySignedJwtWithCertsAsync(
-    identityToken,
-    response.certs,
-    identityId, // audience
-    ["https://accounts.google.com"]
-  );
-  const payload = ticket.getPayload() as TGcpIdTokenPayload;
-  if (!payload || !payload.email) throw new UnauthorizedError();
-
-  return { email: payload.email, computeEngineDetails: payload.google?.compute_engine };
-};
-
-/**
- * Validates that the signed JWT token for a GCP service account is valid as part of GCP IAM authentication.
- * @param {string} identityId - The ID of the identity in Infisical that is being authenticated against (used as audience).
- * @param {string} jwt - The signed JWT token to validate.
- * @param {string} credentials - The credentials in the GCP Auth configuration for Infisical.
- * @returns
- */
-export const validateIamIdentity = async ({
-  identityId,
-  jwt: serviceAccountJwt
-}: {
-  identityId: string;
-  jwt: string;
-}) => {
-  const decodedJwt = jwt.decode(serviceAccountJwt, { complete: true }) as TDecodedGcpIamAuthJwt;
-  const { sub, aud } = decodedJwt.payload;
-
-  const {
-    data
-  }: {
-    data: {
-      [key: string]: string;
-    };
-  } = await axios.get(`https://www.googleapis.com/service_accounts/v1/metadata/x509/${sub}`);
-
-  const publicKey = data[decodedJwt.header.kid];
-
-  jwt.verify(serviceAccountJwt, publicKey, {
-    algorithms: ["RS256"]
-  });
-
-  if (aud !== identityId) throw new UnauthorizedError();
-  return { email: sub };
-};

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -1,324 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
-
-import { IdentityAuthMethod } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-
-import { AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
-import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
-import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
-import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityGcpAuthDALFactory } from "./identity-gcp-auth-dal";
-import { validateIamIdentity, validateIdTokenIdentity } from "./identity-gcp-auth-fns";
-import {
-  TAttachGcpAuthDTO,
-  TGcpIdentityDetails,
-  TGetGcpAuthDTO,
-  TLoginGcpAuthDTO,
-  TUpdateGcpAuthDTO
-} from "./identity-gcp-auth-types";
-
-type TIdentityGcpAuthServiceFactoryDep = {
-  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-};
-
-export type TIdentityGcpAuthServiceFactory = ReturnType<typeof identityGcpAuthServiceFactory>;
-
-export const identityGcpAuthServiceFactory = ({
-  identityGcpAuthDAL,
-  identityOrgMembershipDAL,
-  identityAccessTokenDAL,
-  identityDAL,
-  permissionService,
-  licenseService
-}: TIdentityGcpAuthServiceFactoryDep) => {
-  const login = async ({ identityId, jwt: gcpJwt }: TLoginGcpAuthDTO) => {
-    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
-    if (!identityGcpAuth) throw new UnauthorizedError();
-
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityGcpAuth.identityId });
-    if (!identityMembershipOrg) throw new UnauthorizedError();
-
-    let gcpIdentityDetails: TGcpIdentityDetails;
-    switch (identityGcpAuth.type) {
-      case "gce": {
-        gcpIdentityDetails = await validateIdTokenIdentity({
-          identityId,
-          jwt: gcpJwt
-        });
-        break;
-      }
-      case "iam": {
-        gcpIdentityDetails = await validateIamIdentity({
-          identityId,
-          jwt: gcpJwt
-        });
-        break;
-      }
-      default: {
-        throw new BadRequestError({ message: "Invalid GCP Auth type" });
-      }
-    }
-
-    if (identityGcpAuth.allowedServiceAccounts) {
-      // validate if the service account is in the list of allowed service accounts
-
-      const isServiceAccountAllowed = identityGcpAuth.allowedServiceAccounts
-        .split(",")
-        .map((serviceAccount) => serviceAccount.trim())
-        .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
-
-      if (!isServiceAccountAllowed) throw new UnauthorizedError();
-    }
-
-    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
-      // validate if the project that the service account belongs to is in the list of allowed projects
-
-      const isProjectAllowed = identityGcpAuth.allowedProjects
-        .split(",")
-        .map((project) => project.trim())
-        .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
-
-      if (!isProjectAllowed) throw new UnauthorizedError();
-    }
-
-    if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
-      const isZoneAllowed = identityGcpAuth.allowedZones
-        .split(",")
-        .map((zone) => zone.trim())
-        .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
-
-      if (!isZoneAllowed) throw new UnauthorizedError();
-    }
-
-    const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {
-      const newToken = await identityAccessTokenDAL.create(
-        {
-          identityId: identityGcpAuth.identityId,
-          isAccessTokenRevoked: false,
-          accessTokenTTL: identityGcpAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-          accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-        },
-        tx
-      );
-      return newToken;
-    });
-
-    const appCfg = getConfig();
-    const accessToken = jwt.sign(
-      {
-        identityId: identityGcpAuth.identityId,
-        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
-    );
-
-    return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };
-  };
-
-  const attachGcpAuth = async ({
-    identityId,
-    type,
-    allowedServiceAccounts,
-    allowedProjects,
-    allowedZones,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TAttachGcpAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity.authMethod)
-      throw new BadRequestError({
-        message: "Failed to add GCP Auth to already configured identity"
-      });
-
-    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const identityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
-      const doc = await identityGcpAuthDAL.create(
-        {
-          identityId: identityMembershipOrg.identityId,
-          type,
-          allowedServiceAccounts,
-          allowedProjects,
-          allowedZones,
-          accessTokenMaxTTL,
-          accessTokenTTL,
-          accessTokenNumUsesLimit,
-          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
-        },
-        tx
-      );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.GCP_AUTH
-        },
-        tx
-      );
-      return doc;
-    });
-    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  const updateGcpAuth = async ({
-    identityId,
-    type,
-    allowedServiceAccounts,
-    allowedProjects,
-    allowedZones,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TUpdateGcpAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
-      throw new BadRequestError({
-        message: "Failed to update GCP Auth"
-      });
-
-    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
-
-    if (
-      (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityGcpAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityGcpAuth.accessTokenMaxTTL)
-    ) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const updatedGcpAuth = await identityGcpAuthDAL.updateById(identityGcpAuth.id, {
-      type,
-      allowedServiceAccounts,
-      allowedProjects,
-      allowedZones,
-      accessTokenMaxTTL,
-      accessTokenTTL,
-      accessTokenNumUsesLimit,
-      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
-        ? JSON.stringify(reformattedAccessTokenTrustedIps)
-        : undefined
-    });
-
-    return {
-      ...updatedGcpAuth,
-      orgId: identityMembershipOrg.orgId
-    };
-  };
-
-  const getGcpAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetGcpAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
-      throw new BadRequestError({
-        message: "The identity does not have GCP Auth attached"
-      });
-
-    const identityGcpAuth = await identityGcpAuthDAL.findOne({ identityId });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-
-    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  return {
-    login,
-    attachGcpAuth,
-    updateGcpAuth,
-    getGcpAuth
-  };
-};

backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts

@@ -1,78 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export type TLoginGcpAuthDTO = {
-  identityId: string;
-  jwt: string;
-};
-
-export type TAttachGcpAuthDTO = {
-  identityId: string;
-  type: "iam" | "gce";
-  allowedServiceAccounts: string;
-  allowedProjects: string;
-  allowedZones: string;
-  accessTokenTTL: number;
-  accessTokenMaxTTL: number;
-  accessTokenNumUsesLimit: number;
-  accessTokenTrustedIps: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateGcpAuthDTO = {
-  identityId: string;
-  type?: "iam" | "gce";
-  allowedServiceAccounts?: string;
-  allowedProjects?: string;
-  allowedZones?: string;
-  accessTokenTTL?: number;
-  accessTokenMaxTTL?: number;
-  accessTokenNumUsesLimit?: number;
-  accessTokenTrustedIps?: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetGcpAuthDTO = {
-  identityId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-type TComputeEngineDetails = {
-  instance_creation_timestamp: number;
-  instance_id: string;
-  instance_name: string;
-  project_id: string;
-  project_number: number;
-  zone: string;
-};
-
-export type TGcpIdentityDetails = {
-  email: string;
-  computeEngineDetails?: TComputeEngineDetails;
-};
-
-export type TGcpIdTokenPayload = {
-  aud: string;
-  azp: string;
-  email: string;
-  email_verified: boolean;
-  exp: number;
-  google?: {
-    compute_engine: TComputeEngineDetails;
-  };
-  iat: number;
-  iss: string;
-  sub: string;
-};
-
-export type TDecodedGcpIamAuthJwt = {
-  header: {
-    alg: string;
-    kid: string;
-    typ: string;
-  };
-  payload: {
-    sub: string;
-    aud: string;
-  };
-  signature: string;
-  metadata: {
-    [key: string]: string;
-  };
-};

backend/src/services/identity-gcp-auth/identity-gcp-auth-validators.ts

@@ -1,14 +0,0 @@
-import { z } from "zod";
-
-export const validateGcpAuthField = z
-  .string()
-  .trim()
-  .default("")
-  .transform((data) => {
-    if (data === "") return "";
-    // Trim each ID and join with ', ' to ensure formatting
-    return data
-      .split(",")
-      .map((id) => id.trim())
-      .join(", ");
-  });

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TIdentityKubernetesAuthDALFactory = ReturnType<typeof identityKubernetesAuthDALFactory>;
-
-export const identityKubernetesAuthDALFactory = (db: TDbClient) => {
-  const kubernetesAuthOrm = ormify(db, TableName.IdentityKubernetesAuth);
-  return kubernetesAuthOrm;
-};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-fns.ts

