test

feat: updated ruby action

.env.example

@@ -112,4 +112,11 @@ INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=
 
 # azure app connection
 INF_APP_CONNECTION_AZURE_CLIENT_ID=
-INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+INF_APP_CONNECTION_AZURE_CLIENT_SECRET=
+
+# datadog
+SHOULD_USE_DATADOG_TRACER=
+DATADOG_PROFILING_ENABLED=
+DATADOG_ENV=
+DATADOG_SERVICE=
+DATADOG_HOSTNAME=

.envrc

@@ -0,0 +1,3 @@
+# Learn more at https://direnv.net
+# We instruct direnv to use our Nix flake for a consistent development environment.
+use flake

.github/workflows/check-api-for-breaking-changes.yml

@@ -32,10 +32,23 @@ jobs:
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
       - name: Start the server
         run: |
-            echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
-            echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
-            echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
-            docker run --name infisical-api -d -p 4000:4000 -e DB_CONNECTION_URI=$DB_CONNECTION_URI -e REDIS_URL=$REDIS_URL -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET -e ENCRYPTION_KEY=$ENCRYPTION_KEY --env-file .env --entrypoint '/bin/sh' infisical-api -c "npm run migration:latest && ls && node dist/main.mjs"
+          echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
+          echo "SECRET_SCANNING_PRIVATE_KEY=some-random" >> .env
+          echo "SECRET_SCANNING_WEBHOOK_SECRET=some-random" >> .env
+
+          echo "Examining built image:"
+          docker image inspect infisical-api | grep -A 5 "Entrypoint"
+          
+          docker run --name infisical-api -d -p 4000:4000 \
+            -e DB_CONNECTION_URI=$DB_CONNECTION_URI \
+            -e REDIS_URL=$REDIS_URL \
+            -e JWT_AUTH_SECRET=$JWT_AUTH_SECRET \
+            -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
+            --env-file .env \
+            infisical-api
+          
+          echo "Container status right after creation:"
+          docker ps -a | grep infisical-api
         env:
           REDIS_URL: redis://172.17.0.1:6379
           DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
@@ -43,35 +56,48 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21.5'
+          go-version: "1.21.5"
       - name: Wait for container to be stable and check logs
         run: |
           SECONDS=0
           HEALTHY=0
           while [ $SECONDS -lt 60 ]; do
-            if docker ps | grep infisical-api | grep -q healthy; then
-              echo "Container is healthy."
-              HEALTHY=1
+            # Check if container is running
+            if docker ps | grep infisical-api; then
+              # Try to access the API endpoint
+              if curl -s -f http://localhost:4000/api/docs/json > /dev/null 2>&1; then
+                echo "API endpoint is responding. Container seems healthy."
+                HEALTHY=1
+                break
+              fi
+            else
+              echo "Container is not running!"
+              docker ps -a | grep infisical-api
               break
             fi
+            
             echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
-
-            docker logs infisical-api
-
-            sleep 2
-            SECONDS=$((SECONDS+2))
+            sleep 5
+            SECONDS=$((SECONDS+5))
           done
-      
+          
           if [ $HEALTHY -ne 1 ]; then
             echo "Container did not become healthy in time"
+            echo "Container status:"
+            docker ps -a | grep infisical-api
+            echo "Container logs (if any):"
+            docker logs infisical-api || echo "No logs available"
+            echo "Container inspection:"
+            docker inspect infisical-api | grep -A 5 "State"
             exit 1
           fi
       - name: Install openapi-diff
-        run: go install github.com/tufin/oasdiff@latest
+        run: go install github.com/oasdiff/oasdiff@latest
       - name: Running OpenAPI Spec diff action
         run: oasdiff breaking https://app.infisical.com/api/docs/json http://localhost:4000/api/docs/json --fail-on ERR
       - name: cleanup
+        if: always()
         run: |
           docker compose -f "docker-compose.dev.yml" down
-          docker stop infisical-api
-          docker remove infisical-api
+          docker stop infisical-api || true
+          docker rm infisical-api || true

.github/workflows/codeql.yml

@@ -0,0 +1,102 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main", "development" ]
+  pull_request:
+    branches: [ "main", "development" ]
+  schedule:
+    - cron: '33 7 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: go
+          build-mode: autobuild
+        - language: javascript-typescript
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/deployment-pipeline.yml

@@ -1,262 +0,0 @@
-name: Deployment pipeline
-on: [workflow_dispatch]
-
-permissions:
-  id-token: write
-  contents: read
-
-concurrency: 
-  group: "infisical-core-deployment"
-  cancel-in-progress: true  
-
-jobs:
-  infisical-tests:
-    name: Integration tests
-    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-    uses: ./.github/workflows/run-backend-tests.yml
-    
-  infisical-image:
-    name: Build
-    runs-on: ubuntu-latest
-    needs: [infisical-tests]
-    steps:
-      - name: ☁️ Checkout source
-        uses: actions/checkout@v3
-      - name: 📦 Install dependencies to test all dependencies
-        run: npm ci --only-production
-        working-directory: backend
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Set up Depot CLI
-        uses: depot/setup-action@v1
-      - name: 🏗️ Build backend and push to docker hub
-        uses: depot/build-push-action@v1
-        with:
-          project: 64mmf0n610
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          push: true
-          context: .
-          file: Dockerfile.standalone-infisical
-          tags: |
-            infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            infisical/staging_infisical:latest
-          platforms: linux/amd64,linux/arm64
-          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-            INFISICAL_PLATFORM_VERSION=${{ steps.commit.outputs.short }}
-    
-  gamma-deployment:
-    name: Deploy to gamma
-    runs-on: ubuntu-latest
-    needs: [infisical-image]
-    environment:
-      name: Gamma
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-          # The Twingate Service Key used to connect Twingate to the proper service
-          # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
-          #
-          # Required
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::905418227878:role/deploy-new-ecs-img
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-gamma-stage --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-gamma-stage
-          cluster: infisical-gamma-stage
-          wait-for-service-stability: true
-
-  production-us:
-    name: US production deploy 
-    runs-on: ubuntu-latest
-    needs: [gamma-deployment]
-    environment:
-      name: Production
-    steps:
-      - uses: twingate/github-action@v1
-        with:
-          service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Setup Node.js environment
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
-      - name: Change directory to backend and install dependencies
-        env:
-          DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-          AUDIT_LOGS_DB_CONNECTION_URI: ${{ secrets.AUDIT_LOGS_DB_CONNECTION_URI }}
-        run: |
-          cd backend
-          npm install
-          npm run migration:latest
-      - name: Configure AWS Credentials 
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          audience: sts.amazonaws.com
-          aws-region: us-east-1
-          role-to-assume: arn:aws:iam::381492033652:role/gha-make-prod-deployment
-      - name: Save commit hashes for tag
-        id: commit
-        uses: pr-mpt/actions-commit-hash@v2
-      - name: Download task definition
-        run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
-      - name: Render Amazon ECS task definition
-        id: render-web-container
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: task-definition.json
-          container-name: infisical-core-platform
-          image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-          environment-variables: "LOG_LEVEL=info"
-      - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
-        with:
-          task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
-          wait-for-service-stability: true
-      - name: Post slack message 
-        uses: slackapi/slack-github-action@v2.0.0
-        with:
-          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-          webhook-type: incoming-webhook
-          payload: |
-            text: "*Deployment Status Update*: ${{ job.status }}"
-            blocks:
-              - type: "section"
-                text:
-                  type: "mrkdwn"
-                  text: "*Deployment Status Update*: ${{ job.status }}"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Application:*\nInfisical Core"
-                  - type: "mrkdwn"
-                    text: "*Instance Type:*\nShared Infisical Cloud"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Region:*\nUS"
-                  - type: "mrkdwn"
-                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-
-
-  production-eu:
-      name: EU production deploy
-      runs-on: ubuntu-latest
-      needs: [production-us]
-      environment:
-        name: production-eu
-      steps:
-        - uses: twingate/github-action@v1
-          with:
-            service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
-        - name: Configure AWS Credentials 
-          uses: aws-actions/configure-aws-credentials@v4
-          with:
-            audience: sts.amazonaws.com
-            aws-region: eu-central-1
-            role-to-assume: arn:aws:iam::345594589636:role/gha-make-prod-deployment
-        - name: Checkout code
-          uses: actions/checkout@v2
-        - name: Setup Node.js environment
-          uses: actions/setup-node@v2
-          with:
-            node-version: "20"
-        - name: Change directory to backend and install dependencies
-          env:
-            DB_CONNECTION_URI: ${{ secrets.DB_CONNECTION_URI }}
-          run: |
-            cd backend
-            npm install
-            npm run migration:latest
-        - name: Save commit hashes for tag
-          id: commit
-          uses: pr-mpt/actions-commit-hash@v2
-        - name: Download task definition
-          run: |
-            aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
-        - name: Render Amazon ECS task definition
-          id: render-web-container
-          uses: aws-actions/amazon-ecs-render-task-definition@v1
-          with:
-            task-definition: task-definition.json
-            container-name: infisical-core-platform
-            image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
-            environment-variables: "LOG_LEVEL=info"
-        - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
-          with:
-            task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-            service: infisical-core-platform
-            cluster: infisical-core-platform
-            wait-for-service-stability: true
-        - name: Post slack message 
-          uses: slackapi/slack-github-action@v2.0.0
-          with:
-            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-            webhook-type: incoming-webhook
-            payload: |
-              text: "*Deployment Status Update*: ${{ job.status }}"
-              blocks:
-                - type: "section"
-                  text:
-                    type: "mrkdwn"
-                    text: "*Deployment Status Update*: ${{ job.status }}"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Application:*\nInfisical Core"
-                    - type: "mrkdwn"
-                      text: "*Instance Type:*\nShared Infisical Cloud"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Region:*\nEU"
-                    - type: "mrkdwn"
-                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-

.github/workflows/release-k8-operator-helm.yml

@@ -0,0 +1,27 @@
+name: Release K8 Operator Helm Chart
+on:
+    workflow_dispatch:
+
+jobs:
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v2
+
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
+
+            - name: Install python
+              uses: actions/setup-python@v4
+
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
+
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_build_infisical_cli.yml

@@ -1,131 +1,147 @@
 name: Build and release CLI
 
 on:
-    workflow_dispatch:
+  workflow_dispatch:
 
-    push:
-        # run only against tags
-        tags:
-            - "infisical-cli/v*.*.*"
+  push:
+    # run only against tags
+    tags:
+      - "infisical-cli/v*.*.*"
 
 permissions:
-    contents: write
+  contents: write
 
 jobs:
-    cli-integration-tests:
-        name: Run tests before deployment
-        uses: ./.github/workflows/run-cli-tests.yml
-        secrets:
-            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
-            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
-            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
-            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
-            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
-            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
-            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
-            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+  # cli-integration-tests:
+  #   name: Run tests before deployment
+  #   uses: ./.github/workflows/run-cli-tests.yml
+  #   secrets:
+  #     CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+  #     CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+  #     CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+  #     CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+  #     CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+  #     CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+  #     CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+  #     CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
-    npm-release:
-        runs-on: ubuntu-20.04
+  # npm-release:
+  #   runs-on: ubuntu-latest
+  #   env:
+  #     working-directory: ./npm
+  #   needs:
+  #     - cli-integration-tests
+  #     - goreleaser
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #       with:
+  #         fetch-depth: 0
+
+  #     - name: Extract version
+  #       run: |
+  #         VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+  #         echo "Version extracted: $VERSION"
+  #         echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+  #     - name: Print version
+  #       run: echo ${{ env.CLI_VERSION }}
+
+  #     - name: Setup Node
+  #       uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+  #       with:
+  #         node-version: 20
+  #         cache: "npm"
+  #         cache-dependency-path: ./npm/package-lock.json
+  #     - name: Install dependencies
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm install --ignore-scripts
+
+  #     - name: Set NPM version
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+  #     - name: Setup NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: |
+  #         echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+  #         echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+  #         echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+  #         echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+  #       env:
+  #         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  #     - name: Pack NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm pack
+
+  #     - name: Publish NPM
+  #       working-directory: ${{ env.working-directory }}
+  #       run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+  #       env:
+  #         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  #         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  goreleaser:
+    runs-on: ubuntu-latest
+    needs: [cli-integration-tests]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - run: git fetch --force --tags
+      - run: echo "Ref name ${{github.ref_name}}"
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.19.3"
+          cache: true
+          cache-dependency-path: cli/go.sum
+      - name: Setup for libssl1.0-dev
+        run: |
+          echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
+          sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+          sudo apt update
+          sudo apt-get install -y libssl1.0-dev
+      - name: OSXCross for CGO Support
+        run: |
+          mkdir ../../osxcross
+          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser-pro
+          version: v1.26.2-pro
+          args: release --clean
         env:
-            working-directory: ./npm
-        needs:
-            - cli-integration-tests
-            - goreleaser
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-
-            - name: Extract version
-              run: |
-                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-                  echo "Version extracted: $VERSION"
-                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
-
-            - name: Print version
-              run: echo ${{ env.CLI_VERSION }}
-
-            - name: Setup Node
-              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-              with:
-                  node-version: 20
-                  cache: "npm"
-                  cache-dependency-path: ./npm/package-lock.json
-            - name: Install dependencies
-              working-directory: ${{ env.working-directory }}
-              run: npm install --ignore-scripts
-
-            - name: Set NPM version
-              working-directory: ${{ env.working-directory }}
-              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
-
-            - name: Setup NPM
-              working-directory: ${{ env.working-directory }}
-              run: |
-                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-
-                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-            - name: Pack NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm pack
-
-            - name: Publish NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-    goreleaser:
-        runs-on: ubuntu-20.04
-        needs: [cli-integration-tests]
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - run: git fetch --force --tags
-            - run: echo "Ref name ${{github.ref_name}}"
-            - uses: actions/setup-go@v3
-              with:
-                  go-version: ">=1.19.3"
-                  cache: true
-                  cache-dependency-path: cli/go.sum
-            - name: libssl1.1 => libssl1.0-dev for OSXCross
-              run: |
-                  echo 'deb http://security.ubuntu.com/ubuntu bionic-security main' | sudo tee -a /etc/apt/sources.list
-                  sudo apt update && apt-cache policy libssl1.0-dev
-                  sudo apt-get install libssl1.0-dev
-            - name: OSXCross for CGO Support
-              run: |
-                  mkdir ../../osxcross
-                  git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
-            - uses: goreleaser/goreleaser-action@v4
-              with:
-                  distribution: goreleaser-pro
-                  version: v1.26.2-pro
-                  args: release --clean
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
-                  POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
-                  FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
-                  AUR_KEY: ${{ secrets.AUR_KEY }}
-                  GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-            - uses: actions/setup-python@v4
-            - run: pip install --upgrade cloudsmith-cli
-            - name: Publish to CloudSmith
-              run: sh cli/upload_to_cloudsmith.sh
-              env:
-                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
+          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      - uses: actions/setup-python@v4
+      - run: pip install --upgrade cloudsmith-cli
+      - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
+        with:
+          ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - name: Install deb-s3
+        run: gem install deb-s3
+      - name: Configure GPG Key
+        run: echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --passphrase "$GPG_SIGNING_KEY_PASSPHRASE" --import
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+      - name: Publish to CloudSmith
+        run: sh cli/upload_to_cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}

.github/workflows/release_docker_k8_operator.yaml

@@ -1,52 +1,107 @@
-name: Release image + Helm chart K8s Operator
+name: Release K8 Operator Docker Image
 on:
-  push:
-    tags:
-      - "infisical-k8-operator/v*.*.*"
+    push:
+        tags:
+            - "infisical-k8-operator/v*.*.*"
+
+permissions:
+    contents: write
+    pull-requests: write
 
 jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Extract version from tag
-        id: extract_version
-        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
-      - uses: actions/checkout@v2
+    release-image:
+        name: Generate Helm Chart PR
+        runs-on: ubuntu-latest
+        outputs:
+            pr_number: ${{ steps.create-pr.outputs.pull-request-number }}
+        steps:
+            - name: Extract version from tag
+              id: extract_version
+              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical-k8-operator/}"
 
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v1
+            - name: Checkout code
+              uses: actions/checkout@v2
 
-      - name: 🔧 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+            # Dependency for helm generation
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
 
-      - name: 🐋 Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+            # Dependency for helm generation
+            - name: Install Go
+              uses: actions/setup-go@v4
+              with:
+                  go-version: 1.21
 
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: k8-operator
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            infisical/kubernetes-operator:latest
-            infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+            # Install binaries for helm generation
+            - name: Install dependencies
+              working-directory: k8-operator
+              run: |
+                  make helmify
+                  make kustomize
+                  make controller-gen
 
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: v3.10.0
-      - name: Install python
-        uses: actions/setup-python@v4
-      - name: Install Cloudsmith CLI
-        run: pip install --upgrade cloudsmith-cli
-      - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
-        env:
-          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+            - name: Generate Helm Chart
+              working-directory: k8-operator
+              run: make helm
+
+            - name: Update Helm Chart Version
+              run: ./k8-operator/scripts/update-version.sh ${{ steps.extract_version.outputs.version }}
+
+            - name: Debug - Check file changes
+              run: |
+                  echo "Current git status:"
+                  git status
+                  echo ""
+                  echo "Modified files:"
+                  git diff --name-only
+
+                  # If there is no diff, exit with error. Version should always be changed, so if there is no diff, something is wrong and we should exit.
+                  if [ -z "$(git diff --name-only)" ]; then
+                    echo "No helm changes or version changes. Invalid release detected, Exiting."
+                    exit 1
+                  fi
+
+            - name: Create Helm Chart PR
+              id: create-pr
+              uses: peter-evans/create-pull-request@v5
+              with:
+                  token: ${{ secrets.GITHUB_TOKEN }}
+                  commit-message: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  committer: GitHub <noreply@github.com>
+                  author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+                  branch: helm-update-${{ steps.extract_version.outputs.version }}
+                  delete-branch: true
+                  title: "Update Helm chart to version ${{ steps.extract_version.outputs.version }}"
+                  body: |
+                      This PR updates the Helm chart to version `${{ steps.extract_version.outputs.version }}`.
+                      Additionally the helm chart has been updated to match the latest operator code changes.
+
+                      Associated Release Workflow: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+                      Once you have approved this PR, you can trigger the helm release workflow manually.
+                  base: main
+
+            - name: 🔧 Set up QEMU
+              uses: docker/setup-qemu-action@v1
+
+            - name: 🔧 Set up Docker Buildx
+              uses: docker/setup-buildx-action@v1
+
+            - name: 🐋 Login to Docker Hub
+              uses: docker/login-action@v1
+              with:
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+            - name: Build and push
+              id: docker_build
+              uses: docker/build-push-action@v2
+              with:
+                  context: k8-operator
+                  push: true
+                  platforms: linux/amd64,linux/arm64
+                  tags: |
+                      infisical/kubernetes-operator:latest
+                      infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}

.github/workflows/run-backend-tests.yml

@@ -34,7 +34,10 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Start integration test
+      - name: Run unit test
+        run: npm run test:unit
+        working-directory: backend
+      - name: Run integration test
         run: npm run test:e2e
         working-directory: backend
         env:
@@ -44,4 +47,5 @@ jobs:
           ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
       - name: cleanup
         run: |
-          docker compose -f "docker-compose.dev.yml" down
+          docker compose -f "docker-compose.dev.yml" down
+

.goreleaser.yaml

@@ -16,23 +16,23 @@ monorepo:
   dir: cli
 
 builds:
-  - id: darwin-build
-    binary: infisical
-    ldflags:
-      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
-      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
-    flags:
-      - -trimpath
-    env:
-      - CGO_ENABLED=1
-      - CC=/home/runner/work/osxcross/target/bin/o64-clang
-      - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
-    goos:
-      - darwin
-    ignore:
-      - goos: darwin
-        goarch: "386"
-    dir: ./cli
+#   - id: darwin-build
+#     binary: infisical
+#     ldflags:
+#       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+#       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+#     flags:
+#       - -trimpath
+#     env:
+#       - CGO_ENABLED=1
+#       - CC=/home/runner/work/osxcross/target/bin/o64-clang
+#       - CXX=/home/runner/work/osxcross/target/bin/o64-clang++
+#     goos:
+#       - darwin
+#     ignore:
+#       - goos: darwin
+#         goarch: "386"
+#     dir: ./cli
 
   - id: all-other-builds
     env:
@@ -44,11 +44,11 @@ builds:
     flags:
       - -trimpath
     goos:
-      - freebsd
+      # - freebsd
       - linux
-      - netbsd
-      - openbsd
-      - windows
+      # - netbsd
+      # - openbsd
+      # - windows
     goarch:
       - "386"
       - amd64
@@ -75,8 +75,10 @@ archives:
       - ../completions/*
 
 release:
-  replace_existing_draft: true
-  mode: "replace"
+  # replace_existing_draft: true
+  # mode: "replace"
+  disable: true
+  skip_upload: true
 
 checksum:
   name_template: "checksums.txt"
@@ -91,39 +93,39 @@ snapshot:
 #     dir: "{{ dir .ArtifactPath }}"
 #     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/infisical/
 
-brews:
-  - name: infisical
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
-  - name: "infisical@{{.Version}}"
-    tap:
-      owner: Infisical
-      name: homebrew-get-cli
-    commit_author:
-      name: "Infisical"
-      email: ai@infisical.com
-    folder: Formula
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    install: |-
-      bin.install "infisical"
-      bash_completion.install "completions/infisical.bash" => "infisical"
-      zsh_completion.install "completions/infisical.zsh" => "_infisical"
-      fish_completion.install "completions/infisical.fish"
-      man1.install "manpages/infisical.1.gz"
+# brews:
+#   - name: infisical
+#     tap:
+#       owner: Infisical
+#       name: homebrew-get-cli
+#     commit_author:
+#       name: "Infisical"
+#       email: ai@infisical.com
+#     folder: Formula
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     install: |-
+#       bin.install "infisical"
+#       bash_completion.install "completions/infisical.bash" => "infisical"
+#       zsh_completion.install "completions/infisical.zsh" => "_infisical"
+#       fish_completion.install "completions/infisical.fish"
+#       man1.install "manpages/infisical.1.gz"
+#   - name: "infisical@{{.Version}}"
+#     tap:
+#       owner: Infisical
+#       name: homebrew-get-cli
+#     commit_author:
+#       name: "Infisical"
+#       email: ai@infisical.com
+#     folder: Formula
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     install: |-
+#       bin.install "infisical"
+#       bash_completion.install "completions/infisical.bash" => "infisical"
+#       zsh_completion.install "completions/infisical.zsh" => "_infisical"
+#       fish_completion.install "completions/infisical.fish"
+#       man1.install "manpages/infisical.1.gz"
 
 nfpms:
   - id: infisical
@@ -136,10 +138,10 @@ nfpms:
     description: The offical Infisical CLI
     license: MIT
     formats:
-      - rpm
+      # - rpm
       - deb
-      - apk
-      - archlinux
+      # - apk
+      # - archlinux
     bindir: /usr/bin
     contents:
       - src: ./completions/infisical.bash
@@ -151,73 +153,73 @@ nfpms:
       - src: ./manpages/infisical.1.gz
         dst: /usr/share/man/man1/infisical.1.gz
 
-scoop:
-  bucket:
-    owner: Infisical
-    name: scoop-infisical
-  commit_author:
-    name: "Infisical"
-    email: ai@infisical.com
-  homepage: "https://infisical.com"
-  description: "The official Infisical CLI"
-  license: MIT
+# scoop:
+#   bucket:
+#     owner: Infisical
+#     name: scoop-infisical
+#   commit_author:
+#     name: "Infisical"
+#     email: ai@infisical.com
+#   homepage: "https://infisical.com"
+#   description: "The official Infisical CLI"
+#   license: MIT
 
-aurs:
-  - name: infisical-bin
-    homepage: "https://infisical.com"
-    description: "The official Infisical CLI"
-    maintainers:
-      - Infisical, Inc <support@infisical.com>
-    license: MIT
-    private_key: "{{ .Env.AUR_KEY }}"
-    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
-    package: |-
-      # bin
-      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
-      # license
-      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-      # completions
-      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
-      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
-      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
-      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
-      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
-      # man pages
-      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+# aurs:
+#   - name: infisical-bin
+#     homepage: "https://infisical.com"
+#     description: "The official Infisical CLI"
+#     maintainers:
+#       - Infisical, Inc <support@infisical.com>
+#     license: MIT
+#     private_key: "{{ .Env.AUR_KEY }}"
+#     git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
+#     package: |-
+#       # bin
+#       install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
+#       # license
+#       install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
+#       # completions
+#       mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+#       mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+#       mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+#       install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+#       install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
+#       install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+#       # man pages
+#       install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
 
-dockers:
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:latest-amd64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/amd64"
-  - dockerfile: docker/alpine
-    goos: linux
-    goarch: amd64
-    use: buildx
-    ids:
-      - all-other-builds
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-      - "infisical/cli:latest-arm64"
-    build_flag_templates:
-      - "--pull"
-      - "--platform=linux/arm64"
+# dockers:
+#   - dockerfile: docker/alpine
+#     goos: linux
+#     goarch: amd64
+#     use: buildx
+#     ids:
+#       - all-other-builds
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+#       - "infisical/cli:latest-amd64"
+#     build_flag_templates:
+#       - "--pull"
+#       - "--platform=linux/amd64"
+#   - dockerfile: docker/alpine
+#     goos: linux
+#     goarch: amd64
+#     use: buildx
+#     ids:
+#       - all-other-builds
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+#       - "infisical/cli:latest-arm64"
+#     build_flag_templates:
+#       - "--pull"
+#       - "--platform=linux/arm64"
 
-docker_manifests:
-  - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
-    image_templates:
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
-      - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
-  - name_template: "infisical/cli:latest"
-    image_templates:
-      - "infisical/cli:latest-amd64"
-      - "infisical/cli:latest-arm64"
+# docker_manifests:
+#   - name_template: "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+#     image_templates:
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64"
+#       - "infisical/cli:{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64"
+#   - name_template: "infisical/cli:latest"
+#     image_templates:
+#       - "infisical/cli:latest-amd64"
+#       - "infisical/cli:latest-arm64"

.infisicalignore

@@ -8,3 +8,9 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
+docs/cli/commands/bootstrap.mdx:jwt:86
+docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:102
+docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
+frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
+k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
+k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52

Dockerfile.fips.standalone-infisical

@@ -161,6 +161,9 @@ COPY --from=backend-runner /app /backend
 
 COPY --from=frontend-runner /app ./backend/frontend-build
 
+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
+
 ENV PORT 8080
 ENV HOST=0.0.0.0
 ENV HTTPS_ENABLED false 

Dockerfile.standalone-infisical

@@ -3,13 +3,10 @@ ARG POSTHOG_API_KEY=posthog-api-key
 ARG INTERCOM_ID=intercom-id
 ARG CAPTCHA_SITE_KEY=captcha-site-key
 
-FROM  node:20-alpine AS base
+FROM node:20-slim AS base
 
 FROM base AS frontend-dependencies
 
-# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
-RUN apk add --no-cache libc6-compat
-
 WORKDIR /app
 
 COPY frontend/package.json frontend/package-lock.json  ./
@@ -45,8 +42,8 @@ RUN npm run build
 FROM base AS frontend-runner
 WORKDIR /app
 
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY --from=frontend-builder --chown=non-root-user:nodejs /app/dist ./
 
@@ -56,21 +53,23 @@ USER non-root-user
 ## BACKEND
 ##
 FROM base AS backend-build
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
 
 WORKDIR /app
 
 # Install all required dependencies for build
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 1001 nodejs
+RUN useradd --system --uid 1001 --gid nodejs non-root-user
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -86,18 +85,19 @@ FROM base AS backend-runner
 WORKDIR /app
 
 # Install all required dependencies for runtime
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
-    freetds-dev
+    freetds-dev \
+    && rm -rf /var/lib/apt/lists/*
 
 # Configure ODBC
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 COPY backend/package*.json ./
 RUN npm ci --only-production
@@ -109,34 +109,36 @@ RUN mkdir frontend-build
 # Production stage
 FROM base AS production
 
-RUN apk add --upgrade --no-cache ca-certificates
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.31.1 && apk add --no-cache git
-
-WORKDIR /
-
-# Install all required runtime dependencies
-RUN apk --update add \
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    bash \
+    curl \
+    git \
     python3 \
     make \
     g++ \
     unixodbc \
-    freetds \
+    freetds-bin \
     unixodbc-dev \
     libc-dev \
     freetds-dev \
-    bash \
-    curl \
-    git \
-    openssh
+		wget \
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
 
 # Configure ODBC in production
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 # Setup user permissions
-RUN addgroup --system --gid 1001 nodejs \
-  && adduser --system --uid 1001 non-root-user
+RUN groupadd --system --gid 1001 nodejs \
+  && useradd --system --uid 1001 --gid nodejs non-root-user
 
 # Give non-root-user permission to update SSL certs
 RUN chown -R non-root-user /etc/ssl/certs
@@ -154,11 +156,11 @@ ENV INTERCOM_ID=$INTERCOM_ID
 ARG CAPTCHA_SITE_KEY
 ENV CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
 
-
 COPY --from=backend-runner /app /backend
-
 COPY --from=frontend-runner /app ./backend/frontend-build
 
+ARG INFISICAL_PLATFORM_VERSION
+ENV INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
 
 ENV PORT 8080
 ENV HOST=0.0.0.0
@@ -166,6 +168,7 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
+
 WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true

backend/Dockerfile

@@ -1,23 +1,22 @@
 # Build stage
-FROM node:20-alpine AS build
+FROM node:20-slim AS build
 
 WORKDIR /app
 
 # Required for pkcs11js
-RUN apk --update add \
-        python3 \
-        make \
-        g++ \
-        openssh
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++ \
+    openssh-client
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
+    freetds-bin \
+    freetds-dev \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
-
+    libc-dev
 
 COPY package*.json ./
 RUN npm ci --only-production
@@ -26,36 +25,36 @@ COPY . .
 RUN npm run build
 
 # Production stage
-FROM node:20-alpine
+FROM node:20-slim
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
 
-RUN apk --update add \
-        python3 \
-        make \
-        g++
+RUN apt-get update && apt-get install -y \
+    python3 \
+    make \
+    g++
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
+    freetds-bin \
+    freetds-dev \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
+    libc-dev
 
-
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .
 
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN apt-get install -y curl bash && \
+    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && apt-get install -y infisical=0.8.1 git
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js

backend/Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:20-slim
 
 # ? Setup a test SoftHSM module. In production a real HSM is used.
 
@@ -7,32 +7,32 @@ ARG SOFTHSM2_VERSION=2.5.0
 ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
     SOFTHSM2_SOURCES=/tmp/softhsm2
 
-# install build dependencies including python3 (required for pkcs11js and partially TDS driver)
-RUN apk --update add \
-        alpine-sdk \
-        autoconf \
-        automake \
-        git \
-        libtool \
-        openssl-dev \
-        python3 \
-        make \
-        g++ \
-        openssh
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config
 
-# install dependencies for TDS driver (required for SAP ASE dynamic secrets)
-RUN apk add --no-cache \
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
     unixodbc \
-    freetds \
     unixodbc-dev \
-    libc-dev \
-    freetds-dev
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
 
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
-RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/libtdsodbc.so\nSetup = /usr/lib/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
-
-# build and install SoftHSM2
-
+# Build and install SoftHSM2
 RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
 WORKDIR ${SOFTHSM2_SOURCES}
 
@@ -45,16 +45,18 @@ RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
 WORKDIR /root
 RUN rm -fr ${SOFTHSM2_SOURCES}
 
-# install pkcs11-tool
-RUN apk --update add opensc
+# Install pkcs11-tool
+RUN apt-get install -y opensc
 
-RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
 
 # ? App setup
 
-RUN apk add --no-cache bash curl && curl -1sLf \
-  'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
-  && apk add infisical=0.8.1 && apk add --no-cache git
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
 
 WORKDIR /app
 

backend/Dockerfile.dev.fips

@@ -0,0 +1,85 @@
+FROM node:20-slim
+
+# ? Setup a test SoftHSM module. In production a real HSM is used.
+
+ARG SOFTHSM2_VERSION=2.5.0
+
+ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
+    SOFTHSM2_SOURCES=/tmp/softhsm2
+
+# Install build dependencies including python3 (required for pkcs11js and partially TDS driver)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    git \
+    libtool \
+    libssl-dev \
+    python3 \
+    make \
+    g++ \
+    openssh-client \
+    curl \
+    pkg-config \
+    perl \
+    wget
+
+# Install dependencies for TDS driver (required for SAP ASE dynamic secrets)
+RUN apt-get install -y \
+    unixodbc \
+    unixodbc-dev \
+    freetds-dev \
+    freetds-bin \
+    tdsodbc
+
+RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nFileUsage = 1\n" > /etc/odbcinst.ini
+
+# Build and install SoftHSM2
+RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
+WORKDIR ${SOFTHSM2_SOURCES}
+
+RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
+    && sh autogen.sh \
+    && ./configure --prefix=/usr/local --disable-gost \
+    && make \
+    && make install
+
+WORKDIR /root
+RUN rm -fr ${SOFTHSM2_SOURCES}
+
+# Install pkcs11-tool
+RUN apt-get install -y opensc
+
+RUN mkdir -p /etc/softhsm2/tokens && \
+    softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
+    
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
+# ? App setup
+
+# Install Infisical CLI
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && \
+    apt-get install -y infisical=0.8.1
+
+WORKDIR /app
+
+COPY package.json package.json
+COPY package-lock.json package-lock.json
+
+RUN npm install
+
+COPY . .
+
+ENV HOST=0.0.0.0
+ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+
+CMD ["npm", "run", "dev:docker"]

backend/e2e-test/mocks/queue.ts

@@ -11,6 +11,7 @@ export const mockQueue = (): TQueueServiceFactory => {
       job[name] = jobData;
     },
     queuePg: async () => {},
+    schedulePg: async () => {},
     initialize: async () => {},
     shutdown: async () => undefined,
     stopRepeatableJob: async () => true,

backend/e2e-test/routes/v3/secrets-v2.spec.ts

@@ -535,6 +535,107 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       );
     });
 