@@ -1,15 +0,0 @@
-/**
- * Extracts the K8s service account name and namespace
- * from the username in this format: system:serviceaccount:default:infisical-auth
- */
-export const extractK8sUsername = (username: string) => {
-  const parts = username.split(":");
-  // Ensure that the username format is correct
-  if (parts.length === 4 && parts[0] === "system" && parts[1] === "serviceaccount") {
-    return {
-      namespace: parts[2],
-      name: parts[3]
-    };
-  }
-  throw new Error("Invalid username format");
-};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -1,515 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import axios from "axios";
-import https from "https";
-import jwt from "jsonwebtoken";
-
-import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { getConfig } from "@app/lib/config/env";
-import {
-  decryptSymmetric,
-  encryptSymmetric,
-  generateAsymmetricKeyPair,
-  generateSymmetricKey,
-  infisicalSymmetricDecrypt,
-  infisicalSymmetricEncypt
-} from "@app/lib/crypto/encryption";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
-import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
-
-import { AuthTokenType } from "../auth/auth-type";
-import { TIdentityDALFactory } from "../identity/identity-dal";
-import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
-import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
-import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
-import { TIdentityKubernetesAuthDALFactory } from "./identity-kubernetes-auth-dal";
-import { extractK8sUsername } from "./identity-kubernetes-auth-fns";
-import {
-  TAttachKubernetesAuthDTO,
-  TCreateTokenReviewResponse,
-  TGetKubernetesAuthDTO,
-  TLoginKubernetesAuthDTO,
-  TUpdateKubernetesAuthDTO
-} from "./identity-kubernetes-auth-types";
-
-type TIdentityKubernetesAuthServiceFactoryDep = {
-  identityKubernetesAuthDAL: Pick<
-    TIdentityKubernetesAuthDALFactory,
-    "create" | "findOne" | "transaction" | "updateById"
-  >;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
-  identityDAL: Pick<TIdentityDALFactory, "updateById">;
-  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-};
-
-export type TIdentityKubernetesAuthServiceFactory = ReturnType<typeof identityKubernetesAuthServiceFactory>;
-
-export const identityKubernetesAuthServiceFactory = ({
-  identityKubernetesAuthDAL,
-  identityOrgMembershipDAL,
-  identityAccessTokenDAL,
-  identityDAL,
-  orgBotDAL,
-  permissionService,
-  licenseService
-}: TIdentityKubernetesAuthServiceFactoryDep) => {
-  const login = async ({ identityId, jwt: serviceAccountJwt }: TLoginKubernetesAuthDTO) => {
-    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
-    if (!identityKubernetesAuth) throw new UnauthorizedError();
-
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
-      identityId: identityKubernetesAuth.identityId
-    });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-
-    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
-      identityKubernetesAuth;
-
-    let caCert = "";
-    if (encryptedCaCert && caCertIV && caCertTag) {
-      caCert = decryptSymmetric({
-        ciphertext: encryptedCaCert,
-        iv: caCertIV,
-        tag: caCertTag,
-        key
-      });
-    }
-
-    let tokenReviewerJwt = "";
-    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
-      tokenReviewerJwt = decryptSymmetric({
-        ciphertext: encryptedTokenReviewerJwt,
-        iv: tokenReviewerJwtIV,
-        tag: tokenReviewerJwtTag,
-        key
-      });
-    }
-
-    const { data }: { data: TCreateTokenReviewResponse } = await axios.post(
-      `${identityKubernetesAuth.kubernetesHost}/apis/authentication.k8s.io/v1/tokenreviews`,
-      {
-        apiVersion: "authentication.k8s.io/v1",
-        kind: "TokenReview",
-        spec: {
-          token: serviceAccountJwt
-        }
-      },
-      {
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${tokenReviewerJwt}`
-        },
-        httpsAgent: new https.Agent({
-          ca: caCert,
-          rejectUnauthorized: !!caCert
-        })
-      }
-    );
-
-    if ("error" in data.status) throw new UnauthorizedError({ message: data.status.error });
-
-    // check the response to determine if the token is valid
-    if (!(data.status && data.status.authenticated)) throw new UnauthorizedError();
-
-    const { namespace: targetNamespace, name: targetName } = extractK8sUsername(data.status.user.username);
-
-    if (identityKubernetesAuth.allowedNamespaces) {
-      // validate if [targetNamespace] is in the list of allowed namespaces
-
-      const isNamespaceAllowed = identityKubernetesAuth.allowedNamespaces
-        .split(",")
-        .map((namespace) => namespace.trim())
-        .some((namespace) => namespace === targetNamespace);
-
-      if (!isNamespaceAllowed) throw new UnauthorizedError();
-    }
-
-    if (identityKubernetesAuth.allowedNames) {
-      // validate if [targetName] is in the list of allowed names
-
-      const isNameAllowed = identityKubernetesAuth.allowedNames
-        .split(",")
-        .map((name) => name.trim())
-        .some((name) => name === targetName);
-
-      if (!isNameAllowed) throw new UnauthorizedError();
-    }
-
-    if (identityKubernetesAuth.allowedAudience) {
-      // validate if [audience] is in the list of allowed audiences
-      const isAudienceAllowed = data.status.audiences.some(
-        (audience) => audience === identityKubernetesAuth.allowedAudience
-      );
-
-      if (!isAudienceAllowed) throw new UnauthorizedError();
-    }
-
-    const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {
-      const newToken = await identityAccessTokenDAL.create(
-        {
-          identityId: identityKubernetesAuth.identityId,
-          isAccessTokenRevoked: false,
-          accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-          accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-          accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-        },
-        tx
-      );
-      return newToken;
-    });
-
-    const appCfg = getConfig();
-    const accessToken = jwt.sign(
-      {
-        identityId: identityKubernetesAuth.identityId,
-        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
-    );
-
-    return { accessToken, identityKubernetesAuth, identityAccessToken, identityMembershipOrg };
-  };
-
-  const attachKubernetesAuth = async ({
-    identityId,
-    kubernetesHost,
-    caCert,
-    tokenReviewerJwt,
-    allowedNamespaces,
-    allowedNames,
-    allowedAudience,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TAttachKubernetesAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity.authMethod)
-      throw new BadRequestError({
-        message: "Failed to add Kubernetes Auth to already configured identity"
-      });
-
-    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const orgBot = await orgBotDAL.transaction(async (tx) => {
-      const doc = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId }, tx);
-      if (doc) return doc;
-
-      const { privateKey, publicKey } = generateAsymmetricKeyPair();
-      const key = generateSymmetricKey();
-      const {
-        ciphertext: encryptedPrivateKey,
-        iv: privateKeyIV,
-        tag: privateKeyTag,
-        encoding: privateKeyKeyEncoding,
-        algorithm: privateKeyAlgorithm
-      } = infisicalSymmetricEncypt(privateKey);
-      const {
-        ciphertext: encryptedSymmetricKey,
-        iv: symmetricKeyIV,
-        tag: symmetricKeyTag,
-        encoding: symmetricKeyKeyEncoding,
-        algorithm: symmetricKeyAlgorithm
-      } = infisicalSymmetricEncypt(key);
-
-      return orgBotDAL.create(
-        {
-          name: "Infisical org bot",
-          publicKey,
-          privateKeyIV,
-          encryptedPrivateKey,
-          symmetricKeyIV,
-          symmetricKeyTag,
-          encryptedSymmetricKey,
-          symmetricKeyAlgorithm,
-          orgId: identityMembershipOrg.orgId,
-          privateKeyTag,
-          privateKeyAlgorithm,
-          privateKeyKeyEncoding,
-          symmetricKeyKeyEncoding
-        },
-        tx
-      );
-    });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const { ciphertext: encryptedCaCert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
-    const {
-      ciphertext: encryptedTokenReviewerJwt,
-      iv: tokenReviewerJwtIV,
-      tag: tokenReviewerJwtTag
-    } = encryptSymmetric(tokenReviewerJwt, key);
-
-    const identityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
-      const doc = await identityKubernetesAuthDAL.create(
-        {
-          identityId: identityMembershipOrg.identityId,
-          kubernetesHost,
-          encryptedCaCert,
-          caCertIV,
-          caCertTag,
-          encryptedTokenReviewerJwt,
-          tokenReviewerJwtIV,
-          tokenReviewerJwtTag,
-          allowedNamespaces,
-          allowedNames,
-          allowedAudience,
-          accessTokenMaxTTL,
-          accessTokenTTL,
-          accessTokenNumUsesLimit,
-          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
-        },
-        tx
-      );
-      await identityDAL.updateById(
-        identityMembershipOrg.identityId,
-        {
-          authMethod: IdentityAuthMethod.KUBERNETES_AUTH
-        },
-        tx
-      );
-      return doc;
-    });
-
-    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
-  };
-
-  const updateKubernetesAuth = async ({
-    identityId,
-    kubernetesHost,
-    caCert,
-    tokenReviewerJwt,
-    allowedNamespaces,
-    allowedNames,
-    allowedAudience,
-    accessTokenTTL,
-    accessTokenMaxTTL,
-    accessTokenNumUsesLimit,
-    accessTokenTrustedIps,
-    actorId,
-    actorAuthMethod,
-    actor,
-    actorOrgId
-  }: TUpdateKubernetesAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
-      throw new BadRequestError({
-        message: "Failed to update Kubernetes Auth"
-      });
-
-    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
-
-    if (
-      (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL) > 0 &&
-      (accessTokenTTL || identityKubernetesAuth.accessTokenMaxTTL) >
-        (accessTokenMaxTTL || identityKubernetesAuth.accessTokenMaxTTL)
-    ) {
-      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
-    }
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
-
-    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
-    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
-      if (
-        !plan.ipAllowlisting &&
-        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
-        accessTokenTrustedIp.ipAddress !== "::/0"
-      )
-        throw new BadRequestError({
-          message:
-            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
-        });
-      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
-        throw new BadRequestError({
-          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
-        });
-      return extractIPDetails(accessTokenTrustedIp.ipAddress);
-    });
-
-    const updateQuery: TIdentityKubernetesAuthsUpdate = {
-      kubernetesHost,
-      allowedNamespaces,
-      allowedNames,
-      allowedAudience,
-      accessTokenMaxTTL,
-      accessTokenTTL,
-      accessTokenNumUsesLimit,
-      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
-        ? JSON.stringify(reformattedAccessTokenTrustedIps)
-        : undefined
-    };
-
-    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    if (caCert !== undefined) {
-      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
-      updateQuery.encryptedCaCert = encryptedCACert;
-      updateQuery.caCertIV = caCertIV;
-      updateQuery.caCertTag = caCertTag;
-    }
-
-    if (tokenReviewerJwt !== undefined) {
-      const {
-        ciphertext: encryptedTokenReviewerJwt,
-        iv: tokenReviewerJwtIV,
-        tag: tokenReviewerJwtTag
-      } = encryptSymmetric(tokenReviewerJwt, key);
-      updateQuery.encryptedTokenReviewerJwt = encryptedTokenReviewerJwt;
-      updateQuery.tokenReviewerJwtIV = tokenReviewerJwtIV;
-      updateQuery.tokenReviewerJwtTag = tokenReviewerJwtTag;
-    }
-
-    const updatedKubernetesAuth = await identityKubernetesAuthDAL.updateById(identityKubernetesAuth.id, updateQuery);
-
-    return { ...updatedKubernetesAuth, orgId: identityMembershipOrg.orgId };
-  };
-
-  const getKubernetesAuth = async ({
-    identityId,
-    actorId,
-    actor,
-    actorAuthMethod,
-    actorOrgId
-  }: TGetKubernetesAuthDTO) => {
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
-    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
-    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
-      throw new BadRequestError({
-        message: "The identity does not have Kubernetes Auth attached"
-      });
-
-    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      identityMembershipOrg.orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
-
-    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
-    if (!orgBot) throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
-
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: orgBot.encryptedSymmetricKey,
-      iv: orgBot.symmetricKeyIV,
-      tag: orgBot.symmetricKeyTag,
-      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
-
-    const { encryptedCaCert, caCertIV, caCertTag, encryptedTokenReviewerJwt, tokenReviewerJwtIV, tokenReviewerJwtTag } =
-      identityKubernetesAuth;
-
-    let caCert = "";
-    if (encryptedCaCert && caCertIV && caCertTag) {
-      caCert = decryptSymmetric({
-        ciphertext: encryptedCaCert,
-        iv: caCertIV,
-        tag: caCertTag,
-        key
-      });
-    }
-
-    let tokenReviewerJwt = "";
-    if (encryptedTokenReviewerJwt && tokenReviewerJwtIV && tokenReviewerJwtTag) {
-      tokenReviewerJwt = decryptSymmetric({
-        ciphertext: encryptedTokenReviewerJwt,
-        iv: tokenReviewerJwtIV,
-        tag: tokenReviewerJwtTag,
-        key
-      });
-    }
-
-    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
-  };
-
-  return {
-    login,
-    attachKubernetesAuth,
-    updateKubernetesAuth,
-    getKubernetesAuth
-  };
-};