+    test.each(secretTestCases)("Bulk upsert secrets in path $path", async ({ secret, path }) => {
+      const updateSharedSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          secretPath: path,
+          mode: "upsert",
+          secrets: Array.from(Array(5)).map((_e, i) => ({
+            secretKey: `BULK-${secret.key}-${i + 1}`,
+            secretValue: "update-value",
+            secretComment: secret.comment
+          }))
+        }
+      });
+      expect(updateSharedSecRes.statusCode).toBe(200);
+      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
+      expect(updateSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const secrets = await getSecrets(seedData1.environment.slug, path);
+      expect(secrets).toEqual(
+        expect.arrayContaining(
+          Array.from(Array(5)).map((_e, i) =>
+            expect.objectContaining({
+              secretKey: `BULK-${secret.key}-${i + 1}`,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      await Promise.all(
+        Array.from(Array(5)).map((_e, i) => deleteSecret({ path, key: `BULK-${secret.key}-${i + 1}` }))
+      );
+    });
+
+    test("Bulk upsert secrets in path multiple paths", async () => {
+      const firstBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
+        secretKey: `BULK-KEY-${secretTestCases[0].secret.key}-${i + 1}`,
+        secretValue: "update-value",
+        secretComment: "comment",
+        secretPath: secretTestCases[0].path
+      }));
+      const secondBatchSecrets = Array.from(Array(5)).map((_e, i) => ({
+        secretKey: `BULK-KEY-${secretTestCases[1].secret.key}-${i + 1}`,
+        secretValue: "update-value",
+        secretComment: "comment",
+        secretPath: secretTestCases[1].path
+      }));
+      const testSecrets = [...firstBatchSecrets, ...secondBatchSecrets];
+
+      const updateSharedSecRes = await testServer.inject({
+        method: "PATCH",
+        url: `/api/v3/secrets/batch/raw`,
+        headers: {
+          authorization: `Bearer ${authToken}`
+        },
+        body: {
+          workspaceId: seedData1.projectV3.id,
+          environment: seedData1.environment.slug,
+          mode: "upsert",
+          secrets: testSecrets
+        }
+      });
+      expect(updateSharedSecRes.statusCode).toBe(200);
+      const updateSharedSecPayload = JSON.parse(updateSharedSecRes.payload);
+      expect(updateSharedSecPayload).toHaveProperty("secrets");
+
+      // bulk ones should exist
+      const firstBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[0].path);
+      expect(firstBatchSecretsOnInfisical).toEqual(
+        expect.arrayContaining(
+          firstBatchSecrets.map((el) =>
+            expect.objectContaining({
+              secretKey: el.secretKey,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      const secondBatchSecretsOnInfisical = await getSecrets(seedData1.environment.slug, secretTestCases[1].path);
+      expect(secondBatchSecretsOnInfisical).toEqual(
+        expect.arrayContaining(
+          secondBatchSecrets.map((el) =>
+            expect.objectContaining({
+              secretKey: el.secretKey,
+              secretValue: "update-value",
+              type: SecretType.Shared
+            })
+          )
+        )
+      );
+      await Promise.all(testSecrets.map((el) => deleteSecret({ path: el.secretPath, key: el.secretKey })));
+    });
+
     test.each(secretTestCases)("Bulk delete secrets in path $path", async ({ secret, path }) => {
       await Promise.all(
         Array.from(Array(5)).map((_e, i) => createSecret({ ...secret, key: `BULK-${secret.key}-${i + 1}`, path }))

backend/e2e-test/vitest-environment-knex.ts

@@ -23,14 +23,14 @@ export default {
   name: "knex-env",
   transformMode: "ssr",
   async setup() {
-    const logger = await initLogger();
-    const cfg = initEnvConfig(logger);
+    const logger = initLogger();
+    const envConfig = initEnvConfig(logger);
     const db = initDbConnection({
-      dbConnectionUri: cfg.DB_CONNECTION_URI,
-      dbRootCert: cfg.DB_ROOT_CERT
+      dbConnectionUri: envConfig.DB_CONNECTION_URI,
+      dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = new Redis(cfg.REDIS_URL);
+    const redis = new Redis(envConfig.REDIS_URL);
     await redis.flushdb("SYNC");
 
     try {
@@ -42,6 +42,7 @@ export default {
         },
         true
       );
+
       await db.migrate.latest({
         directory: path.join(__dirname, "../src/db/migrations"),
         extension: "ts",
@@ -52,14 +53,24 @@ export default {
         directory: path.join(__dirname, "../src/db/seeds"),
         extension: "ts"
       });
-      const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(cfg.REDIS_URL, { dbConnectionUrl: cfg.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(cfg.REDIS_URL);
 
-      const hsmModule = initializeHsmModule();
+      const smtp = mockSmtpServer();
+      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
+
+      const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();
 
-      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule(), redis });
+      const server = await main({
+        db,
+        smtp,
+        logger,
+        queue,
+        keyStore,
+        hsmModule: hsmModule.getModule(),
+        redis,
+        envConfig
+      });
 
       // @ts-expect-error type
       globalThis.testServer = server;
@@ -73,8 +84,8 @@ export default {
           organizationId: seedData1.organization.id,
           accessVersion: 1
         },
-        cfg.AUTH_SECRET,
-        { expiresIn: cfg.JWT_AUTH_LIFETIME }
+        envConfig.AUTH_SECRET,
+        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
       // eslint-disable-next-line

backend/nodejs.cnf

@@ -0,0 +1,16 @@
+nodejs_conf = nodejs_init
+
+.include /usr/local/ssl/fipsmodule.cnf
+
+[nodejs_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+fips = fips_sect
+
+[default_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes 

backend/package.json

@@ -40,29 +40,38 @@
     "type:check": "tsc --noEmit",
     "lint:fix": "eslint --fix --ext js,ts ./src",
     "lint": "eslint 'src/**/*.ts'",
+    "test:unit": "vitest run -c vitest.unit.config.ts",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
     "test:e2e-coverage": "vitest run --coverage -c vitest.e2e.config.ts",
     "generate:component": "tsx ./scripts/create-backend-file.ts",
     "generate:schema": "tsx ./scripts/generate-schema-types.ts && eslint --fix --ext ts ./src/db/schemas",
-    "auditlog-migration:latest": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:latest",
-    "auditlog-migration:up": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:up",
-    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
-    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
-    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
-    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
-    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
+    "auditlog-migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:latest",
+    "auditlog-migration:up": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:up",
+    "auditlog-migration:down": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:down",
+    "auditlog-migration:list": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:list",
+    "auditlog-migration:status": "knex --knexfile ./dist/db/auditlog-knexfile.mjs --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:unlock",
+    "auditlog-migration:rollback": "knex --knexfile ./dist/db/auditlog-knexfile.mjs migrate:rollback",
     "migration:new": "tsx ./scripts/create-migration.ts",
-    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
-    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
-    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
-    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
-    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
-    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
-    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
+    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:up",
+    "migration:down": "npm run auditlog-migration:down && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:down",
+    "migration:list": "npm run auditlog-migration:list && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:list",
+    "migration:latest": "node ./dist/db/rename-migrations-to-mjs.mjs && npm run auditlog-migration:latest && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:latest",
+    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./dist/db/knexfile.mjs --client pg migrate:status",
+    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./dist/db/knexfile.mjs migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./dist/db/knexfile.mjs migrate:unlock",
+    "migration:up-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
+    "migration:down-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:down",
+    "migration:list-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:list",
+    "migration:latest-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
+    "migration:status-dev": "knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
+    "migration:rollback-dev": "knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock-dev": "knex --knexfile ./src/db/knexfile.ts migrate:unlock",
     "migrate:org": "tsx ./scripts/migrate-organization.ts",
     "seed:new": "tsx ./scripts/create-seed-file.ts",
-    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
+    "seed": "knex --knexfile ./dist/db/knexfile.ts --client pg seed:run",
+    "seed-dev": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
     "db:reset": "npm run migration:rollback -- --all && npm run migration:latest"
   },
   "keywords": [],
@@ -129,7 +138,7 @@
     "@fastify/etag": "^5.1.0",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
-    "@fastify/multipart": "8.3.0",
+    "@fastify/multipart": "8.3.1",
     "@fastify/passport": "^2.4.0",
     "@fastify/rate-limit": "^9.0.0",
     "@fastify/request-context": "^5.1.0",
@@ -138,17 +147,18 @@
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^2.1.0",
     "@google-cloud/kms": "^4.5.0",
-    "@node-saml/passport-saml": "^4.0.4",
+    "@infisical/quic": "^1.0.8",
+    "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
     "@octopusdeploy/api-client": "^3.4.1",
     "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.53.0",
     "@opentelemetry/exporter-metrics-otlp-proto": "^0.55.0",
     "@opentelemetry/exporter-prometheus": "^0.55.0",
     "@opentelemetry/instrumentation": "^0.55.0",
+    "@opentelemetry/instrumentation-http": "^0.57.2",
     "@opentelemetry/resources": "^1.28.0",
     "@opentelemetry/sdk-metrics": "^1.28.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
@@ -156,8 +166,8 @@
     "@peculiar/x509": "^1.12.1",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
     "@sindresorhus/slugify": "1.1.0",
-    "@slack/oauth": "^3.0.1",
-    "@slack/web-api": "^7.3.4",
+    "@slack/oauth": "^3.0.2",
+    "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
@@ -169,6 +179,7 @@
     "cassandra-driver": "^4.7.2",
     "connect-redis": "^7.1.1",
     "cron": "^3.1.7",
+    "dd-trace": "^5.40.0",
     "dotenv": "^16.4.1",
     "fastify": "^4.28.1",
     "fastify-plugin": "^4.5.1",
@@ -177,6 +188,7 @@
     "handlebars": "^4.7.8",
     "hdb": "^0.19.10",
     "ioredis": "^5.3.2",
+    "isomorphic-dompurify": "^2.22.0",
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",
@@ -189,7 +201,7 @@
     "mongodb": "^6.8.1",
     "ms": "^2.1.3",
     "mysql2": "^3.9.8",
-    "nanoid": "^3.3.4",
+    "nanoid": "^3.3.8",
     "nodemailer": "^6.9.9",
     "odbc": "^2.4.9",
     "openid-client": "^5.6.5",

backend/src/@types/fastify-request-context.d.ts

@@ -1,7 +0,0 @@
-import "@fastify/request-context";
-
-declare module "@fastify/request-context" {
-  interface RequestContextData {
-    reqId: string;
-  }
-}

backend/src/@types/fastify.d.ts

@@ -13,9 +13,13 @@ import { TCertificateEstServiceFactory } from "@app/ee/services/certificate-est/
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TIdentityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
+import { TKmipClientDALFactory } from "@app/ee/services/kmip/kmip-client-dal";
+import { TKmipOperationServiceFactory } from "@app/ee/services/kmip/kmip-operation-service";
+import { TKmipServiceFactory } from "@app/ee/services/kmip/kmip-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
@@ -29,6 +33,7 @@ import { TScimServiceFactory } from "@app/ee/services/scim/scim-service";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
 import { TSecretApprovalRequestServiceFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-service";
 import { TSecretRotationServiceFactory } from "@app/ee/services/secret-rotation/secret-rotation-service";
+import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
 import { TSecretScanningServiceFactory } from "@app/ee/services/secret-scanning/secret-scanning-service";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { TSshCertificateAuthorityServiceFactory } from "@app/ee/services/ssh/ssh-certificate-authority-service";
@@ -93,6 +98,19 @@ import { TUserEngagementServiceFactory } from "@app/services/user-engagement/use
 import { TWebhookServiceFactory } from "@app/services/webhook/webhook-service";
 import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integration/workflow-integration-service";
 
+declare module "@fastify/request-context" {
+  interface RequestContextData {
+    reqId: string;
+    identityAuthInfo?: {
+      identityId: string;
+      oidc?: {
+        claims: Record<string, string>;
+      };
+    };
+    identityPermissionMetadata?: Record<string, unknown>; // filled by permission service
+  }
+}
+
 declare module "fastify" {
   interface Session {
     callbackPort: string;
@@ -120,6 +138,11 @@ declare module "fastify" {
       isUserCompleted: string;
       providerAuthToken: string;
     };
+    kmipUser: {
+      projectId: string;
+      clientId: string;
+      name: string;
+    };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
     ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
@@ -212,11 +235,16 @@ declare module "fastify" {
       totp: TTotpServiceFactory;
       appConnection: TAppConnectionServiceFactory;
       secretSync: TSecretSyncServiceFactory;
+      kmip: TKmipServiceFactory;
+      kmipOperation: TKmipOperationServiceFactory;
+      gateway: TGatewayServiceFactory;
+      secretRotationV2: TSecretRotationV2ServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer
     store: {
       user: Pick<TUserDALFactory, "findById">;
+      kmipClient: Pick<TKmipClientDALFactory, "findByProjectAndClientId">;
     };
   }
 }

backend/src/@types/knex.d.ts

@@ -17,6 +17,9 @@ import {
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
+  TAppConnections,
+  TAppConnectionsInsert,
+  TAppConnectionsUpdate,
   TAuditLogs,
   TAuditLogsInsert,
   TAuditLogStreams,
@@ -65,9 +68,15 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalGroupOrgRoleMappings,
+  TExternalGroupOrgRoleMappingsInsert,
+  TExternalGroupOrgRoleMappingsUpdate,
   TExternalKms,
   TExternalKmsInsert,
   TExternalKmsUpdate,
+  TGateways,
+  TGatewaysInsert,
+  TGatewaysUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -143,6 +152,18 @@ import {
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
+  TKmipClientCertificates,
+  TKmipClientCertificatesInsert,
+  TKmipClientCertificatesUpdate,
+  TKmipClients,
+  TKmipClientsInsert,
+  TKmipClientsUpdate,
+  TKmipOrgConfigs,
+  TKmipOrgConfigsInsert,
+  TKmipOrgConfigsUpdate,
+  TKmipOrgServerCertificates,
+  TKmipOrgServerCertificatesInsert,
+  TKmipOrgServerCertificatesUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -167,6 +188,9 @@ import {
   TOrgBots,
   TOrgBotsInsert,
   TOrgBotsUpdate,
+  TOrgGatewayConfig,
+  TOrgGatewayConfigInsert,
+  TOrgGatewayConfigUpdate,
   TOrgMemberships,
   TOrgMembershipsInsert,
   TOrgMembershipsUpdate,
@@ -188,6 +212,9 @@ import {
   TProjectEnvironments,
   TProjectEnvironmentsInsert,
   TProjectEnvironmentsUpdate,
+  TProjectGateways,
+  TProjectGatewaysInsert,
+  TProjectGatewaysUpdate,
   TProjectKeys,
   TProjectKeysInsert,
   TProjectKeysUpdate,
@@ -278,6 +305,12 @@ import {
   TSecretRotations,
   TSecretRotationsInsert,
   TSecretRotationsUpdate,
+  TSecretRotationsV2,
+  TSecretRotationsV2Insert,
+  TSecretRotationsV2Update,
+  TSecretRotationV2SecretMappings,
+  TSecretRotationV2SecretMappingsInsert,
+  TSecretRotationV2SecretMappingsUpdate,
   TSecrets,
   TSecretScanningGitRisks,
   TSecretScanningGitRisksInsert,
@@ -299,15 +332,27 @@ import {
   TSecretSnapshotsInsert,
   TSecretSnapshotsUpdate,
   TSecretsUpdate,
+  TSecretsV2,
+  TSecretsV2Insert,
+  TSecretsV2Update,
+  TSecretSyncs,
+  TSecretSyncsInsert,
+  TSecretSyncsUpdate,
   TSecretTagJunction,
   TSecretTagJunctionInsert,
   TSecretTagJunctionUpdate,
   TSecretTags,
   TSecretTagsInsert,
   TSecretTagsUpdate,
+  TSecretV2TagJunction,
+  TSecretV2TagJunctionInsert,
+  TSecretV2TagJunctionUpdate,
   TSecretVersions,
   TSecretVersionsInsert,
   TSecretVersionsUpdate,
+  TSecretVersionsV2,
+  TSecretVersionsV2Insert,
+  TSecretVersionsV2Update,
   TSecretVersionTagJunction,
   TSecretVersionTagJunctionInsert,
   TSecretVersionTagJunctionUpdate,
@@ -366,24 +411,6 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import { TAppConnections, TAppConnectionsInsert, TAppConnectionsUpdate } from "@app/db/schemas/app-connections";
-import {
-  TExternalGroupOrgRoleMappings,
-  TExternalGroupOrgRoleMappingsInsert,
-  TExternalGroupOrgRoleMappingsUpdate
-} from "@app/db/schemas/external-group-org-role-mappings";
-import { TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate } from "@app/db/schemas/secret-syncs";
-import {
-  TSecretV2TagJunction,
-  TSecretV2TagJunctionInsert,
-  TSecretV2TagJunctionUpdate
-} from "@app/db/schemas/secret-v2-tag-junction";
-import {
-  TSecretVersionsV2,
-  TSecretVersionsV2Insert,
-  TSecretVersionsV2Update
-} from "@app/db/schemas/secret-versions-v2";
-import { TSecretsV2, TSecretsV2Insert, TSecretsV2Update } from "@app/db/schemas/secrets-v2";
 
 declare module "knex" {
   namespace Knex {
@@ -902,5 +929,42 @@ declare module "knex/types/tables" {
       TAppConnectionsUpdate
     >;
     [TableName.SecretSync]: KnexOriginal.CompositeTableType<TSecretSyncs, TSecretSyncsInsert, TSecretSyncsUpdate>;
+    [TableName.KmipClient]: KnexOriginal.CompositeTableType<TKmipClients, TKmipClientsInsert, TKmipClientsUpdate>;
+    [TableName.KmipOrgConfig]: KnexOriginal.CompositeTableType<
+      TKmipOrgConfigs,
+      TKmipOrgConfigsInsert,
+      TKmipOrgConfigsUpdate
+    >;
+    [TableName.KmipOrgServerCertificates]: KnexOriginal.CompositeTableType<
+      TKmipOrgServerCertificates,
+      TKmipOrgServerCertificatesInsert,
+      TKmipOrgServerCertificatesUpdate
+    >;
+    [TableName.KmipClientCertificates]: KnexOriginal.CompositeTableType<
+      TKmipClientCertificates,
+      TKmipClientCertificatesInsert,
+      TKmipClientCertificatesUpdate
+    >;
+    [TableName.Gateway]: KnexOriginal.CompositeTableType<TGateways, TGatewaysInsert, TGatewaysUpdate>;
+    [TableName.ProjectGateway]: KnexOriginal.CompositeTableType<
+      TProjectGateways,
+      TProjectGatewaysInsert,
+      TProjectGatewaysUpdate
+    >;
+    [TableName.OrgGatewayConfig]: KnexOriginal.CompositeTableType<
+      TOrgGatewayConfig,
+      TOrgGatewayConfigInsert,
+      TOrgGatewayConfigUpdate
+    >;
+    [TableName.SecretRotationV2]: KnexOriginal.CompositeTableType<
+      TSecretRotationsV2,
+      TSecretRotationsV2Insert,
+      TSecretRotationsV2Update
+    >;
+    [TableName.SecretRotationV2SecretMapping]: KnexOriginal.CompositeTableType<
+      TSecretRotationV2SecretMappings,
+      TSecretRotationV2SecretMappingsInsert,
+      TSecretRotationV2SecretMappingsUpdate
+    >;
   }
 }

backend/src/auto-start-migrations.ts

@@ -0,0 +1,105 @@
+import path from "node:path";
+
+import dotenv from "dotenv";
+import { Knex } from "knex";
+import { Logger } from "pino";
+
+import { PgSqlLock } from "./keystore/keystore";
+
+dotenv.config();
+
+type TArgs = {
+  auditLogDb?: Knex;
+  applicationDb: Knex;
+  logger: Logger;
+};
+
+const isProduction = process.env.NODE_ENV === "production";
+const migrationConfig = {
+  directory: path.join(__dirname, "./db/migrations"),
+  loadExtensions: [".mjs", ".ts"],
+  tableName: "infisical_migrations"
+};
+
+const migrationStatusCheckErrorHandler = (err: Error) => {
+  // happens for first time  in which the migration table itself is not created yet
+  //    error: select * from "infisical_migrations" - relation "infisical_migrations" does not exist
+  if (err?.message?.includes("does not exist")) {
+    return true;
+  }
+  throw err;
+};
+
+export const runMigrations = async ({ applicationDb, auditLogDb, logger }: TArgs) => {
+  try {
+    // akhilmhdh(Feb 10 2025): 2 years  from now remove this
+    if (isProduction) {
+      const migrationTable = migrationConfig.tableName;
+      const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
+      if (hasMigrationTable) {
+        const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
+        if (firstFile?.name?.includes(".ts")) {
+          await applicationDb(migrationTable).update({
+            name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
+          });
+        }
+      }
+      if (auditLogDb) {
+        const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
+        if (hasMigrationTableInAuditLog) {
+          const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
+          if (firstFile?.name?.includes(".ts")) {
+            await auditLogDb(migrationTable).update({
+              name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
+            });
+          }
+        }
+      }
+    }
+
+    const shouldRunMigration = Boolean(
+      await applicationDb.migrate.status(migrationConfig).catch(migrationStatusCheckErrorHandler)
+    ); // db.length - code.length
+    if (!shouldRunMigration) {
+      logger.info("No migrations pending: Skipping migration process.");
+      return;
+    }
+
+    if (auditLogDb) {
+      await auditLogDb.transaction(async (tx) => {
+        await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
+        logger.info("Running audit log migrations.");
+
+        const didPreviousInstanceRunMigration = !(await auditLogDb.migrate
+          .status(migrationConfig)
+          .catch(migrationStatusCheckErrorHandler));
+        if (didPreviousInstanceRunMigration) {
+          logger.info("No audit log migrations pending: Applied by previous instance. Skipping migration process.");
+          return;
+        }
+
+        await auditLogDb.migrate.latest(migrationConfig);
+        logger.info("Finished audit log migrations.");
+      });
+    }
+
+    await applicationDb.transaction(async (tx) => {
+      await tx.raw("SELECT pg_advisory_xact_lock(?)", [PgSqlLock.BootUpMigration]);
+      logger.info("Running application migrations.");
+
+      const didPreviousInstanceRunMigration = !(await applicationDb.migrate
+        .status(migrationConfig)
+        .catch(migrationStatusCheckErrorHandler));
+      if (didPreviousInstanceRunMigration) {
+        logger.info("No application migrations pending: Applied by previous instance. Skipping migration process.");
+        return;
+      }
+
+      await applicationDb.migrate.latest(migrationConfig);
+      logger.info("Finished application migrations.");
+    });
+  } catch (err) {
+    logger.error(err, "Boot up migration failed");
+    process.exit(1);
+  }
+};

backend/src/db/instance.ts

@@ -49,6 +49,9 @@ export const initDbConnection = ({
             ca: Buffer.from(dbRootCert, "base64").toString("ascii")
           }
         : false
+    },
+    migrations: {
+      tableName: "infisical_migrations"
     }
   });
 
@@ -64,6 +67,9 @@ export const initDbConnection = ({
               ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii")
             }
           : false
+      },
+      migrations: {
+        tableName: "infisical_migrations"
       }
     });
   });
@@ -98,6 +104,9 @@ export const initAuditLogDbConnection = ({
             ca: Buffer.from(dbRootCert, "base64").toString("ascii")
           }
         : false
+    },
+    migrations: {
+      tableName: "infisical_migrations"
     }
   });
 

backend/src/db/knexfile.ts

@@ -38,7 +38,8 @@ export default {
       directory: "./seeds"
     },
     migrations: {
-      tableName: "infisical_migrations"
+      tableName: "infisical_migrations",
+      loadExtensions: [".mjs", ".ts"]
     }
   },
   production: {
@@ -62,7 +63,8 @@ export default {
       max: 10
     },
     migrations: {
-      tableName: "infisical_migrations"
+      tableName: "infisical_migrations",
+      loadExtensions: [".mjs", ".ts"]
     }
   }
 } as Knex.Config;

backend/src/db/manual-migrations/partition-audit-logs.ts

@@ -16,7 +16,7 @@ const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Dat
   const startDateStr = formatPartitionDate(startDate);
   const endDateStr = formatPartitionDate(endDate);
 
-  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replaceAll("-", "")}_${endDateStr.replaceAll("-", "")}`;
 
   await knex.schema.raw(
     `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`

backend/src/db/migrations/20250203141127_add-kmip.ts

@@ -0,0 +1,108 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (!hasKmipClientTable) {
+    await knex.schema.createTable(TableName.KmipClient, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name").notNullable();
+      t.specificType("permissions", "text[]");
+      t.string("description");
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+    });
+  }
+
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (!hasKmipOrgPkiConfig) {
+    await knex.schema.createTable(TableName.KmipOrgConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+
+      t.string("caKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("serverIntermediateCaIssuedAt").notNullable();
+      t.datetime("serverIntermediateCaExpiration").notNullable();
+      t.string("serverIntermediateCaSerialNumber");
+      t.binary("encryptedServerIntermediateCaCertificate").notNullable();
+      t.binary("encryptedServerIntermediateCaChain").notNullable();
+      t.binary("encryptedServerIntermediateCaPrivateKey").notNullable();
+
+      t.datetime("clientIntermediateCaIssuedAt").notNullable();
+      t.datetime("clientIntermediateCaExpiration").notNullable();
+      t.string("clientIntermediateCaSerialNumber").notNullable();
+      t.binary("encryptedClientIntermediateCaCertificate").notNullable();
+      t.binary("encryptedClientIntermediateCaChain").notNullable();
+      t.binary("encryptedClientIntermediateCaPrivateKey").notNullable();
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (!hasKmipOrgServerCertTable) {
+    await knex.schema.createTable(TableName.KmipOrgServerCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.string("commonName").notNullable();
+      t.string("altNames").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.binary("encryptedCertificate").notNullable();
+      t.binary("encryptedChain").notNullable();
+    });
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (!hasKmipClientCertTable) {
+    await knex.schema.createTable(TableName.KmipClientCertificates, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("kmipClientId").notNullable();
+      t.foreign("kmipClientId").references("id").inTable(TableName.KmipClient).onDelete("CASCADE");
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasKmipOrgPkiConfig = await knex.schema.hasTable(TableName.KmipOrgConfig);
+  if (hasKmipOrgPkiConfig) {
+    await knex.schema.dropTable(TableName.KmipOrgConfig);
+    await dropOnUpdateTrigger(knex, TableName.KmipOrgConfig);
+  }
+
+  const hasKmipOrgServerCertTable = await knex.schema.hasTable(TableName.KmipOrgServerCertificates);
+  if (hasKmipOrgServerCertTable) {
+    await knex.schema.dropTable(TableName.KmipOrgServerCertificates);
+  }
+
+  const hasKmipClientCertTable = await knex.schema.hasTable(TableName.KmipClientCertificates);
+  if (hasKmipClientCertTable) {
+    await knex.schema.dropTable(TableName.KmipClientCertificates);
+  }
+
+  const hasKmipClientTable = await knex.schema.hasTable(TableName.KmipClient);
+  if (hasKmipClientTable) {
+    await knex.schema.dropTable(TableName.KmipClient);
+  }
+}

backend/src/db/migrations/20250210101840_webhook-to-kms.ts

@@ -0,0 +1,130 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
+  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
+  const hasUrl = await knex.schema.hasColumn(TableName.Webhook, "url");
+
+  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (!hasEncryptedKey) t.binary("encryptedPassKey");
+      if (!hasEncryptedUrl) t.binary("encryptedUrl");
+      if (hasUrl) t.string("url").nullable().alter();
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+  const webhooks = await knex(TableName.Webhook)
+    .where({})
+    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.Webhook}.envId`)
+    .select(
+      "url",
+      "encryptedSecretKey",
+      "iv",
+      "tag",
+      "keyEncoding",
+      "urlCipherText",
+      "urlIV",
+      "urlTag",
+      knex.ref("id").withSchema(TableName.Webhook),
+      "envId"
+    )
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedWebhooks = await Promise.all(
+    webhooks.map(async (el) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(el.projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId: el.projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(el.projectId, projectKmsService);
+      }
+
+      let encryptedSecretKey = null;
+      if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
+        const decyptedSecretKey = infisicalSymmetricDecrypt({
+          keyEncoding: el.keyEncoding as SecretKeyEncoding,
+          iv: el.iv,
+          tag: el.tag,
+          ciphertext: el.encryptedSecretKey
+        });
+        encryptedSecretKey = projectKmsService.encryptor({
+          plainText: Buffer.from(decyptedSecretKey, "utf8")
+        }).cipherTextBlob;
+      }
+
+      const decryptedUrl =
+        el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              iv: el.urlIV,
+              tag: el.urlTag,
+              ciphertext: el.urlCipherText
+            })
+          : null;
+
+      const encryptedUrl = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedUrl || el.url || "")
+      }).cipherTextBlob;
+      return { id: el.id, encryptedUrl, encryptedSecretKey, envId: el.envId };
+    })
+  );
+
+  for (let i = 0; i < updatedWebhooks.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.Webhook)
+      .insert(
+        updatedWebhooks.slice(i, i + BATCH_SIZE).map((el) => ({
+          id: el.id,
+          envId: el.envId,
+          url: "",
+          encryptedUrl: el.encryptedUrl,
+          encryptedPassKey: el.encryptedSecretKey
+        }))
+      )
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (!hasEncryptedUrl) t.binary("encryptedUrl").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedKey = await knex.schema.hasColumn(TableName.Webhook, "encryptedPassKey");
+  const hasEncryptedUrl = await knex.schema.hasColumn(TableName.Webhook, "encryptedUrl");
+
+  const hasWebhookTable = await knex.schema.hasTable(TableName.Webhook);
+  if (hasWebhookTable) {
+    await knex.schema.alterTable(TableName.Webhook, (t) => {
+      if (hasEncryptedKey) t.dropColumn("encryptedPassKey");
+      if (hasEncryptedUrl) t.dropColumn("encryptedUrl");
+    });
+  }
+}

backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts

@@ -0,0 +1,111 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
+  const hasInputCiphertextColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputCiphertext");
+  const hasInputIVColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputIV");
+  const hasInputTagColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "inputTag");
+
+  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (!hasEncryptedInputColumn) t.binary("encryptedInput");
+      if (hasInputCiphertextColumn) t.text("inputCiphertext").nullable().alter();
+      if (hasInputIVColumn) t.string("inputIV").nullable().alter();
+      if (hasInputTagColumn) t.string("inputTag").nullable().alter();
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const dynamicSecretRootCredentials = await knex(TableName.DynamicSecret)
+    .join(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.DynamicSecret}.folderId`)
+    .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
+    .select(selectAllTableCols(TableName.DynamicSecret))
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedDynamicSecrets = await Promise.all(
+    dynamicSecretRootCredentials.map(async ({ projectId, ...el }) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(projectId, projectKmsService);
+      }
+
+      const decryptedInputData =
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+        el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.inputIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.inputTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.inputCiphertext
+            })
+          : "";
+
+      const encryptedInput = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedInputData)
+      }).cipherTextBlob;
+
+      return { ...el, encryptedInput };
+    })
+  );
+
+  for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.DynamicSecret)
+      .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (!hasEncryptedInputColumn) t.binary("encryptedInput").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedInputColumn = await knex.schema.hasColumn(TableName.DynamicSecret, "encryptedInput");
+
+  const hasDynamicSecretTable = await knex.schema.hasTable(TableName.DynamicSecret);
+  if (hasDynamicSecretTable) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (hasEncryptedInputColumn) t.dropColumn("encryptedInput");
+    });
+  }
+}

backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts

@@ -0,0 +1,103 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+export async function up(knex: Knex): Promise<void> {
+  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+
+  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (!hasEncryptedRotationData) t.binary("encryptedRotationData");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const projectEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const secretRotations = await knex(TableName.SecretRotation)
+    .join(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretRotation}.envId`)
+    .select(selectAllTableCols(TableName.SecretRotation))
+    .select(knex.ref("projectId").withSchema(TableName.Environment))
+    .orderBy(`${TableName.Environment}.projectId` as "projectId");
+
+  const updatedRotationData = await Promise.all(
+    secretRotations.map(async ({ projectId, ...el }) => {
+      let projectKmsService = projectEncryptionRingBuffer.getItem(projectId);
+      if (!projectKmsService) {
+        projectKmsService = await kmsService.createCipherPairWithDataKey(
+          {
+            type: KmsDataKey.SecretManager,
+            projectId
+          },
+          knex
+        );
+        projectEncryptionRingBuffer.push(projectId, projectKmsService);
+      }
+
+      const decryptedRotationData =
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+        el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
+          ? infisicalSymmetricDecrypt({
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              keyEncoding: el.keyEncoding as SecretKeyEncoding,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              iv: el.encryptedDataIV,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              tag: el.encryptedDataTag,
+              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+              ciphertext: el.encryptedData
+            })
+          : "";
+
+      const encryptedRotationData = projectKmsService.encryptor({
+        plainText: Buffer.from(decryptedRotationData)
+      }).cipherTextBlob;
+      return { ...el, encryptedRotationData };
+    })
+  );
+
+  for (let i = 0; i < updatedRotationData.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.SecretRotation)
+      .insert(updatedRotationData.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (!hasEncryptedRotationData) t.binary("encryptedRotationData").notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasEncryptedRotationData = await knex.schema.hasColumn(TableName.SecretRotation, "encryptedRotationData");
+
+  const hasRotationTable = await knex.schema.hasTable(TableName.SecretRotation);
+  if (hasRotationTable) {
+    await knex.schema.alterTable(TableName.SecretRotation, (t) => {
+      if (hasEncryptedRotationData) t.dropColumn("encryptedRotationData");
+    });
+  }
+}

backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts

@@ -0,0 +1,200 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptIdentityK8sAuth = async (knex: Knex) => {
+  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesCaCertificate"
+  );
+  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
+
+  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "encryptedCaCert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "caCertTag");
+  const hasEncryptedTokenReviewerJwtColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedTokenReviewerJwt"
+  );
+  const hasTokenReviewerJwtIVColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "tokenReviewerJwtIV"
+  );
+  const hasTokenReviewerJwtTagColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "tokenReviewerJwtTag"
+  );
+
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+      if (hasEncryptedTokenReviewerJwtColumn) t.text("encryptedTokenReviewerJwt").nullable().alter();
+      if (hasTokenReviewerJwtIVColumn) t.string("tokenReviewerJwtIV").nullable().alter();
+      if (hasTokenReviewerJwtTagColumn) t.string("tokenReviewerJwtTag").nullable().alter();
+
+      if (!hasEncryptedKubernetesTokenReviewerJwt) t.binary("encryptedKubernetesTokenReviewerJwt");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedKubernetesCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+  const identityKubernetesConfigs = await knex(TableName.IdentityKubernetesAuth)
+    .join(
+      TableName.IdentityOrgMembership,
+      `${TableName.IdentityOrgMembership}.identityId`,
+      `${TableName.IdentityKubernetesAuth}.identityId`
+    )
+    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
+    .select(selectAllTableCols(TableName.IdentityKubernetesAuth))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
+      knex.ref("orgId").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedIdentityKubernetesConfigs = [];
+
+  for await (const {
+    encryptedSymmetricKey,
+    symmetricKeyKeyEncoding,
+    symmetricKeyTag,
+    symmetricKeyIV,
+    orgId,
+    ...el
+  } of identityKubernetesConfigs) {
+    let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
+
+    if (!orgKmsService) {
+      orgKmsService = await kmsService.createCipherPairWithDataKey(
+        {
+          type: KmsDataKey.Organization,
+          orgId
+        },
+        knex
+      );
+      orgEncryptionRingBuffer.push(orgId, orgKmsService);
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: encryptedSymmetricKey,
+      iv: symmetricKeyIV,
+      tag: symmetricKeyTag,
+      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const decryptedTokenReviewerJwt =
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+      el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
+        ? decryptSymmetric({
+            key,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            iv: el.tokenReviewerJwtIV,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            tag: el.tokenReviewerJwtTag,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            ciphertext: el.encryptedTokenReviewerJwt
+          })
+        : "";
+
+    const decryptedCertificate =
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+      el.encryptedCaCert && el.caCertIV && el.caCertTag
+        ? decryptSymmetric({
+            key,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            iv: el.caCertIV,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            tag: el.caCertTag,
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+            ciphertext: el.encryptedCaCert
+          })
+        : "";
+
+    const encryptedKubernetesTokenReviewerJwt = orgKmsService.encryptor({
+      plainText: Buffer.from(decryptedTokenReviewerJwt)
+    }).cipherTextBlob;
+    const encryptedKubernetesCaCertificate = orgKmsService.encryptor({
+      plainText: Buffer.from(decryptedCertificate)
+    }).cipherTextBlob;
+
+    updatedIdentityKubernetesConfigs.push({
+      ...el,
+      accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
+      encryptedKubernetesCaCertificate,
+      encryptedKubernetesTokenReviewerJwt
+    });
+  }
+
+  for (let i = 0; i < updatedIdentityKubernetesConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.IdentityKubernetesAuth)
+      .insert(updatedIdentityKubernetesConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (!hasEncryptedKubernetesTokenReviewerJwt)
+        t.binary("encryptedKubernetesTokenReviewerJwt").notNullable().alter();
+    });
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptIdentityK8sAuth(knex);
+}
+
+const dropIdentityK8sColumns = async (knex: Knex) => {
+  const hasEncryptedKubernetesTokenReviewerJwt = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesCaCertificate"
+  );
+  const hasidentityKubernetesAuthTable = await knex.schema.hasTable(TableName.IdentityKubernetesAuth);
+
+  if (hasidentityKubernetesAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      if (hasEncryptedKubernetesTokenReviewerJwt) t.dropColumn("encryptedKubernetesTokenReviewerJwt");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedKubernetesCaCertificate");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropIdentityK8sColumns(knex);
+}

backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts

@@ -0,0 +1,141 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptIdentityOidcAuth = async (knex: Knex) => {
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityOidcAuth,
+    "encryptedCaCertificate"
+  );
+  const hasidentityOidcAuthTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
+
+  const hasEncryptedCaCertColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "encryptedCaCert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "caCertTag");
+
+  if (hasidentityOidcAuthTable) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      if (hasEncryptedCaCertColumn) t.text("encryptedCaCert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const identityOidcConfig = await knex(TableName.IdentityOidcAuth)
+    .join(
+      TableName.IdentityOrgMembership,
+      `${TableName.IdentityOrgMembership}.identityId`,
+      `${TableName.IdentityOidcAuth}.identityId`
+    )
+    .join<TOrgBots>(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.IdentityOrgMembership}.orgId`)
+    .select(selectAllTableCols(TableName.IdentityOidcAuth))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot),
+      knex.ref("orgId").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedIdentityOidcConfigs = await Promise.all(
+    identityOidcConfig.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, orgId, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCaCert && el.caCertIV && el.caCertTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.caCertIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.caCertTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCaCert
+              })
+            : "";
+
+        const encryptedCaCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+
+        return {
+          ...el,
+          accessTokenTrustedIps: JSON.stringify(el.accessTokenTrustedIps),
+          encryptedCaCertificate
+        };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedIdentityOidcConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.IdentityOidcAuth)
+      .insert(updatedIdentityOidcConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptIdentityOidcAuth(knex);
+}
+
+const dropIdentityOidcColumns = async (knex: Knex) => {
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(
+    TableName.IdentityOidcAuth,
+    "encryptedCaCertificate"
+  );
+  const hasidentityOidcTable = await knex.schema.hasTable(TableName.IdentityOidcAuth);
+
+  if (hasidentityOidcTable) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedCaCertificate");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropIdentityOidcColumns(knex);
+}

backend/src/db/migrations/20250210101845_directory-config-to-kms.ts

@@ -0,0 +1,493 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { SecretKeyEncoding, TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { createCircularCache } from "./utils/ring-buffer";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+const BATCH_SIZE = 500;
+const reencryptSamlConfig = async (knex: Knex) => {
+  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
+  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
+  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint");
+      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const samlConfigs = await knex(TableName.SamlConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.SamlConfig}.orgId`)
+    .select(selectAllTableCols(TableName.SamlConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedSamlConfigs = await Promise.all(
+    samlConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedEntryPoint =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.entryPointIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.entryPointTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedEntryPoint
+              })
+            : "";
+
+        const decryptedIssuer =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedIssuer && el.issuerIV && el.issuerTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.issuerIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.issuerTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedIssuer
+              })
+            : "";
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCert && el.certIV && el.certTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.certIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.certTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCert
+              })
+            : "";
+
+        const encryptedSamlIssuer = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedIssuer)
+        }).cipherTextBlob;
+        const encryptedSamlCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+        const encryptedSamlEntryPoint = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedEntryPoint)
+        }).cipherTextBlob;
+        return { ...el, encryptedSamlCertificate, encryptedSamlEntryPoint, encryptedSamlIssuer };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedSamlConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.SamlConfig)
+      .insert(updatedSamlConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (!hasEncryptedEntrypointColumn) t.binary("encryptedSamlEntryPoint").notNullable().alter();
+      if (!hasEncryptedIssuerColumn) t.binary("encryptedSamlIssuer").notNullable().alter();
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedSamlCertificate").notNullable().alter();
+    });
+  }
+};
+
+const reencryptLdapConfig = async (knex: Knex) => {
+  const hasEncryptedLdapBindDNColum = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
+  const hasEncryptedLdapBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
+  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
+
+  const hasEncryptedCACertColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedCACert");
+  const hasCaCertIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertIV");
+  const hasCaCertTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "caCertTag");
+  const hasEncryptedBindPassColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindPass");
+  const hasBindPassIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassIV");
+  const hasBindPassTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindPassTag");
+  const hasEncryptedBindDNColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedBindDN");
+  const hasBindDNIVColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNIV");
+  const hasBindDNTagColumn = await knex.schema.hasColumn(TableName.LdapConfig, "bindDNTag");
+
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (hasEncryptedCACertColumn) t.text("encryptedCACert").nullable().alter();
+      if (hasCaCertIVColumn) t.string("caCertIV").nullable().alter();
+      if (hasCaCertTagColumn) t.string("caCertTag").nullable().alter();
+      if (hasEncryptedBindPassColumn) t.string("encryptedBindPass").nullable().alter();
+      if (hasBindPassIVColumn) t.string("bindPassIV").nullable().alter();
+      if (hasBindPassTagColumn) t.string("bindPassTag").nullable().alter();
+      if (hasEncryptedBindDNColumn) t.string("encryptedBindDN").nullable().alter();
+      if (hasBindDNIVColumn) t.string("bindDNIV").nullable().alter();
+      if (hasBindDNTagColumn) t.string("bindDNTag").nullable().alter();
+
+      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN");
+      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass");
+      if (!hasEncryptedCertificateColumn) t.binary("encryptedLdapCaCertificate");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const ldapConfigs = await knex(TableName.LdapConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.LdapConfig}.orgId`)
+    .select(selectAllTableCols(TableName.LdapConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedLdapConfigs = await Promise.all(
+    ldapConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedBindDN =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedBindDN && el.bindDNIV && el.bindDNTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.bindDNIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.bindDNTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedBindDN
+              })
+            : "";
+
+        const decryptedBindPass =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedBindPass && el.bindPassIV && el.bindPassTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.bindPassIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.bindPassTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedBindPass
+              })
+            : "";
+
+        const decryptedCertificate =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedCACert && el.caCertIV && el.caCertTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.caCertIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.caCertTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedCACert
+              })
+            : "";
+
+        const encryptedLdapBindDN = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedBindDN)
+        }).cipherTextBlob;
+        const encryptedLdapBindPass = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedBindPass)
+        }).cipherTextBlob;
+        const encryptedLdapCaCertificate = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedCertificate)
+        }).cipherTextBlob;
+        return { ...el, encryptedLdapBindPass, encryptedLdapBindDN, encryptedLdapCaCertificate };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedLdapConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.LdapConfig)
+      .insert(updatedLdapConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (!hasEncryptedLdapBindPassColumn) t.binary("encryptedLdapBindPass").notNullable().alter();
+      if (!hasEncryptedLdapBindDNColum) t.binary("encryptedLdapBindDN").notNullable().alter();
+    });
+  }
+};
+
+const reencryptOidcConfig = async (knex: Knex) => {
+  const hasEncryptedOidcClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
+  const hasEncryptedOidcClientSecretColumn = await knex.schema.hasColumn(
+    TableName.OidcConfig,
+    "encryptedOidcClientSecret"
+  );
+
+  const hasEncryptedClientIdColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientId");
+  const hasClientIdIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdIV");
+  const hasClientIdTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientIdTag");
+  const hasEncryptedClientSecretColumn = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedClientSecret");
+  const hasClientSecretIVColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretIV");
+  const hasClientSecretTagColumn = await knex.schema.hasColumn(TableName.OidcConfig, "clientSecretTag");
+
+  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
+
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (hasEncryptedClientIdColumn) t.text("encryptedClientId").nullable().alter();
+      if (hasClientIdIVColumn) t.string("clientIdIV").nullable().alter();
+      if (hasClientIdTagColumn) t.string("clientIdTag").nullable().alter();
+      if (hasEncryptedClientSecretColumn) t.text("encryptedClientSecret").nullable().alter();
+      if (hasClientSecretIVColumn) t.string("clientSecretIV").nullable().alter();
+      if (hasClientSecretTagColumn) t.string("clientSecretTag").nullable().alter();
+
+      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId");
+      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret");
+    });
+  }
+
+  initLogger();
+  const envConfig = getMigrationEnvConfig();
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+  const orgEncryptionRingBuffer =
+    createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
+
+  const oidcConfigs = await knex(TableName.OidcConfig)
+    .join(TableName.OrgBot, `${TableName.OrgBot}.orgId`, `${TableName.OidcConfig}.orgId`)
+    .select(selectAllTableCols(TableName.OidcConfig))
+    .select(
+      knex.ref("encryptedSymmetricKey").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyIV").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyTag").withSchema(TableName.OrgBot),
+      knex.ref("symmetricKeyKeyEncoding").withSchema(TableName.OrgBot)
+    )
+    .orderBy(`${TableName.OrgBot}.orgId` as "orgId");
+
+  const updatedOidcConfigs = await Promise.all(
+    oidcConfigs.map(
+      async ({ encryptedSymmetricKey, symmetricKeyKeyEncoding, symmetricKeyTag, symmetricKeyIV, ...el }) => {
+        let orgKmsService = orgEncryptionRingBuffer.getItem(el.orgId);
+        if (!orgKmsService) {
+          orgKmsService = await kmsService.createCipherPairWithDataKey(
+            {
+              type: KmsDataKey.Organization,
+              orgId: el.orgId
+            },
+            knex
+          );
+          orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
+        }
+        const key = infisicalSymmetricDecrypt({
+          ciphertext: encryptedSymmetricKey,
+          iv: symmetricKeyIV,
+          tag: symmetricKeyTag,
+          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+        });
+
+        const decryptedClientId =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedClientId && el.clientIdIV && el.clientIdTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.clientIdIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.clientIdTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedClientId
+              })
+            : "";
+
+        const decryptedClientSecret =
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+          el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
+            ? decryptSymmetric({
+                key,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.clientSecretIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.clientSecretTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedClientSecret
+              })
+            : "";
+
+        const encryptedOidcClientId = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedClientId)
+        }).cipherTextBlob;
+        const encryptedOidcClientSecret = orgKmsService.encryptor({
+          plainText: Buffer.from(decryptedClientSecret)
+        }).cipherTextBlob;
+        return { ...el, encryptedOidcClientId, encryptedOidcClientSecret };
+      }
+    )
+  );
+
+  for (let i = 0; i < updatedOidcConfigs.length; i += BATCH_SIZE) {
+    // eslint-disable-next-line no-await-in-loop
+    await knex(TableName.OidcConfig)
+      .insert(updatedOidcConfigs.slice(i, i + BATCH_SIZE))
+      .onConflict("id")
+      .merge();
+  }
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (!hasEncryptedOidcClientIdColumn) t.binary("encryptedOidcClientId").notNullable().alter();
+      if (!hasEncryptedOidcClientSecretColumn) t.binary("encryptedOidcClientSecret").notNullable().alter();
+    });
+  }
+};
+
+export async function up(knex: Knex): Promise<void> {
+  await reencryptSamlConfig(knex);
+  await reencryptLdapConfig(knex);
+  await reencryptOidcConfig(knex);
+}
+
+const dropSamlConfigColumns = async (knex: Knex) => {
+  const hasEncryptedEntrypointColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlEntryPoint");
+  const hasEncryptedIssuerColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlIssuer");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.SamlConfig, "encryptedSamlCertificate");
+  const hasSamlConfigTable = await knex.schema.hasTable(TableName.SamlConfig);
+
+  if (hasSamlConfigTable) {
+    await knex.schema.alterTable(TableName.SamlConfig, (t) => {
+      if (hasEncryptedEntrypointColumn) t.dropColumn("encryptedSamlEntryPoint");
+      if (hasEncryptedIssuerColumn) t.dropColumn("encryptedSamlIssuer");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedSamlCertificate");
+    });
+  }
+};
+
+const dropLdapConfigColumns = async (knex: Knex) => {
+  const hasEncryptedBindDN = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindDN");
+  const hasEncryptedBindPass = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapBindPass");
+  const hasEncryptedCertificateColumn = await knex.schema.hasColumn(TableName.LdapConfig, "encryptedLdapCaCertificate");
+  const hasLdapConfigTable = await knex.schema.hasTable(TableName.LdapConfig);
+
+  if (hasLdapConfigTable) {
+    await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+      if (hasEncryptedBindDN) t.dropColumn("encryptedLdapBindDN");
+      if (hasEncryptedBindPass) t.dropColumn("encryptedLdapBindPass");
+      if (hasEncryptedCertificateColumn) t.dropColumn("encryptedLdapCaCertificate");
+    });
+  }
+};
+
+const dropOidcConfigColumns = async (knex: Knex) => {
+  const hasEncryptedClientId = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientId");
+  const hasEncryptedClientSecret = await knex.schema.hasColumn(TableName.OidcConfig, "encryptedOidcClientSecret");
+  const hasOidcConfigTable = await knex.schema.hasTable(TableName.OidcConfig);
+
+  if (hasOidcConfigTable) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      if (hasEncryptedClientId) t.dropColumn("encryptedOidcClientId");
+      if (hasEncryptedClientSecret) t.dropColumn("encryptedOidcClientSecret");
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  await dropSamlConfigColumns(knex);
+  await dropLdapConfigColumns(knex);
+  await dropOidcConfigColumns(knex);
+}