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts

@@ -1,61 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export type TLoginKubernetesAuthDTO = {
-  identityId: string;
-  jwt: string;
-};
-
-export type TAttachKubernetesAuthDTO = {
-  identityId: string;
-  kubernetesHost: string;
-  caCert: string;
-  tokenReviewerJwt: string;
-  allowedNamespaces: string;
-  allowedNames: string;
-  allowedAudience: string;
-  accessTokenTTL: number;
-  accessTokenMaxTTL: number;
-  accessTokenNumUsesLimit: number;
-  accessTokenTrustedIps: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateKubernetesAuthDTO = {
-  identityId: string;
-  kubernetesHost?: string;
-  caCert?: string;
-  tokenReviewerJwt?: string;
-  allowedNamespaces?: string;
-  allowedNames?: string;
-  allowedAudience?: string;
-  accessTokenTTL?: number;
-  accessTokenMaxTTL?: number;
-  accessTokenNumUsesLimit?: number;
-  accessTokenTrustedIps?: { ipAddress: string }[];
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetKubernetesAuthDTO = {
-  identityId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-type TCreateTokenReviewSuccessResponse = {
-  authenticated: true;
-  user: {
-    username: string;
-    uid: string;
-    groups: string[];
-  };
-  audiences: string[];
-};
-
-type TCreateTokenReviewErrorResponse = {
-  error: string;
-};
-
-export type TCreateTokenReviewResponse = {
-  apiVersion: "authentication.k8s.io/v1";
-  kind: "TokenReview";
-  spec: {
-    token: string;
-  };
-  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
-};

backend/src/services/identity-project/identity-project-dal.ts

@@ -10,16 +10,11 @@ export type TIdentityProjectDALFactory = ReturnType<typeof identityProjectDALFac
 export const identityProjectDALFactory = (db: TDbClient) => {
   const identityProjectOrm = ormify(db, TableName.IdentityProjectMembership);
 
-  const findByProjectId = async (projectId: string, filter: { identityId?: string } = {}, tx?: Knex) => {
+  const findByProjectId = async (projectId: string, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.IdentityProjectMembership)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
         .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
-        .where((qb) => {
-          if (filter.identityId) {
-            void qb.where("identityId", filter.identityId);
-          }
-        })
         .join(
           TableName.IdentityProjectMembershipRole,
           `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,

backend/src/services/identity-project/identity-project-service.ts

@@ -18,7 +18,6 @@ import { TIdentityProjectMembershipRoleDALFactory } from "./identity-project-mem
 import {
   TCreateProjectIdentityDTO,
   TDeleteProjectIdentityDTO,
-  TGetProjectIdentityByIdentityIdDTO,
   TListProjectIdentityDTO,
   TUpdateProjectIdentityDTO
 } from "./identity-project-types";
@@ -52,7 +51,7 @@ export const identityProjectServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     projectId,
-    roles
+    role
   }: TCreateProjectIdentityDTO) => {
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -79,33 +78,17 @@ export const identityProjectServiceFactory = ({
         message: `Failed to find identity with id ${identityId}`
       });
 
-    for await (const { role: requestedRoleChange } of roles) {
-      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
-        requestedRoleChange,
-        projectId
-      );
-
-      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-
-      if (!hasRequiredPriviledges) {
-        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
-      }
-    }
-
-    // validate custom roles input
-    const customInputRoles = roles.filter(
-      ({ role }) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
+    const { permission: rolePermission, role: customRole } = await permissionService.getProjectPermissionByRole(
+      role,
+      project.id
     );
-    const hasCustomRole = Boolean(customInputRoles.length);
-    const customRoles = hasCustomRole
-      ? await projectRoleDAL.find({
-          projectId,
-          $in: { slug: customInputRoles.map(({ role }) => role) }
-        })
-      : [];
-    if (customRoles.length !== customInputRoles.length) throw new BadRequestError({ message: "Custom role not found" });
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to add identity to project with more privileged role"
+      });
+    const isCustomRole = Boolean(customRole);
 
-    const customRolesGroupBySlug = groupBy(customRoles, ({ slug }) => slug);
     const projectIdentity = await identityProjectDAL.transaction(async (tx) => {
       const identityProjectMembership = await identityProjectDAL.create(
         {
@@ -114,32 +97,16 @@ export const identityProjectServiceFactory = ({
         },
         tx
       );
-      const sanitizedProjectMembershipRoles = roles.map((inputRole) => {
-        const isCustomRole = Boolean(customRolesGroupBySlug?.[inputRole.role]?.[0]);
-        if (!inputRole.isTemporary) {
-          return {
-            projectMembershipId: identityProjectMembership.id,
-            role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-            customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null
-          };
-        }
 
-        // check cron or relative here later for now its just relative
-        const relativeTimeInMs = ms(inputRole.temporaryRange);
-        return {
+      await identityProjectMembershipRoleDAL.create(
+        {
           projectMembershipId: identityProjectMembership.id,
-          role: isCustomRole ? ProjectMembershipRole.Custom : inputRole.role,
-          customRoleId: customRolesGroupBySlug[inputRole.role] ? customRolesGroupBySlug[inputRole.role][0].id : null,
-          isTemporary: true,
-          temporaryMode: ProjectUserMembershipTemporaryMode.Relative,
-          temporaryRange: inputRole.temporaryRange,
-          temporaryAccessStartTime: new Date(inputRole.temporaryAccessStartTime),
-          temporaryAccessEndTime: new Date(new Date(inputRole.temporaryAccessStartTime).getTime() + relativeTimeInMs)
-        };
-      });
-
-      const identityRoles = await identityProjectMembershipRoleDAL.insertMany(sanitizedProjectMembershipRoles, tx);
-      return { ...identityProjectMembership, roles: identityRoles };
+          role: isCustomRole ? ProjectMembershipRole.Custom : role,
+          customRoleId: customRole?.id
+        },
+        tx
+      );
+      return identityProjectMembership;
     });
     return projectIdentity;
   };
@@ -168,18 +135,16 @@ export const identityProjectServiceFactory = ({
         message: `Identity with id ${identityId} doesn't exists in project with id ${projectId}`
       });
 
-    for await (const { role: requestedRoleChange } of roles) {
-      const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
-        requestedRoleChange,
-        projectId
-      );
-
-      const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, rolePermission);
-
-      if (!hasRequiredPriviledges) {
-        throw new ForbiddenRequestError({ message: "Failed to change to a more privileged role" });
-      }
-    }
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      projectIdentity.identityId,
+      projectIdentity.projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
+    if (!hasRequiredPriviledges)
+      throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
     // validate custom roles input
     const customInputRoles = roles.filter(
@@ -259,7 +224,7 @@ export const identityProjectServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
-    const [deletedIdentity] = await identityProjectDAL.delete({ identityId, projectId });
+    const [deletedIdentity] = await identityProjectDAL.delete({ identityId });
     return deletedIdentity;
   };
 
@@ -283,33 +248,10 @@ export const identityProjectServiceFactory = ({
     return identityMemberships;
   };
 
-  const getProjectIdentityByIdentityId = async ({
-    projectId,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId,
-    identityId
-  }: TGetProjectIdentityByIdentityIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
-
-    const [identityMembership] = await identityProjectDAL.findByProjectId(projectId, { identityId });
-    if (!identityMembership) throw new BadRequestError({ message: `Membership not found for identity ${identityId}` });
-    return identityMembership;
-  };
-
   return {
     createProjectIdentity,
     updateProjectIdentity,
     deleteProjectIdentity,
-    listProjectIdentities,
-    getProjectIdentityByIdentityId
+    listProjectIdentities
   };
 };

backend/src/services/identity-project/identity-project-types.ts

@@ -4,19 +4,7 @@ import { ProjectUserMembershipTemporaryMode } from "../project-membership/projec
 
 export type TCreateProjectIdentityDTO = {
   identityId: string;
-  roles: (
-    | {
-        role: string;
-        isTemporary?: false;
-      }
-    | {
-        role: string;
-        isTemporary: true;
-        temporaryMode: ProjectUserMembershipTemporaryMode.Relative;
-        temporaryRange: string;
-        temporaryAccessStartTime: string;
-      }
-  )[];
+  role: string;
 } & TProjectPermission;
 
 export type TUpdateProjectIdentityDTO = {
@@ -41,7 +29,3 @@ export type TDeleteProjectIdentityDTO = {
 } & TProjectPermission;
 
 export type TListProjectIdentityDTO = TProjectPermission;
-
-export type TGetProjectIdentityByIdentityIdDTO = {
-  identityId: string;
-} & TProjectPermission;

backend/src/services/identity-ua/identity-ua-service.ts

@@ -52,7 +52,7 @@ export const identityUaServiceFactory = ({
 }: TIdentityUaServiceFactoryDep) => {
   const login = async (clientId: string, clientSecret: string, ip: string) => {
     const identityUa = await identityUaDAL.findOne({ clientId });
-    if (!identityUa) throw new UnauthorizedError({ message: "Invalid credentials" });
+    if (!identityUa) throw new UnauthorizedError();
 
     const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
 
@@ -68,7 +68,7 @@ export const identityUaServiceFactory = ({
     const validClientSecretInfo = clientSecrtInfo.find(({ clientSecretHash }) =>
       bcrypt.compareSync(clientSecret, clientSecretHash)
     );
-    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
+    if (!validClientSecretInfo) throw new UnauthorizedError();
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
     if (Number(clientSecretTTL) > 0) {

backend/src/services/integration-auth/integration-list.ts

@@ -43,11 +43,6 @@ export enum IntegrationInitialSyncBehavior {
   PREFER_SOURCE = "prefer-source"
 }
 
-export enum IntegrationMappingBehavior {
-  ONE_TO_ONE = "one-to-one",
-  MANY_TO_ONE = "many-to-one"
-}
-
 export enum IntegrationUrls {
   // integration oauth endpoints
   GCP_TOKEN_URL = "https://oauth2.googleapis.com/token",

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -9,12 +9,9 @@
 
 import {
   CreateSecretCommand,
-  DescribeSecretCommand,
   GetSecretValueCommand,
   ResourceNotFoundException,
   SecretsManagerClient,
-  TagResourceCommand,
-  UntagResourceCommand,
   UpdateSecretCommand
 } from "@aws-sdk/client-secrets-manager";
 import { Octokit } from "@octokit/rest";
@@ -30,12 +27,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/secret/secret-types";
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
-import {
-  IntegrationInitialSyncBehavior,
-  IntegrationMappingBehavior,
-  Integrations,
-  IntegrationUrls
-} from "./integration-list";
+import { IntegrationInitialSyncBehavior, Integrations, IntegrationUrls } from "./integration-list";
 
 const getSecretKeyValuePair = (secrets: Record<string, { value: string | null; comment?: string } | null>) =>
   Object.keys(secrets).reduce<Record<string, string | null | undefined>>((prev, key) => {
@@ -467,39 +459,27 @@ const syncSecretsAWSParameterStore = async ({
   ssm.config.update(config);
 
   const metadata = z.record(z.any()).parse(integration.metadata || {});
-  const awsParameterStoreSecretsObj: Record<string, AWS.SSM.Parameter> = {};
 
-  // now fetch all aws parameter store secrets
-  let hasNext = true;
-  let nextToken: string | undefined;
-  while (hasNext) {
-    const parameters = await ssm
-      .getParametersByPath({
-        Path: integration.path as string,
-        Recursive: false,
-        WithDecryption: true,
-        MaxResults: 10,
-        NextToken: nextToken
-      })
-      .promise();
+  const params = {
+    Path: integration.path as string,
+    Recursive: false,
+    WithDecryption: true
+  };
 
-    if (parameters.Parameters) {
-      parameters.Parameters.forEach((parameter) => {
-        if (parameter.Name) {
-          const secKey = parameter.Name.substring((integration.path as string).length);
-          awsParameterStoreSecretsObj[secKey] = parameter;
-        }
-      });
-    }
-    hasNext = Boolean(parameters.NextToken);
-    nextToken = parameters.NextToken;
-  }
+  const parameterList = (await ssm.getParametersByPath(params).promise()).Parameters;
 
+  const awsParameterStoreSecretsObj = (parameterList || [])
+    .filter(({ Name }) => Boolean(Name))
+    .reduce(
+      (obj, secret) => ({
+        ...obj,
+        [(secret.Name as string).substring((integration.path as string).length)]: secret
+      }),
+      {} as Record<string, AWS.SSM.Parameter>
+    );
   // Identify secrets to create
-  // don't use Promise.all() and promise map here
-  // it will cause rate limit
-  for (const key in secrets) {
-    if (Object.hasOwn(secrets, key)) {
+  await Promise.all(
+    Object.keys(secrets).map(async (key) => {
       if (!(key in awsParameterStoreSecretsObj)) {
         // case: secret does not exist in AWS parameter store
         // -> create secret
@@ -534,31 +514,23 @@ const syncSecretsAWSParameterStore = async ({
           })
           .promise();
       }
+    })
+  );
 
-      await new Promise((resolve) => {
-        setTimeout(resolve, 50);
-      });
-    }
-  }
-
-  if (!metadata.shouldDisableDelete) {
-    for (const key in awsParameterStoreSecretsObj) {
-      if (Object.hasOwn(awsParameterStoreSecretsObj, key)) {
-        if (!(key in secrets)) {
-          // case:
-          // -> delete secret
-          await ssm
-            .deleteParameter({
-              Name: awsParameterStoreSecretsObj[key].Name as string
-            })
-            .promise();
-        }
-        await new Promise((resolve) => {
-          setTimeout(resolve, 50);
-        });
+  // Identify secrets to delete
+  await Promise.all(
+    Object.keys(awsParameterStoreSecretsObj).map(async (key) => {
+      if (!(key in secrets)) {
+        // case:
+        // -> delete secret
+        await ssm
+          .deleteParameter({
+            Name: awsParameterStoreSecretsObj[key].Name as string
+          })
+          .promise();
       }
-    }
-  }
+    })
+  );
 };
 
 /**
@@ -575,149 +547,52 @@ const syncSecretsAWSSecretManager = async ({
   accessId: string | null;
   accessToken: string;
 }) => {
+  let secretsManager;
+  const secKeyVal = getSecretKeyValuePair(secrets);
   const metadata = z.record(z.any()).parse(integration.metadata || {});
+  try {
+    if (!accessId) return;
 
-  if (!accessId) return;
+    secretsManager = new SecretsManagerClient({
+      region: integration.region as string,
+      credentials: {
+        accessKeyId: accessId,
+        secretAccessKey: accessToken
+      }
+    });
 