backend/src/db/migrations/20250212191958_create-gateway.ts

@@ -0,0 +1,115 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.OrgGatewayConfig))) {
+    await knex.schema.createTable(TableName.OrgGatewayConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("rootCaKeyAlgorithm").notNullable();
+
+      t.datetime("rootCaIssuedAt").notNullable();
+      t.datetime("rootCaExpiration").notNullable();
+      t.string("rootCaSerialNumber").notNullable();
+      t.binary("encryptedRootCaCertificate").notNullable();
+      t.binary("encryptedRootCaPrivateKey").notNullable();
+
+      t.datetime("clientCaIssuedAt").notNullable();
+      t.datetime("clientCaExpiration").notNullable();
+      t.string("clientCaSerialNumber");
+      t.binary("encryptedClientCaCertificate").notNullable();
+      t.binary("encryptedClientCaPrivateKey").notNullable();
+
+      t.string("clientCertSerialNumber").notNullable();
+      t.string("clientCertKeyAlgorithm").notNullable();
+      t.datetime("clientCertIssuedAt").notNullable();
+      t.datetime("clientCertExpiration").notNullable();
+      t.binary("encryptedClientCertificate").notNullable();
+      t.binary("encryptedClientPrivateKey").notNullable();
+
+      t.datetime("gatewayCaIssuedAt").notNullable();
+      t.datetime("gatewayCaExpiration").notNullable();
+      t.string("gatewayCaSerialNumber").notNullable();
+      t.binary("encryptedGatewayCaCertificate").notNullable();
+      t.binary("encryptedGatewayCaPrivateKey").notNullable();
+
+      t.uuid("orgId").notNullable();
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+      t.unique("orgId");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.Gateway))) {
+    await knex.schema.createTable(TableName.Gateway, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.string("name").notNullable();
+      t.string("serialNumber").notNullable();
+      t.string("keyAlgorithm").notNullable();
+      t.datetime("issuedAt").notNullable();
+      t.datetime("expiration").notNullable();
+      t.datetime("heartbeat");
+
+      t.binary("relayAddress").notNullable();
+
+      t.uuid("orgGatewayRootCaId").notNullable();
+      t.foreign("orgGatewayRootCaId").references("id").inTable(TableName.OrgGatewayConfig).onDelete("CASCADE");
+
+      t.uuid("identityId").notNullable();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.Gateway);
+  }
+
+  if (!(await knex.schema.hasTable(TableName.ProjectGateway))) {
+    await knex.schema.createTable(TableName.ProjectGateway, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+
+      t.string("projectId").notNullable();
+      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+
+      t.uuid("gatewayId").notNullable();
+      t.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("CASCADE");
+
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.ProjectGateway);
+  }
+
+  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      // not setting a foreign constraint so that cascade effects are not triggered
+      if (!doesGatewayColExist) {
+        t.uuid("projectGatewayId");
+        t.foreign("projectGatewayId").references("id").inTable(TableName.ProjectGateway);
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.DynamicSecret)) {
+    const doesGatewayColExist = await knex.schema.hasColumn(TableName.DynamicSecret, "projectGatewayId");
+    await knex.schema.alterTable(TableName.DynamicSecret, (t) => {
+      if (doesGatewayColExist) t.dropColumn("projectGatewayId");
+    });
+  }
+
+  await knex.schema.dropTableIfExists(TableName.ProjectGateway);
+  await dropOnUpdateTrigger(knex, TableName.ProjectGateway);
+
+  await knex.schema.dropTableIfExists(TableName.Gateway);
+  await dropOnUpdateTrigger(knex, TableName.Gateway);
+
+  await knex.schema.dropTableIfExists(TableName.OrgGatewayConfig);
+  await dropOnUpdateTrigger(knex, TableName.OrgGatewayConfig);
+}

backend/src/db/migrations/20250226021631_secret-requests.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { SecretSharingType } from "@app/services/secret-sharing/secret-sharing-types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (!hasSharingTypeColumn) {
+      table.string("type", 32).defaultTo(SecretSharingType.Share).notNullable();
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasSharingTypeColumn = await knex.schema.hasColumn(TableName.SecretSharing, "type");
+
+  await knex.schema.alterTable(TableName.SecretSharing, (table) => {
+    if (hasSharingTypeColumn) {
+      table.dropColumn("type");
+    }
+  });
+}

backend/src/db/migrations/20250226082254_add-gov-banner-and-consent-fields.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  if (await knex.schema.hasTable(TableName.SuperAdmin)) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      if (!hasAuthConsentContentCol) {
+        t.text("authConsentContent");
+      }
+      if (!hasPageFrameContentCol) {
+        t.text("pageFrameContent");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasAuthConsentContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "authConsentContent");
+  const hasPageFrameContentCol = await knex.schema.hasColumn(TableName.SuperAdmin, "pageFrameContent");
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasAuthConsentContentCol) {
+      t.dropColumn("authConsentContent");
+    }
+    if (hasPageFrameContentCol) {
+      t.dropColumn("pageFrameContent");
+    }
+  });
+}

backend/src/db/migrations/20250228022604_increase-secret-reminder-note-max-length.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote", 1024).alter();
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  for await (const tableName of [
+    TableName.SecretV2,
+    TableName.SecretVersionV2,
+    TableName.SecretApprovalRequestSecretV2
+  ]) {
+    const hasReminderNoteCol = await knex.schema.hasColumn(tableName, "reminderNote");
+
+    if (hasReminderNoteCol) {
+      await knex.schema.alterTable(tableName, (t) => {
+        t.string("reminderNote").alter();
+      });
+    }
+  }
+}

backend/src/db/migrations/20250303213350_add-folder-description.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (!hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.string("description");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasProjectDescription = await knex.schema.hasColumn(TableName.SecretFolder, "description");
+
+  if (hasProjectDescription) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("description");
+    });
+  }
+}

backend/src/db/migrations/20250305080145_add-secret-review-comment.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.string("comment");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "comment")) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
+      t.dropColumn("comment");
+    });
+  }
+}

backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts

@@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (!hasSecretVersionV2UserActorId) {
+        t.uuid("userActorId");
+        t.foreign("userActorId").references("id").inTable(TableName.Users);
+      }
+      if (!hasSecretVersionV2IdentityActorId) {
+        t.uuid("identityActorId");
+        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
+      }
+      if (!hasSecretVersionV2ActorType) {
+        t.string("actorType");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (hasSecretVersionV2UserActorId) {
+        t.dropColumn("userActorId");
+      }
+      if (hasSecretVersionV2IdentityActorId) {
+        t.dropColumn("identityActorId");
+      }
+      if (hasSecretVersionV2ActorType) {
+        t.dropColumn("actorType");
+      }
+    });
+  }
+}

backend/src/db/migrations/20250311105617_add-share-to-anyone-setting-to-organizations.ts

@@ -0,0 +1,32 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+
+    if (!hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.boolean("allowSecretSharingOutsideOrganization").defaultTo(true);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Organization)) {
+    const hasSecretShareToAnyoneCol = await knex.schema.hasColumn(
+      TableName.Organization,
+      "allowSecretSharingOutsideOrganization"
+    );
+    if (hasSecretShareToAnyoneCol) {
+      await knex.schema.alterTable(TableName.Organization, (t) => {
+        t.dropColumn("allowSecretSharingOutsideOrganization");
+      });
+    }
+  }
+}

backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts

@@ -0,0 +1,31 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem"))) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem");
+      t.string("privilegeUpgradeInitiatedByUsername");
+      t.dateTime("privilegeUpgradeInitiatedAt");
+    });
+
+    await knex(TableName.Organization).update({
+      shouldUseNewPrivilegeSystem: false
+    });
+
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.boolean("shouldUseNewPrivilegeSystem").defaultTo(true).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem")) {
+    await knex.schema.alterTable(TableName.Organization, (t) => {
+      t.dropColumn("shouldUseNewPrivilegeSystem");
+      t.dropColumn("privilegeUpgradeInitiatedByUsername");
+      t.dropColumn("privilegeUpgradeInitiatedAt");
+    });
+  }
+}

backend/src/db/migrations/20250314145202_identity-oidc-claim-mapping.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (!hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.jsonb("claimMetadataMapping");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasMappingField = await knex.schema.hasColumn(TableName.IdentityOidcAuth, "claimMetadataMapping");
+  if (hasMappingField) {
+    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
+      t.dropColumn("claimMetadataMapping");
+    });
+  }
+}

backend/src/db/migrations/20250317101525_add-instance-admin-mi.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds"))) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.specificType("adminIdentityIds", "text[]");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "adminIdentityIds")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("adminIdentityIds");
+    });
+  }
+}

backend/src/db/migrations/20250319134021_recursive-folder-index.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.index(["parentId", "name"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const doesParentColumExist = await knex.schema.hasColumn(TableName.SecretFolder, "parentId");
+  const doesNameColumnExist = await knex.schema.hasColumn(TableName.SecretFolder, "name");
+  if (doesParentColumExist && doesNameColumnExist) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropIndex(["parentId", "name"]);
+    });
+  }
+}

backend/src/db/migrations/20250321100157_k8s-self-reviewer-jwt.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasReviewerJwtCol = await knex.schema.hasColumn(
+    TableName.IdentityKubernetesAuth,
+    "encryptedKubernetesTokenReviewerJwt"
+  );
+  if (hasReviewerJwtCol) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
+      t.binary("encryptedKubernetesTokenReviewerJwt").nullable().alter();
+    });
+  }
+}
+
+export async function down(): Promise<void> {
+  // we can't make it back to non nullable, it will fail
+}

backend/src/db/migrations/20250324142102_add-self-approvals-to-secret-approval-policies.ts

@@ -0,0 +1,29 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas/models";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+  if (!(await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals"))) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.boolean("allowedSelfApprovals").notNullable().defaultTo(true);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.SecretApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+  if (await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "allowedSelfApprovals")) {
+    await knex.schema.alterTable(TableName.AccessApprovalPolicy, (t) => {
+      t.dropColumn("allowedSelfApprovals");
+    });
+  }
+}

backend/src/db/migrations/20250324142104_app-connection-is-platform-managed-credentials-col.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials"))) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.boolean("isPlatformManagedCredentials").defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AppConnection, "isPlatformManagedCredentials")) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.dropColumn("isPlatformManagedCredentials");
+    });
+  }
+}

backend/src/db/migrations/20250324142105_secret-rotation-v2.ts

@@ -0,0 +1,58 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.SecretRotationV2))) {
+    await knex.schema.createTable(TableName.SecretRotationV2, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.string("name", 32).notNullable();
+      t.string("description");
+      t.string("type").notNullable();
+      t.jsonb("parameters").notNullable();
+      t.jsonb("secretsMapping").notNullable();
+      t.binary("encryptedGeneratedCredentials").notNullable();
+      t.boolean("isAutoRotationEnabled").notNullable().defaultTo(true);
+      t.integer("activeIndex").notNullable().defaultTo(0);
+      t.uuid("folderId").notNullable();
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
+      t.uuid("connectionId").notNullable();
+      t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
+      t.timestamps(true, true, true);
+      t.integer("rotationInterval").notNullable();
+      t.jsonb("rotateAtUtc").notNullable(); // { hours: number; minutes: number }
+      t.string("rotationStatus").notNullable();
+      t.datetime("lastRotationAttemptedAt").notNullable();
+      t.datetime("lastRotatedAt").notNullable();
+      t.binary("encryptedLastRotationMessage"); // we encrypt this because it may contain sensitive info (SQL errors showing credentials)
+      t.string("lastRotationJobId");
+      t.datetime("nextRotationAt");
+      t.boolean("isLastRotationManual").notNullable().defaultTo(true); // creation is considered a "manual" rotation
+    });
+
+    await createOnUpdateTrigger(knex, TableName.SecretRotationV2);
+
+    await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
+      t.unique(["folderId", "name"]);
+    });
+  }
+
+  if (!(await knex.schema.hasTable(TableName.SecretRotationV2SecretMapping))) {
+    await knex.schema.createTable(TableName.SecretRotationV2SecretMapping, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("secretId").notNullable();
+      // scott: this is deferred to block secret deletion but not prevent folder/environment/project deletion
+      // ie, if rotation is being deleted as well we permit it, otherwise throw
+      t.foreign("secretId").references("id").inTable(TableName.SecretV2).deferrable("deferred");
+      t.uuid("rotationId").notNullable();
+      t.foreign("rotationId").references("id").inTable(TableName.SecretRotationV2).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.SecretRotationV2SecretMapping);
+  await knex.schema.dropTableIfExists(TableName.SecretRotationV2);
+  await dropOnUpdateTrigger(knex, TableName.SecretRotationV2);
+}

backend/src/db/migrations/20250326171707_folder-last-secret-modified.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (!hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.datetime("lastSecretModified");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasCol = await knex.schema.hasColumn(TableName.SecretFolder, "lastSecretModified");
+  if (hasCol) {
+    await knex.schema.alterTable(TableName.SecretFolder, (t) => {
+      t.dropColumn("lastSecretModified");
+    });
+  }
+}

backend/src/db/migrations/utils/env-config.ts

@@ -0,0 +1,53 @@
+import { z } from "zod";
+
+import { zpStr } from "@app/lib/zod";
+
+const envSchema = z
+  .object({
+    DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
+      `postgresql://${process.env.DB_USER}:${process.env.DB_PASSWORD}@${process.env.DB_HOST}:${process.env.DB_PORT}/${process.env.DB_NAME}`
+    ),
+    DB_ROOT_CERT: zpStr(z.string().describe("Postgres database base64-encoded CA cert").optional()),
+    DB_HOST: zpStr(z.string().describe("Postgres database host").optional()),
+    DB_PORT: zpStr(z.string().describe("Postgres database port").optional()).default("5432"),
+    DB_USER: zpStr(z.string().describe("Postgres database username").optional()),
+    DB_PASSWORD: zpStr(z.string().describe("Postgres database password").optional()),
+    DB_NAME: zpStr(z.string().describe("Postgres database name").optional()),
+    // TODO(akhilmhdh): will be changed to one
+    ENCRYPTION_KEY: zpStr(z.string().optional()),
+    ROOT_ENCRYPTION_KEY: zpStr(z.string().optional()),
+    // HSM
+    HSM_LIB_PATH: zpStr(z.string().optional()),
+    HSM_PIN: zpStr(z.string().optional()),
+    HSM_KEY_LABEL: zpStr(z.string().optional()),
+    HSM_SLOT: z.coerce.number().optional().default(0)
+  })
+  // To ensure that basic encryption is always possible.
+  .refine(
+    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
+    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
+  )
+  .transform((data) => ({
+    ...data,
+    isHsmConfigured:
+      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined
+  }));
+
+export type TMigrationEnvConfig = z.infer<typeof envSchema>;
+
+export const getMigrationEnvConfig = () => {
+  const parsedEnv = envSchema.safeParse(process.env);
+  if (!parsedEnv.success) {
+    // eslint-disable-next-line no-console
+    console.error("Invalid environment variables. Check the error below");
+    // eslint-disable-next-line no-console
+    console.error(
+      "Infisical now automatically runs database migrations during boot up, so you no longer need to run them separately."
+    );
+    // eslint-disable-next-line no-console
+    console.error(parsedEnv.error.issues);
+    process.exit(-1);
+  }
+
+  return Object.freeze(parsedEnv.data);
+};

backend/src/db/migrations/utils/kms.ts

@@ -1,105 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { randomSecureBytes } from "@app/lib/crypto";
-import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-const getInstanceRootKey = async (knex: Knex) => {
-  const encryptionKey = process.env.ENCRYPTION_KEY || process.env.ROOT_ENCRYPTION_KEY;
-  // if root key its base64 encoded
-  const isBase64 = !process.env.ENCRYPTION_KEY;
-  if (!encryptionKey) throw new Error("ENCRYPTION_KEY variable needed for migration");
-  const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
-  const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-  const kmsRootConfig = await knex(TableName.KmsServerRootConfig).where({ id: KMS_ROOT_CONFIG_UUID }).first();
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  if (kmsRootConfig) {
-    const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-    // set the flag so that other instancen nodes can start
-    return decryptedRootKey;
-  }
-
-  const newRootKey = randomSecureBytes(32);
-  const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
-  await knex(TableName.KmsServerRootConfig).insert({
-    encryptedRootKey,
-    // eslint-disable-next-line
-    // @ts-ignore id is kept as fixed for idempotence and to avoid race condition
-    id: KMS_ROOT_CONFIG_UUID
-  });
-  return encryptedRootKey;
-};
-
-export const getSecretManagerDataKey = async (knex: Knex, projectId: string) => {
-  const KMS_VERSION = "v01";
-  const KMS_VERSION_BLOB_LENGTH = 3;
-  const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-  const project = await knex(TableName.Project).where({ id: projectId }).first();
-  if (!project) throw new Error("Missing project id");
-
-  const ROOT_ENCRYPTION_KEY = await getInstanceRootKey(knex);
-
-  let secretManagerKmsKey;
-  const projectSecretManagerKmsId = project?.kmsSecretManagerKeyId;
-  if (projectSecretManagerKmsId) {
-    const kmsDoc = await knex(TableName.KmsKey)
-      .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
-      .where({ [`${TableName.KmsKey}.id` as "id"]: projectSecretManagerKmsId })
-      .first();
-    if (!kmsDoc) throw new Error("missing kms");
-    secretManagerKmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
-  } else {
-    const [kmsDoc] = await knex(TableName.KmsKey)
-      .insert({
-        name: slugify(alphaNumericNanoId(8).toLowerCase()),
-        orgId: project.orgId,
-        isReserved: false
-      })
-      .returning("*");
-
-    secretManagerKmsKey = randomSecureBytes(32);
-    const encryptedKeyMaterial = cipher.encrypt(secretManagerKmsKey, ROOT_ENCRYPTION_KEY);
-    await knex(TableName.InternalKms).insert({
-      version: 1,
-      encryptedKey: encryptedKeyMaterial,
-      encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-      kmsKeyId: kmsDoc.id
-    });
-  }
-
-  const encryptedSecretManagerDataKey = project?.kmsSecretManagerEncryptedDataKey;
-  let dataKey: Buffer;
-  if (!encryptedSecretManagerDataKey) {
-    dataKey = randomSecureBytes();
-    // the below versioning we do it automatically in kms service
-    const unversionedDataKey = cipher.encrypt(dataKey, secretManagerKmsKey);
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-    await knex(TableName.Project)
-      .where({ id: projectId })
-      .update({
-        kmsSecretManagerEncryptedDataKey: Buffer.concat([unversionedDataKey, versionBlob])
-      });
-  } else {
-    const cipherTextBlob = encryptedSecretManagerDataKey.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-    dataKey = cipher.decrypt(cipherTextBlob, secretManagerKmsKey);
-  }
-
-  return {
-    encryptor: ({ plainText }: { plainText: Buffer }) => {
-      const encryptedPlainTextBlob = cipher.encrypt(plainText, dataKey);
-
-      // Buffer#1 encrypted text + Buffer#2 version number
-      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-      return { cipherTextBlob };
-    },
-    decryptor: ({ cipherTextBlob: versionedCipherTextBlob }: { cipherTextBlob: Buffer }) => {
-      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
-      const decryptedBlob = cipher.decrypt(cipherTextBlob, dataKey);
-      return decryptedBlob;
-    }
-  };
-};