-  const secretsManager = new SecretsManagerClient({
-    region: integration.region as string,
-    credentials: {
-      accessKeyId: accessId,
-      secretAccessKey: accessToken
+    const awsSecretManagerSecret = await secretsManager.send(
+      new GetSecretValueCommand({
+        SecretId: integration.app as string
+      })
+    );
+
+    let awsSecretManagerSecretObj: { [key: string]: AWS.SecretsManager } = {};
+
+    if (awsSecretManagerSecret?.SecretString) {
+      awsSecretManagerSecretObj = JSON.parse(awsSecretManagerSecret.SecretString);
     }
-  });
-
-  const processAwsSecret = async (
-    secretId: string,
-    secretValue: Record<string, string | null | undefined> | string
-  ) => {
-    try {
-      const awsSecretManagerSecret = await secretsManager.send(
-        new GetSecretValueCommand({
-          SecretId: secretId
+    if (!isEqual(awsSecretManagerSecretObj, secKeyVal)) {
+      await secretsManager.send(
+        new UpdateSecretCommand({
+          SecretId: integration.app as string,
+          SecretString: JSON.stringify(secKeyVal)
         })
       );
-
-      let secretToCompare;
-      if (awsSecretManagerSecret?.SecretString) {
-        if (typeof secretValue === "string") {
-          secretToCompare = awsSecretManagerSecret.SecretString;
-        } else {
-          secretToCompare = JSON.parse(awsSecretManagerSecret.SecretString);
-        }
-      }
-
-      if (!isEqual(secretToCompare, secretValue)) {
-        await secretsManager.send(
-          new UpdateSecretCommand({
-            SecretId: secretId,
-            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue)
-          })
-        );
-      }
-
-      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
-
-      if (secretAWSTag && secretAWSTag.length) {
-        const describedSecret = await secretsManager.send(
-          // requires secretsmanager:DescribeSecret policy
-          new DescribeSecretCommand({
-            SecretId: secretId
-          })
-        );
-
-        if (!describedSecret.Tags) return;
-
-        const integrationTagObj = secretAWSTag.reduce(
-          (acc, item) => {
-            acc[item.key] = item.value;
-            return acc;
-          },
-          {} as Record<string, string>
-        );
-
-        const awsTagObj = (describedSecret.Tags || []).reduce(
-          (acc, item) => {
-            if (item.Key && item.Value) {
-              acc[item.Key] = item.Value;
-            }
-            return acc;
-          },
-          {} as Record<string, string>
-        );
-
-        const tagsToUpdate: { Key: string; Value: string }[] = [];
-        const tagsToDelete: { Key: string; Value: string }[] = [];
-
-        describedSecret.Tags?.forEach((tag) => {
-          if (tag.Key && tag.Value) {
-            if (!(tag.Key in integrationTagObj)) {
-              // delete tag from AWS secret manager
-              tagsToDelete.push({
-                Key: tag.Key,
-                Value: tag.Value
-              });
-            } else if (tag.Value !== integrationTagObj[tag.Key]) {
-              // update tag in AWS secret manager
-              tagsToUpdate.push({
-                Key: tag.Key,
-                Value: integrationTagObj[tag.Key]
-              });
-            }
-          }
-        });
-
-        secretAWSTag?.forEach((tag) => {
-          if (!(tag.key in awsTagObj)) {
-            // create tag in AWS secret manager
-            tagsToUpdate.push({
-              Key: tag.key,
-              Value: tag.value
-            });
-          }
-        });
-
-        if (tagsToUpdate.length) {
-          await secretsManager.send(
-            new TagResourceCommand({
-              SecretId: secretId,
-              Tags: tagsToUpdate
-            })
-          );
-        }
-
-        if (tagsToDelete.length) {
-          await secretsManager.send(
-            new UntagResourceCommand({
-              SecretId: secretId,
-              TagKeys: tagsToDelete.map((tag) => tag.Key)
-            })
-          );
-        }
-      }
-    } catch (err) {
-      // case when AWS manager can't find the specified secret
-      if (err instanceof ResourceNotFoundException && secretsManager) {
-        await secretsManager.send(
-          new CreateSecretCommand({
-            Name: secretId,
-            SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
-            ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-            Tags: metadata.secretAWSTag
-              ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
-              : []
-          })
-        );
-      }
     }
-  };
-
-  if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
-    for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value);
+  } catch (err) {
+    if (err instanceof ResourceNotFoundException && secretsManager) {
+      await secretsManager.send(
+        new CreateSecretCommand({
+          Name: integration.app as string,
+          SecretString: JSON.stringify(secKeyVal),
+          ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
+          Tags: metadata.secretAWSTag
+            ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({ Key: tag.key, Value: tag.value }))
+            : []
+        })
+      );
     }
-  } else {
-    await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
   }
 };
 
@@ -2696,21 +2571,18 @@ const syncSecretsCloudflarePages = async ({
     })
   ).data.result.deployment_configs[integration.targetEnvironment as string].env_vars;
 
-  let secretEntries: [string, object | null][] = Object.entries(getSecretKeyValuePair(secrets)).map(([key, val]) => [
-    key,
-    { type: "secret_text", value: val }
-  ]);
-
-  if (getSecretsRes) {
-    const toDeleteKeys = Object.keys(getSecretsRes).filter((key) => !Object.keys(secrets).includes(key));
-    const toDeleteEntries: [string, null][] = toDeleteKeys.map((key) => [key, null]);
-    secretEntries = [...secretEntries, ...toDeleteEntries];
-  }
+  // copy the secrets object, so we can set deleted keys to null
+  const secretsObj = Object.fromEntries(
+    Object.entries(getSecretKeyValuePair(secrets)).map(([key, val]) => [
+      key,
+      key in Object.keys(getSecretsRes) ? { type: "secret_text", value: val } : null
+    ])
+  );
 
   const data = {
     deployment_configs: {
       [integration.targetEnvironment as string]: {
-        env_vars: Object.fromEntries(secretEntries)
+        env_vars: secretsObj
       }
     }
   };
@@ -2988,7 +2860,7 @@ const syncSecretsDigitalOceanAppPlatform = async ({
       spec: {
         name: integration.app,
         ...appSettings,
-        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value, type: "SECRET" }))
+        envs: Object.entries(secrets).map(([key, data]) => ({ key, value: data.value }))
       }
     },
     {

backend/src/services/integration/integration-service.ts

@@ -9,12 +9,7 @@ import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth
 import { TSecretQueueFactory } from "../secret/secret-queue";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TIntegrationDALFactory } from "./integration-dal";
-import {
-  TCreateIntegrationDTO,
-  TDeleteIntegrationDTO,
-  TSyncIntegrationDTO,
-  TUpdateIntegrationDTO
-} from "./integration-types";
+import { TCreateIntegrationDTO, TDeleteIntegrationDTO, TUpdateIntegrationDTO } from "./integration-types";
 
 type TIntegrationServiceFactoryDep = {
   integrationDAL: TIntegrationDALFactory;
@@ -108,8 +103,7 @@ export const integrationServiceFactory = ({
     owner,
     isActive,
     environment,
-    secretPath,
-    metadata
+    secretPath
   }: TUpdateIntegrationDTO) => {
     const integration = await integrationDAL.findById(id);
     if (!integration) throw new BadRequestError({ message: "Integration auth not found" });
@@ -133,17 +127,7 @@ export const integrationServiceFactory = ({
       appId,
       targetEnvironment,
       owner,
-      secretPath,
-      metadata: {
-        ...(integration.metadata as object),
-        ...metadata
-      }
-    });
-
-    await secretQueueService.syncIntegrations({
-      environment: folder.environment.slug,
-      secretPath,
-      projectId: folder.projectId
+      secretPath
     });
 
     return updatedIntegration;
@@ -206,35 +190,10 @@ export const integrationServiceFactory = ({
     return integrations;
   };
 
-  const syncIntegration = async ({ id, actorId, actor, actorOrgId, actorAuthMethod }: TSyncIntegrationDTO) => {
-    const integration = await integrationDAL.findById(id);
-    if (!integration) {
-      throw new BadRequestError({ message: "Integration not found" });
-    }
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integration.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-
-    await secretQueueService.syncIntegrations({
-      environment: integration.environment.slug,
-      secretPath: integration.secretPath,
-      projectId: integration.projectId
-    });
-
-    return { ...integration, envId: integration.environment.id };
-  };
-
   return {
     createIntegration,
     updateIntegration,
     deleteIntegration,
-    listIntegrationByProject,
-    syncIntegration
+    listIntegrationByProject
   };
 };

backend/src/services/integration/integration-types.ts

@@ -27,39 +27,20 @@ export type TCreateIntegrationDTO = {
       value: string;
     }[];
     kmsKeyId?: string;
-    shouldDisableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateIntegrationDTO = {
   id: string;
-  app?: string;
-  appId?: string;
+  app: string;
+  appId: string;
   isActive?: boolean;
   secretPath: string;
   targetEnvironment: string;
   owner: string;
   environment: string;
-  metadata?: {
-    secretPrefix?: string;
-    secretSuffix?: string;
-    secretGCPLabel?: {
-      labelName: string;
-      labelValue: string;
-    };
-    secretAWSTag?: {
-      key: string;
-      value: string;
-    }[];
-    kmsKeyId?: string;
-    shouldDisableDelete?: boolean;
-  };
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteIntegrationDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
-
-export type TSyncIntegrationDTO = {
-  id: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/services/org/org-service.ts

@@ -546,10 +546,6 @@ export const orgServiceFactory = ({
       code
     });
 
-    await userDAL.updateById(user.id, {
-      isEmailVerified: true
-    });
-
     if (user.isAccepted) {
       // this means user has already completed signup process
       // isAccepted is set true when keys are exchanged

backend/src/services/project-bot/project-bot-fns.ts

@@ -3,7 +3,6 @@ import { decryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/en
 import { BadRequestError } from "@app/lib/errors";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 
-import { TProjectDALFactory } from "../project/project-dal";
 import { TGetPrivateKeyDTO } from "./project-bot-types";
 
 export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
@@ -14,17 +13,11 @@ export const getBotPrivateKey = ({ bot }: TGetPrivateKeyDTO) =>
     ciphertext: bot.encryptedPrivateKey
   });
 
-export const getBotKeyFnFactory = (
-  projectBotDAL: TProjectBotDALFactory,
-  projectDAL: Pick<TProjectDALFactory, "findById">
-) => {
+export const getBotKeyFnFactory = (projectBotDAL: TProjectBotDALFactory) => {
   const getBotKeyFn = async (projectId: string) => {
-    const project = await projectDAL.findById(projectId);
-    if (!project) throw new BadRequestError({ message: "Project not found during bot lookup." });
+    const bot = await projectBotDAL.findOne({ projectId });
 
-    const bot = await projectBotDAL.findOne({ projectId: project.id });
-
-    if (!bot) throw new BadRequestError({ message: "Failed to find bot key" });
+    if (!bot) throw new BadRequestError({ message: "failed to find bot key" });
     if (!bot.isActive) throw new BadRequestError({ message: "Bot is not active" });
     if (!bot.encryptedProjectKeyNonce || !bot.encryptedProjectKey)
       throw new BadRequestError({ message: "Encryption key missing" });

backend/src/services/project-bot/project-bot-service.ts

@@ -25,7 +25,7 @@ export const projectBotServiceFactory = ({
   projectDAL,
   permissionService
 }: TProjectBotServiceFactoryDep) => {
-  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL, projectDAL);
+  const getBotKeyFn = getBotKeyFnFactory(projectBotDAL);
 
   const getBotKey = async (projectId: string) => {
     return getBotKeyFn(projectId);

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,5 +1,3 @@
-import { Knex } from "knex";
-
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
@@ -11,19 +9,11 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   const projectMemberOrm = ormify(db, TableName.ProjectMembership);
 
   // special query
-  const findAllProjectMembers = async (projectId: string, filter: { usernames?: string[]; username?: string } = {}) => {
+  const findAllProjectMembers = async (projectId: string) => {
     try {
       const docs = await db(TableName.ProjectMembership)
         .where({ [`${TableName.ProjectMembership}.projectId` as "projectId"]: projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
-        .where((qb) => {
-          if (filter.usernames) {
-            void qb.whereIn("username", filter.usernames);
-          }
-          if (filter.username) {
-            void qb.where("username", filter.username);
-          }
-        })
         .join<TUserEncryptionKeys>(
           TableName.UserEncryptionKey,
           `${TableName.UserEncryptionKey}.userId`,
@@ -106,9 +96,9 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findProjectGhostUser = async (projectId: string, tx?: Knex) => {
+  const findProjectGhostUser = async (projectId: string) => {
     try {
-      const ghostUser = await (tx || db)(TableName.ProjectMembership)
+      const ghostUser = await db(TableName.ProjectMembership)
         .where({ projectId })
         .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
         .select(selectAllTableCols(TableName.Users))

backend/src/services/project-membership/project-membership-service.ts

@@ -34,7 +34,6 @@ import {
   TAddUsersToWorkspaceNonE2EEDTO,
   TDeleteProjectMembershipOldDTO,
   TDeleteProjectMembershipsDTO,
-  TGetProjectMembershipByUsernameDTO,
   TGetProjectMembershipDTO,
   TUpdateProjectMembershipDTO
 } from "./project-membership-types";
@@ -90,28 +89,6 @@ export const projectMembershipServiceFactory = ({
     return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
-  const getProjectMembershipByUsername = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectId,
-    username
-  }: TGetProjectMembershipByUsernameDTO) => {
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
-
-    const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
-    if (!membership) throw new BadRequestError({ message: `Project membership not found for user ${username}` });
-    return membership;
-  };
-
   const addUsersToProject = async ({
     projectId,
     actorId,
@@ -533,7 +510,6 @@ export const projectMembershipServiceFactory = ({
 
   return {
     getProjectMemberships,
-    getProjectMembershipByUsername,
     updateProjectMembership,
     addUsersToProjectNonE2EE,
     deleteProjectMemberships,

backend/src/services/project-membership/project-membership-types.ts

@@ -9,10 +9,6 @@ export type TInviteUserToProjectDTO = {
   emails: string[];
 } & TProjectPermission;
 
-export type TGetProjectMembershipByUsernameDTO = {
-  username: string;
-} & TProjectPermission;
-
 export type TUpdateProjectMembershipDTO = {
   membershipId: string;
   roles: (

backend/src/services/project/project-service.ts

@@ -340,7 +340,7 @@ export const projectServiceFactory = ({
 
     const deletedProject = await projectDAL.transaction(async (tx) => {
       const delProject = await projectDAL.deleteById(project.id, tx);
-      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id, tx).catch(() => null);
+      const projectGhostUser = await projectMembershipDAL.findProjectGhostUser(project.id).catch(() => null);
 