backend/src/db/migrations/utils/ring-buffer.ts

@@ -0,0 +1,19 @@
+export const createCircularCache = <T>(bufferSize = 10) => {
+  const bufferItems: { id: string; item: T }[] = [];
+  let bufferIndex = 0;
+
+  const push = (id: string, item: T) => {
+    if (bufferItems.length < bufferSize) {
+      bufferItems.push({ id, item });
+    } else {
+      bufferItems[bufferIndex] = { id, item };
+    }
+    bufferIndex = (bufferIndex + 1) % bufferSize;
+  };
+
+  const getItem = (id: string) => {
+    return bufferItems.find((i) => i.id === id)?.item;
+  };
+
+  return { push, getItem };
+};

backend/src/db/migrations/utils/services.ts

@@ -0,0 +1,52 @@
+import { Knex } from "knex";
+
+import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
+import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
+import { TKeyStoreFactory } from "@app/keystore/keystore";
+import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
+import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
+import { kmsServiceFactory } from "@app/services/kms/kms-service";
+import { orgDALFactory } from "@app/services/org/org-dal";
+import { projectDALFactory } from "@app/services/project/project-dal";
+
+import { TMigrationEnvConfig } from "./env-config";
+
+type TDependencies = {
+  envConfig: TMigrationEnvConfig;
+  db: Knex;
+  keyStore: TKeyStoreFactory;
+};
+
+export const getMigrationEncryptionServices = async ({ envConfig, db, keyStore }: TDependencies) => {
+  // eslint-disable-next-line no-param-reassign
+  const hsmModule = initializeHsmModule(envConfig);
+  hsmModule.initialize();
+
+  const hsmService = hsmServiceFactory({
+    hsmModule: hsmModule.getModule(),
+    envConfig
+  });
+
+  const orgDAL = orgDALFactory(db);
+  const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const projectDAL = projectDALFactory(db);
+
+  const kmsService = kmsServiceFactory({
+    kmsRootConfigDAL,
+    keyStore,
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL,
+    hsmService,
+    envConfig
+  });
+
+  await hsmService.startService();
+  await kmsService.startService();
+
+  return { kmsService };
+};

backend/src/db/rename-migrations-to-mjs.ts

@@ -0,0 +1,56 @@
+import path from "node:path";
+
+import dotenv from "dotenv";
+
+import { initAuditLogDbConnection, initDbConnection } from "./instance";
+
+const isProduction = process.env.NODE_ENV === "production";
+
+// Update with your config settings. .
+dotenv.config({
+  path: path.join(__dirname, "../../../.env.migration")
+});
+dotenv.config({
+  path: path.join(__dirname, "../../../.env")
+});
+
+const runRename = async () => {
+  if (!isProduction) return;
+  const migrationTable = "infisical_migrations";
+  const applicationDb = initDbConnection({
+    dbConnectionUri: process.env.DB_CONNECTION_URI as string,
+    dbRootCert: process.env.DB_ROOT_CERT
+  });
+
+  const auditLogDb = process.env.AUDIT_LOGS_DB_CONNECTION_URI
+    ? initAuditLogDbConnection({
+        dbConnectionUri: process.env.AUDIT_LOGS_DB_CONNECTION_URI,
+        dbRootCert: process.env.AUDIT_LOGS_DB_ROOT_CERT
+      })
+    : undefined;
+
+  const hasMigrationTable = await applicationDb.schema.hasTable(migrationTable);
+  if (hasMigrationTable) {
+    const firstFile = (await applicationDb(migrationTable).where({}).first()) as { name: string };
+    if (firstFile?.name?.includes(".ts")) {
+      await applicationDb(migrationTable).update({
+        name: applicationDb.raw("REPLACE(name, '.ts', '.mjs')")
+      });
+    }
+  }
+  if (auditLogDb) {
+    const hasMigrationTableInAuditLog = await auditLogDb.schema.hasTable(migrationTable);
+    if (hasMigrationTableInAuditLog) {
+      const firstFile = (await auditLogDb(migrationTable).where({}).first()) as { name: string };
+      if (firstFile?.name?.includes(".ts")) {
+        await auditLogDb(migrationTable).update({
+          name: auditLogDb.raw("REPLACE(name, '.ts', '.mjs')")
+        });
+      }
+    }
+  }
+  await applicationDb.destroy();
+  await auditLogDb?.destroy();
+};
+
+void runRename();

backend/src/db/schemas/access-approval-policies.ts

@@ -16,7 +16,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/app-connections.ts

@@ -19,7 +19,8 @@ export const AppConnectionsSchema = z.object({
   version: z.number().default(1),
   orgId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const DynamicSecretsSchema = z.object({
@@ -14,16 +16,18 @@ export const DynamicSecretsSchema = z.object({
   type: z.string(),
   defaultTTL: z.string(),
   maxTTL: z.string().nullable().optional(),
-  inputIV: z.string(),
-  inputCiphertext: z.string(),
-  inputTag: z.string(),
+  inputIV: z.string().nullable().optional(),
+  inputCiphertext: z.string().nullable().optional(),
+  inputTag: z.string().nullable().optional(),
   algorithm: z.string().default("aes-256-gcm"),
   keyEncoding: z.string().default("utf8"),
   folderId: z.string().uuid(),
   status: z.string().nullable().optional(),
   statusDetails: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  encryptedInput: zodBuffer,
+  projectGatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/gateways.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const GatewaysSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  heartbeat: z.date().nullable().optional(),
+  relayAddress: zodBuffer,
+  orgGatewayRootCaId: z.string().uuid(),
+  identityId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TGateways = z.infer<typeof GatewaysSchema>;
+export type TGatewaysInsert = Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>;
+export type TGatewaysUpdate = Partial<Omit<z.input<typeof GatewaysSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const IdentityKubernetesAuthsSchema = z.object({
@@ -17,15 +19,17 @@ export const IdentityKubernetesAuthsSchema = z.object({
   updatedAt: z.date(),
   identityId: z.string().uuid(),
   kubernetesHost: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  encryptedTokenReviewerJwt: z.string(),
-  tokenReviewerJwtIV: z.string(),
-  tokenReviewerJwtTag: z.string(),
+  encryptedCaCert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
+  encryptedTokenReviewerJwt: z.string().nullable().optional(),
+  tokenReviewerJwtIV: z.string().nullable().optional(),
+  tokenReviewerJwtTag: z.string().nullable().optional(),
   allowedNamespaces: z.string(),
   allowedNames: z.string(),
-  allowedAudience: z.string()
+  allowedAudience: z.string(),
+  encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const IdentityOidcAuthsSchema = z.object({
@@ -15,15 +17,17 @@ export const IdentityOidcAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   identityId: z.string().uuid(),
   oidcDiscoveryUrl: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
+  encryptedCaCert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
   boundIssuer: z.string(),
   boundAudiences: z.string(),
   boundClaims: z.unknown(),
   boundSubject: z.string().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  encryptedCaCertificate: zodBuffer.nullable().optional(),
+  claimMetadataMapping: z.unknown().nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -3,6 +3,7 @@ export * from "./access-approval-policies-approvers";
 export * from "./access-approval-requests";
 export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
+export * from "./app-connections";
 export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
@@ -19,7 +20,9 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
+export * from "./gateways";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
@@ -45,6 +48,10 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./internal-kms";
+export * from "./kmip-client-certificates";
+export * from "./kmip-clients";
+export * from "./kmip-org-configs";
+export * from "./kmip-org-server-certificates";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";
@@ -53,6 +60,7 @@ export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./oidc-configs";
 export * from "./org-bots";
+export * from "./org-gateway-config";
 export * from "./org-memberships";
 export * from "./org-roles";
 export * from "./organizations";
@@ -61,6 +69,7 @@ export * from "./pki-collection-items";
 export * from "./pki-collections";
 export * from "./project-bots";
 export * from "./project-environments";
+export * from "./project-gateways";
 export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
@@ -90,13 +99,16 @@ export * from "./secret-references";
 export * from "./secret-references-v2";
 export * from "./secret-rotation-output-v2";
 export * from "./secret-rotation-outputs";
+export * from "./secret-rotation-v2-secret-mappings";
 export * from "./secret-rotations";
+export * from "./secret-rotations-v2";
 export * from "./secret-scanning-git-risks";
 export * from "./secret-sharing";
 export * from "./secret-snapshot-folders";
 export * from "./secret-snapshot-secrets";
 export * from "./secret-snapshot-secrets-v2";
 export * from "./secret-snapshots";
+export * from "./secret-syncs";
 export * from "./secret-tag-junction";
 export * from "./secret-tags";
 export * from "./secret-v2-tag-junction";

backend/src/db/schemas/kmip-client-certificates.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  kmipClientId: z.string().uuid(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date()
+});
+
+export type TKmipClientCertificates = z.infer<typeof KmipClientCertificatesSchema>;
+export type TKmipClientCertificatesInsert = Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipClientCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipClientCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/kmip-clients.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipClientsSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  permissions: z.string().array().nullable().optional(),
+  description: z.string().nullable().optional(),
+  projectId: z.string()
+});
+
+export type TKmipClients = z.infer<typeof KmipClientsSchema>;
+export type TKmipClientsInsert = Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>;
+export type TKmipClientsUpdate = Partial<Omit<z.input<typeof KmipClientsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-configs.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgConfigsSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  caKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  serverIntermediateCaIssuedAt: z.date(),
+  serverIntermediateCaExpiration: z.date(),
+  serverIntermediateCaSerialNumber: z.string().nullable().optional(),
+  encryptedServerIntermediateCaCertificate: zodBuffer,
+  encryptedServerIntermediateCaChain: zodBuffer,
+  encryptedServerIntermediateCaPrivateKey: zodBuffer,
+  clientIntermediateCaIssuedAt: z.date(),
+  clientIntermediateCaExpiration: z.date(),
+  clientIntermediateCaSerialNumber: z.string(),
+  encryptedClientIntermediateCaCertificate: zodBuffer,
+  encryptedClientIntermediateCaChain: zodBuffer,
+  encryptedClientIntermediateCaPrivateKey: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TKmipOrgConfigs = z.infer<typeof KmipOrgConfigsSchema>;
+export type TKmipOrgConfigsInsert = Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>;
+export type TKmipOrgConfigsUpdate = Partial<Omit<z.input<typeof KmipOrgConfigsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kmip-org-server-certificates.ts

@@ -0,0 +1,29 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const KmipOrgServerCertificatesSchema = z.object({
+  id: z.string().uuid(),
+  orgId: z.string().uuid(),
+  commonName: z.string(),
+  altNames: z.string(),
+  serialNumber: z.string(),
+  keyAlgorithm: z.string(),
+  issuedAt: z.date(),
+  expiration: z.date(),
+  encryptedCertificate: zodBuffer,
+  encryptedChain: zodBuffer
+});
+
+export type TKmipOrgServerCertificates = z.infer<typeof KmipOrgServerCertificatesSchema>;
+export type TKmipOrgServerCertificatesInsert = Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>;
+export type TKmipOrgServerCertificatesUpdate = Partial<
+  Omit<z.input<typeof KmipOrgServerCertificatesSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/ldap-configs.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const LdapConfigsSchema = z.object({
@@ -12,22 +14,25 @@ export const LdapConfigsSchema = z.object({
   orgId: z.string().uuid(),
   isActive: z.boolean(),
   url: z.string(),
-  encryptedBindDN: z.string(),
-  bindDNIV: z.string(),
-  bindDNTag: z.string(),
-  encryptedBindPass: z.string(),
-  bindPassIV: z.string(),
-  bindPassTag: z.string(),
+  encryptedBindDN: z.string().nullable().optional(),
+  bindDNIV: z.string().nullable().optional(),
+  bindDNTag: z.string().nullable().optional(),
+  encryptedBindPass: z.string().nullable().optional(),
+  bindPassIV: z.string().nullable().optional(),
+  bindPassTag: z.string().nullable().optional(),
   searchBase: z.string(),
-  encryptedCACert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
+  encryptedCACert: z.string().nullable().optional(),
+  caCertIV: z.string().nullable().optional(),
+  caCertTag: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
   groupSearchBase: z.string().default(""),
   groupSearchFilter: z.string().default(""),
   searchFilter: z.string().default(""),
-  uniqueUserAttribute: z.string().default("")
+  uniqueUserAttribute: z.string().default(""),
+  encryptedLdapBindDN: zodBuffer,
+  encryptedLdapBindPass: zodBuffer,
+  encryptedLdapCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;

backend/src/db/schemas/models.ts

@@ -113,6 +113,10 @@ export enum TableName {
   SecretApprovalRequestSecretTagV2 = "secret_approval_request_secret_tags_v2",
   SnapshotSecretV2 = "secret_snapshot_secrets_v2",
   ProjectSplitBackfillIds = "project_split_backfill_ids",
+  // Gateway
+  OrgGatewayConfig = "org_gateway_config",
+  Gateway = "gateways",
+  ProjectGateway = "project_gateways",
   // junction tables with tags
   SecretV2JnTag = "secret_v2_tag_junction",
   JnSecretTag = "secret_tag_junction",
@@ -132,7 +136,13 @@ export enum TableName {
   SlackIntegrations = "slack_integrations",
   ProjectSlackConfigs = "project_slack_configs",
   AppConnection = "app_connections",
-  SecretSync = "secret_syncs"
+  SecretSync = "secret_syncs",
+  KmipClient = "kmip_clients",
+  KmipOrgConfig = "kmip_org_configs",
+  KmipOrgServerCertificates = "kmip_org_server_certificates",
+  KmipClientCertificates = "kmip_client_certificates",
+  SecretRotationV2 = "secret_rotations_v2",
+  SecretRotationV2SecretMapping = "secret_rotation_v2_secret_mappings"
 }
 
 export type TImmutableDBKeys = "id" | "createdAt" | "updatedAt";
@@ -225,3 +235,8 @@ export enum ActionProjectType {
   // project operations that happen on all types
   Any = "any"
 }
+
+export enum SortDirection {
+  ASC = "asc",
+  DESC = "desc"
+}

backend/src/db/schemas/oidc-configs.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const OidcConfigsSchema = z.object({
@@ -15,20 +17,22 @@ export const OidcConfigsSchema = z.object({
   jwksUri: z.string().nullable().optional(),
   tokenEndpoint: z.string().nullable().optional(),
   userinfoEndpoint: z.string().nullable().optional(),
-  encryptedClientId: z.string(),
+  encryptedClientId: z.string().nullable().optional(),
   configurationType: z.string(),
-  clientIdIV: z.string(),
-  clientIdTag: z.string(),
-  encryptedClientSecret: z.string(),
-  clientSecretIV: z.string(),
-  clientSecretTag: z.string(),
+  clientIdIV: z.string().nullable().optional(),
+  clientIdTag: z.string().nullable().optional(),
+  encryptedClientSecret: z.string().nullable().optional(),
+  clientSecretIV: z.string().nullable().optional(),
+  clientSecretTag: z.string().nullable().optional(),
   allowedEmailDomains: z.string().nullable().optional(),
   isActive: z.boolean(),
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid(),
   lastUsed: z.date().nullable().optional(),
-  manageGroupMemberships: z.boolean().default(false)
+  manageGroupMemberships: z.boolean().default(false),
+  encryptedOidcClientId: zodBuffer,
+  encryptedOidcClientSecret: zodBuffer
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/db/schemas/org-gateway-config.ts

@@ -0,0 +1,43 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const OrgGatewayConfigSchema = z.object({
+  id: z.string().uuid(),
+  rootCaKeyAlgorithm: z.string(),
+  rootCaIssuedAt: z.date(),
+  rootCaExpiration: z.date(),
+  rootCaSerialNumber: z.string(),
+  encryptedRootCaCertificate: zodBuffer,
+  encryptedRootCaPrivateKey: zodBuffer,
+  clientCaIssuedAt: z.date(),
+  clientCaExpiration: z.date(),
+  clientCaSerialNumber: z.string().nullable().optional(),
+  encryptedClientCaCertificate: zodBuffer,
+  encryptedClientCaPrivateKey: zodBuffer,
+  clientCertSerialNumber: z.string(),
+  clientCertKeyAlgorithm: z.string(),
+  clientCertIssuedAt: z.date(),
+  clientCertExpiration: z.date(),
+  encryptedClientCertificate: zodBuffer,
+  encryptedClientPrivateKey: zodBuffer,
+  gatewayCaIssuedAt: z.date(),
+  gatewayCaExpiration: z.date(),
+  gatewayCaSerialNumber: z.string(),
+  encryptedGatewayCaCertificate: zodBuffer,
+  encryptedGatewayCaPrivateKey: zodBuffer,
+  orgId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TOrgGatewayConfig = z.infer<typeof OrgGatewayConfigSchema>;
+export type TOrgGatewayConfigInsert = Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>;
+export type TOrgGatewayConfigUpdate = Partial<Omit<z.input<typeof OrgGatewayConfigSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/organizations.ts

@@ -22,7 +22,11 @@ export const OrganizationsSchema = z.object({
   kmsEncryptedDataKey: zodBuffer.nullable().optional(),
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
-  selectedMfaMethod: z.string().nullable().optional()
+  selectedMfaMethod: z.string().nullable().optional(),
+  allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional(),
+  shouldUseNewPrivilegeSystem: z.boolean().default(true),
+  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
+  privilegeUpgradeInitiatedAt: z.date().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/project-gateways.ts