       // Delete the org membership for the ghost user if it's found.
       if (projectGhostUser) {

backend/src/services/resource-cleanup/resource-cleanup-queue.ts

@@ -1,58 +0,0 @@
-import { TAuditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
-import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
-
-import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
-
-type TDailyResourceCleanUpQueueServiceFactoryDep = {
-  auditLogDAL: Pick<TAuditLogDALFactory, "pruneAuditLog">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "removeExpiredTokens">;
-  queueService: TQueueServiceFactory;
-};
-
-export type TDailyResourceCleanUpQueueServiceFactory = ReturnType<typeof dailyResourceCleanUpQueueServiceFactory>;
-
-export const dailyResourceCleanUpQueueServiceFactory = ({
-  auditLogDAL,
-  queueService,
-  identityAccessTokenDAL
-}: TDailyResourceCleanUpQueueServiceFactoryDep) => {
-  queueService.start(QueueName.DailyResourceCleanUp, async () => {
-    logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
-    await auditLogDAL.pruneAuditLog();
-    await identityAccessTokenDAL.removeExpiredTokens();
-    logger.info(`${QueueName.DailyResourceCleanUp}: queue task completed`);
-  });
-
-  // we do a repeat cron job in utc timezone at 12 Midnight each day
-  const startCleanUp = async () => {
-    // TODO(akhilmhdh): remove later
-    await queueService.stopRepeatableJob(
-      QueueName.AuditLogPrune,
-      QueueJobs.AuditLogPrune,
-      { pattern: "0 0 * * *", utc: true },
-      QueueName.AuditLogPrune // just a job id
-    );
-    // clear previous job
-    await queueService.stopRepeatableJob(
-      QueueName.DailyResourceCleanUp,
-      QueueJobs.DailyResourceCleanUp,
-      { pattern: "0 0 * * *", utc: true },
-      QueueName.DailyResourceCleanUp // just a job id
-    );
-
-    await queueService.queue(QueueName.DailyResourceCleanUp, QueueJobs.DailyResourceCleanUp, undefined, {
-      delay: 5000,
-      jobId: QueueName.DailyResourceCleanUp,
-      repeat: { pattern: "0 0 * * *", utc: true }
-    });
-  };
-
-  queueService.listen(QueueName.DailyResourceCleanUp, "failed", (_, err) => {
-    logger.error(err, `${QueueName.DailyResourceCleanUp}: resource cleanup failed`);
-  });
-
-  return {
-    startCleanUp
-  };
-};

backend/src/services/secret-folder/secret-folder-service.ts

@@ -8,16 +8,9 @@ import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError } from "@app/lib/errors";
 
-import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "./secret-folder-dal";
-import {
-  TCreateFolderDTO,
-  TDeleteFolderDTO,
-  TGetFolderDTO,
-  TUpdateFolderDTO,
-  TUpdateManyFoldersDTO
-} from "./secret-folder-types";
+import { TCreateFolderDTO, TDeleteFolderDTO, TGetFolderDTO, TUpdateFolderDTO } from "./secret-folder-types";
 import { TSecretFolderVersionDALFactory } from "./secret-folder-version-dal";
 
 type TSecretFolderServiceFactoryDep = {
@@ -26,7 +19,6 @@ type TSecretFolderServiceFactoryDep = {
   folderDAL: TSecretFolderDALFactory;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderVersionDAL: TSecretFolderVersionDALFactory;
-  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
 };
 
 export type TSecretFolderServiceFactory = ReturnType<typeof secretFolderServiceFactory>;
@@ -36,8 +28,7 @@ export const secretFolderServiceFactory = ({
   snapshotService,
   permissionService,
   projectEnvDAL,
-  folderVersionDAL,
-  projectDAL
+  folderVersionDAL
 }: TSecretFolderServiceFactoryDep) => {
   const createFolder = async ({
     projectId,
@@ -125,105 +116,6 @@ export const secretFolderServiceFactory = ({
     return folder;
   };
 
-  const updateManyFolders = async ({
-    actor,
-    actorId,
-    projectSlug,
-    actorAuthMethod,
-    actorOrgId,
-    folders
-  }: TUpdateManyFoldersDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) {
-      throw new BadRequestError({ message: "Project not found" });
-    }
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    folders.forEach(({ environment, path: secretPath }) => {
-      ForbiddenError.from(permission).throwUnlessCan(
-        ProjectPermissionActions.Edit,
-        subject(ProjectPermissionSub.Secrets, { environment, secretPath })
-      );
-    });
-
-    const result = await folderDAL.transaction(async (tx) =>
-      Promise.all(
-        folders.map(async (newFolder) => {
-          const { environment, path: secretPath, id, name } = newFolder;
-
-          const parentFolder = await folderDAL.findBySecretPath(project.id, environment, secretPath);
-          if (!parentFolder) {
-            throw new BadRequestError({ message: "Secret path not found", name: "Batch update folder" });
-          }
-
-          const env = await projectEnvDAL.findOne({ projectId: project.id, slug: environment });
-          if (!env) {
-            throw new BadRequestError({ message: "Environment not found", name: "Batch update folder" });
-          }
-          const folder = await folderDAL
-            .findOne({ envId: env.id, id, parentId: parentFolder.id })
-            // now folder api accepts id based change
-            // this is for cli backward compatiability and when cli removes this, we will remove this logic
-            .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
-
-          if (!folder) {
-            throw new BadRequestError({ message: "Folder not found" });
-          }
-          if (name !== folder.name) {
-            // ensure that new folder name is unique
-            const folderToCheck = await folderDAL.findOne({
-              name,
-              envId: env.id,
-              parentId: parentFolder.id
-            });
-
-            if (folderToCheck) {
-              throw new BadRequestError({
-                message: "Folder with specified name already exists",
-                name: "Batch update folder"
-              });
-            }
-          }
-
-          const [doc] = await folderDAL.update(
-            { envId: env.id, id: folder.id, parentId: parentFolder.id },
-            { name },
-            tx
-          );
-          await folderVersionDAL.create(
-            {
-              name: doc.name,
-              envId: doc.envId,
-              version: doc.version,
-              folderId: doc.id
-            },
-            tx
-          );
-          if (!doc) {
-            throw new BadRequestError({ message: "Folder not found", name: "Batch update folder" });
-          }
-
-          return { oldFolder: folder, newFolder: doc };
-        })
-      )
-    );
-
-    await Promise.all(result.map(async (res) => snapshotService.performSnapshot(res.newFolder.parentId as string)));
-
-    return {
-      projectId: project.id,
-      newFolders: result.map((res) => res.newFolder),
-      oldFolders: result.map((res) => res.oldFolder)
-    };
-  };
-
   const updateFolder = async ({
     projectId,
     actor,
@@ -259,21 +151,6 @@ export const secretFolderServiceFactory = ({
       .catch(() => folderDAL.findOne({ envId: env.id, name: id, parentId: parentFolder.id }));
 
     if (!folder) throw new BadRequestError({ message: "Folder not found" });
-    if (name !== folder.name) {
-      // ensure that new folder name is unique
-      const folderToCheck = await folderDAL.findOne({
-        name,
-        envId: env.id,
-        parentId: parentFolder.id
-      });
-
-      if (folderToCheck) {
-        throw new BadRequestError({
-          message: "Folder with specified name already exists",
-          name: "Update folder"
-        });
-      }
-    }
 
     const newFolder = await folderDAL.transaction(async (tx) => {
       const [doc] = await folderDAL.update({ envId: env.id, id: folder.id, parentId: parentFolder.id }, { name }, tx);
@@ -362,7 +239,6 @@ export const secretFolderServiceFactory = ({
   return {
     createFolder,
     updateFolder,
-    updateManyFolders,
     deleteFolder,
     getFolders
   };

backend/src/services/secret-folder/secret-folder-types.ts

@@ -13,16 +13,6 @@ export type TUpdateFolderDTO = {
   name: string;
 } & TProjectPermission;
 
-export type TUpdateManyFoldersDTO = {
-  projectSlug: string;
-  folders: {
-    environment: string;
-    path: string;
-    id: string;
-    name: string;
-  }[];
-} & Omit<TProjectPermission, "projectId">;
-
 export type TDeleteFolderDTO = {
   environment: string;
   path: string;