@@ -0,0 +1,20 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ProjectGatewaysSchema = z.object({
+  id: z.string().uuid(),
+  projectId: z.string(),
+  gatewayId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TProjectGateways = z.infer<typeof ProjectGatewaysSchema>;
+export type TProjectGatewaysInsert = Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>;
+export type TProjectGatewaysUpdate = Partial<Omit<z.input<typeof ProjectGatewaysSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/saml-configs.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const SamlConfigsSchema = z.object({
@@ -23,7 +25,10 @@ export const SamlConfigsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  encryptedSamlEntryPoint: zodBuffer,
+  encryptedSamlIssuer: zodBuffer,
+  encryptedSamlCertificate: zodBuffer
 });
 
 export type TSamlConfigs = z.infer<typeof SamlConfigsSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -16,7 +16,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   enforcementLevel: z.string().default("hard"),
-  deletedAt: z.date().nullable().optional()
+  deletedAt: z.date().nullable().optional(),
+  allowedSelfApprovals: z.boolean().default(true)
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-approval-requests-reviewers.ts

@@ -13,7 +13,8 @@ export const SecretApprovalRequestsReviewersSchema = z.object({
   requestId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  reviewerUserId: z.string().uuid()
+  reviewerUserId: z.string().uuid(),
+  comment: z.string().nullable().optional()
 });
 
 export type TSecretApprovalRequestsReviewers = z.infer<typeof SecretApprovalRequestsReviewersSchema>;

backend/src/db/schemas/secret-folders.ts

@@ -15,7 +15,9 @@ export const SecretFoldersSchema = z.object({
   updatedAt: z.date(),
   envId: z.string().uuid(),
   parentId: z.string().uuid().nullable().optional(),
-  isReserved: z.boolean().default(false).nullable().optional()
+  isReserved: z.boolean().default(false).nullable().optional(),
+  description: z.string().nullable().optional(),
+  lastSecretModified: z.date().nullable().optional()
 });
 
 export type TSecretFolders = z.infer<typeof SecretFoldersSchema>;

backend/src/db/schemas/secret-rotation-v2-secret-mappings.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretRotationV2SecretMappingsSchema = z.object({
+  id: z.string().uuid(),
+  secretId: z.string().uuid(),
+  rotationId: z.string().uuid()
+});
+
+export type TSecretRotationV2SecretMappings = z.infer<typeof SecretRotationV2SecretMappingsSchema>;
+export type TSecretRotationV2SecretMappingsInsert = Omit<
+  z.input<typeof SecretRotationV2SecretMappingsSchema>,
+  TImmutableDBKeys
+>;
+export type TSecretRotationV2SecretMappingsUpdate = Partial<
+  Omit<z.input<typeof SecretRotationV2SecretMappingsSchema>, TImmutableDBKeys>
+>;

backend/src/db/schemas/secret-rotations-v2.ts

@@ -0,0 +1,39 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const SecretRotationsV2Schema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  description: z.string().nullable().optional(),
+  type: z.string(),
+  parameters: z.unknown(),
+  secretsMapping: z.unknown(),
+  encryptedGeneratedCredentials: zodBuffer,
+  isAutoRotationEnabled: z.boolean().default(true),
+  activeIndex: z.number().default(0),
+  folderId: z.string().uuid(),
+  connectionId: z.string().uuid(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  rotationInterval: z.number(),
+  rotateAtUtc: z.unknown(),
+  rotationStatus: z.string(),
+  lastRotationAttemptedAt: z.date(),
+  lastRotatedAt: z.date(),
+  encryptedLastRotationMessage: zodBuffer.nullable().optional(),
+  lastRotationJobId: z.string().nullable().optional(),
+  nextRotationAt: z.date().nullable().optional(),
+  isLastRotationManual: z.boolean().default(true)
+});
+
+export type TSecretRotationsV2 = z.infer<typeof SecretRotationsV2Schema>;
+export type TSecretRotationsV2Insert = Omit<z.input<typeof SecretRotationsV2Schema>, TImmutableDBKeys>;
+export type TSecretRotationsV2Update = Partial<Omit<z.input<typeof SecretRotationsV2Schema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-rotations.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const SecretRotationsSchema = z.object({
@@ -22,7 +24,8 @@ export const SecretRotationsSchema = z.object({
   keyEncoding: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  encryptedRotationData: zodBuffer
 });
 
 export type TSecretRotations = z.infer<typeof SecretRotationsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -26,7 +26,8 @@ export const SecretSharingSchema = z.object({
   lastViewedAt: z.date().nullable().optional(),
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
-  identifier: z.string().nullable().optional()
+  identifier: z.string().nullable().optional(),
+  type: z.string().default("share")
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/secret-versions-v2.ts

@@ -25,7 +25,10 @@ export const SecretVersionsV2Schema = z.object({
   folderId: z.string().uuid(),
   userId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  userActorId: z.string().uuid().nullable().optional(),
+  identityActorId: z.string().uuid().nullable().optional(),
+  actorType: z.string().nullable().optional()
 });
 
 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;

backend/src/db/schemas/super-admin.ts

@@ -23,7 +23,10 @@ export const SuperAdminSchema = z.object({
   defaultAuthOrgId: z.string().uuid().nullable().optional(),
   enabledLoginMethods: z.string().array().nullable().optional(),
   encryptedSlackClientId: zodBuffer.nullable().optional(),
-  encryptedSlackClientSecret: zodBuffer.nullable().optional()
+  encryptedSlackClientSecret: zodBuffer.nullable().optional(),
+  authConsentContent: z.string().nullable().optional(),
+  pageFrameContent: z.string().nullable().optional(),
+  adminIdentityIds: z.string().array().nullable().optional()
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/schemas/webhooks.ts

@@ -5,12 +5,14 @@
 
 import { z } from "zod";
 
+import { zodBuffer } from "@app/lib/zod";
+
 import { TImmutableDBKeys } from "./models";
 
 export const WebhooksSchema = z.object({
   id: z.string().uuid(),
   secretPath: z.string().default("/"),
-  url: z.string(),
+  url: z.string().nullable().optional(),
   lastStatus: z.string().nullable().optional(),
   lastRunErrorMessage: z.string().nullable().optional(),
   isDisabled: z.boolean().default(false),
@@ -25,7 +27,9 @@ export const WebhooksSchema = z.object({
   urlCipherText: z.string().nullable().optional(),
   urlIV: z.string().nullable().optional(),
   urlTag: z.string().nullable().optional(),
-  type: z.string().default("general").nullable().optional()
+  type: z.string().default("general").nullable().optional(),
+  encryptedPassKey: zodBuffer.nullable().optional(),
+  encryptedUrl: zodBuffer
 });
 
 export type TWebhooks = z.infer<typeof WebhooksSchema>;

backend/src/ee/routes/est/certificate-est-router.ts

@@ -16,7 +16,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       // for CSRs sent in PEM, we leave them as is
       // for CSRs sent in base64, we preprocess them to remove new lines and spaces
       if (!csrBody.includes("BEGIN CERTIFICATE REQUEST")) {
-        csrBody = csrBody.replace(/\n/g, "").replace(/ /g, "");
+        csrBody = csrBody.replaceAll("\n", "").replaceAll(" ", "");
       }
 
       done(null, csrBody);

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -29,7 +29,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).default(1),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({
@@ -147,7 +148,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           .array()
           .min(1, { message: "At least one approver should be provided" }),
         approvals: z.number().min(1).optional(),
-        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
+        enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard),
+        allowedSelfApprovals: z.boolean().default(true)
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -110,7 +110,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               secretPath: z.string().nullish(),
               envId: z.string(),
               enforcementLevel: z.string(),
-              deletedAt: z.date().nullish()
+              deletedAt: z.date().nullish(),
+              allowedSelfApprovals: z.boolean()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/dynamic-secret-lease-router.ts

@@ -1,10 +1,10 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
 import { DYNAMIC_SECRET_LEASES } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema } from "@app/server/routes/sanitizedSchemas";

backend/src/ee/routes/v1/dynamic-secret-router.ts

@@ -1,4 +1,3 @@
-import ms from "ms";
 import { z } from "zod";
 
 import { DynamicSecretLeasesSchema } from "@app/db/schemas";
@@ -6,6 +5,7 @@ import { DynamicSecretProviderSchema } from "@app/ee/services/dynamic-secret/pro
 import { DYNAMIC_SECRETS } from "@app/lib/api-docs";
 import { daysToMillisecond } from "@app/lib/dates";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";

backend/src/ee/routes/v1/gateway-router.ts

@@ -0,0 +1,265 @@
+import { z } from "zod";
+
+import { GatewaysSchema } from "@app/db/schemas";
+import { isValidIp } from "@app/lib/ip";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { slugSchema } from "@app/server/lib/schemas";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const SanitizedGatewaySchema = GatewaysSchema.pick({
+  id: true,
+  identityId: true,
+  name: true,
+  createdAt: true,
+  updatedAt: true,
+  issuedAt: true,
+  serialNumber: true,
+  heartbeat: true
+});
+
+const isValidRelayAddress = (relayAddress: string) => {
+  const [ip, port] = relayAddress.split(":");
+  return isValidIp(ip) && Number(port) <= 65535 && Number(port) >= 40000;
+};
+
+export const registerGatewayRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/register-identity",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          turnServerUsername: z.string(),
+          turnServerPassword: z.string(),
+          turnServerRealm: z.string(),
+          turnServerAddress: z.string(),
+          infisicalStaticIp: z.string().optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const relayDetails = await server.services.gateway.getGatewayRelayDetails(
+        req.permission.id,
+        req.permission.orgId,
+        req.permission.authMethod
+      );
+      return relayDetails;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/exchange-cert",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        relayAddress: z.string().refine(isValidRelayAddress, { message: "Invalid relay address" })
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string(),
+          privateKey: z.string(),
+          certificate: z.string(),
+          certificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const gatewayCertificates = await server.services.gateway.exchangeAllocatedRelayAddress({
+        identityOrg: req.permission.orgId,
+        identityId: req.permission.id,
+        relayAddress: req.body.relayAddress,
+        identityOrgAuthMethod: req.permission.authMethod
+      });
+      return gatewayCertificates;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/heartbeat",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      await server.services.gateway.heartbeat({
+        orgPermission: req.permission
+      });
+      return { message: "Successfully registered heartbeat" };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      querystring: z.object({
+        projectId: z.string().optional()
+      }),
+      response: {
+        200: z.object({
+          gateways: SanitizedGatewaySchema.extend({
+            identity: z.object({
+              name: z.string(),
+              id: z.string()
+            }),
+            projects: z
+              .object({
+                name: z.string(),
+                id: z.string(),
+                slug: z.string()
+              })
+              .array()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
+    handler: async (req) => {
+      const gateways = await server.services.gateway.listGateways({
+        orgPermission: req.permission
+      });
+      return { gateways };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/projects/:projectId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        projectId: z.string()
+      }),
+      response: {
+        200: z.object({
+          gateways: SanitizedGatewaySchema.extend({
+            identity: z.object({
+              name: z.string(),
+              id: z.string()
+            }),
+            projectGatewayId: z.string()
+          }).array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
+    handler: async (req) => {
+      const gateways = await server.services.gateway.getProjectGateways({
+        projectId: req.params.projectId,
+        projectPermission: req.permission
+      });
+      return { gateways };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          gateway: SanitizedGatewaySchema.extend({
+            identity: z.object({
+              name: z.string(),
+              id: z.string()
+            })
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
+    handler: async (req) => {
+      const gateway = await server.services.gateway.getGatewayById({
+        orgPermission: req.permission,
+        id: req.params.id
+      });
+      return { gateway };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        name: slugSchema({ field: "name" }).optional(),
+        projectIds: z.string().array().optional()
+      }),
+      response: {
+        200: z.object({
+          gateway: SanitizedGatewaySchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
+    handler: async (req) => {
+      const gateway = await server.services.gateway.updateGatewayById({
+        orgPermission: req.permission,
+        id: req.params.id,
+        name: req.body.name,
+        projectIds: req.body.projectIds
+      });
+      return { gateway };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          gateway: SanitizedGatewaySchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
+    handler: async (req) => {
+      const gateway = await server.services.gateway.deleteGatewayById({
+        orgPermission: req.permission,
+        id: req.params.id
+      });
+      return { gateway };
+    }
+  });
+};

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,11 +1,11 @@
 import slugify from "@sindresorhus/slugify";
-import ms from "ms";
 import { z } from "zod";
 
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
 import { backfillPermissionV1SchemaToV2Schema } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { UnauthorizedError } from "@app/lib/errors";
+import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";

backend/src/ee/routes/v1/index.ts

@@ -7,8 +7,11 @@ import { registerCaCrlRouter } from "./certificate-authority-crl-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerExternalKmsRouter } from "./external-kms-router";
+import { registerGatewayRouter } from "./gateway-router";
 import { registerGroupRouter } from "./group-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerKmipRouter } from "./kmip-router";
+import { registerKmipSpecRouter } from "./kmip-spec-router";
 import { registerLdapRouter } from "./ldap-router";
 import { registerLicenseRouter } from "./license-router";
 import { registerOidcRouter } from "./oidc-router";
@@ -65,6 +68,8 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     { prefix: "/dynamic-secrets" }
   );
 
+  await server.register(registerGatewayRouter, { prefix: "/gateways" });
+
   await server.register(
     async (pkiRouter) => {
       await pkiRouter.register(registerCaCrlRouter, { prefix: "/crl" });
@@ -110,4 +115,12 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   });
 
   await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
+
+  await server.register(
+    async (kmipRouter) => {
+      await kmipRouter.register(registerKmipRouter);
+      await kmipRouter.register(registerKmipSpecRouter, { prefix: "/spec" });
+    },
+    { prefix: "/kmip" }
+  );
 };

backend/src/ee/routes/v1/kmip-router.ts

@@ -0,0 +1,428 @@
+import { z } from "zod";
+
+import { KmipClientsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KmipPermission } from "@app/ee/services/kmip/kmip-enum";
+import { KmipClientOrderBy } from "@app/ee/services/kmip/kmip-types";
+import { ms } from "@app/lib/ms";
+import { OrderByDirection } from "@app/lib/types";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { validateAltNamesField } from "@app/services/certificate-authority/certificate-authority-validators";
+
+const KmipClientResponseSchema = KmipClientsSchema.pick({
+  projectId: true,
+  name: true,
+  id: true,
+  description: true,
+  permissions: true
+});
+
+export const registerKmipRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/clients",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        projectId: z.string(),
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.createKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        name: z.string().trim().min(1),
+        description: z.string().optional(),
+        permissions: z.nativeEnum(KmipPermission).array()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.updateKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.UPDATE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id,
+            name: kmipClient.name,
+            permissions: (kmipClient.permissions ?? []) as KmipPermission[]
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/clients/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.deleteKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.DELETE_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: KmipClientResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmipClient = await server.services.kmip.getKmipClient({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.params
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: kmipClient.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENT,
+          metadata: {
+            id: kmipClient.id
+          }
+        }
+      });
+
+      return kmipClient;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/clients",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "List KMIP clients",
+      querystring: z.object({
+        projectId: z.string(),
+        offset: z.coerce.number().min(0).optional().default(0),
+        limit: z.coerce.number().min(1).max(100).optional().default(100),
+        orderBy: z.nativeEnum(KmipClientOrderBy).optional().default(KmipClientOrderBy.Name),
+        orderDirection: z.nativeEnum(OrderByDirection).optional().default(OrderByDirection.ASC),
+        search: z.string().trim().optional()
+      }),
+      response: {
+        200: z.object({
+          kmipClients: KmipClientResponseSchema.array(),
+          totalCount: z.number()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { kmipClients, totalCount } = await server.services.kmip.listKmipClientsByProjectId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.query
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_KMIP_CLIENTS,
+          metadata: {
+            ids: kmipClients.map((key) => key.id)
+          }
+        }
+      });
+
+      return { kmipClients, totalCount };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/clients/:id/certificates",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string()
+      }),
+      body: z.object({
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          serialNumber: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const certificate = await server.services.kmip.createKmipClientCertificate({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        clientId: req.params.id,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: certificate.projectId,
+        event: {
+          type: EventType.CREATE_KMIP_CLIENT_CERTIFICATE,
+          metadata: {
+            clientId: req.params.id,
+            serialNumber: certificate.serialNumber,
+            ttl: req.body.ttl,
+            keyAlgorithm: req.body.keyAlgorithm
+          }
+        }
+      });
+
+      return certificate;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        caKeyAlgorithm: z.nativeEnum(CertKeyAlgorithm)
+      }),
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const chains = await server.services.kmip.setupOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.SETUP_KMIP,
+          metadata: {
+            keyAlgorithm: req.body.caKeyAlgorithm
+          }
+        }
+      });
+
+      return chains;
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          serverCertificateChain: z.string(),
+          clientCertificateChain: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const kmip = await server.services.kmip.getOrgKmip({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.GET_KMIP,
+          metadata: {
+            id: kmip.id
+          }
+        }
+      });
+
+      return kmip;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/server-registration",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        hostnamesOrIps: validateAltNamesField,
+        commonName: z.string().trim().min(1).optional(),
+        keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional().default(CertKeyAlgorithm.RSA_2048),
+        ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number")
+      }),
+      response: {
+        200: z.object({
+          clientCertificateChain: z.string(),
+          certificateChain: z.string(),
+          certificate: z.string(),
+          privateKey: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const configs = await server.services.kmip.registerServer({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.REGISTER_KMIP_SERVER,
+          metadata: {
+            serverCertificateSerialNumber: configs.serverCertificateSerialNumber,
+            hostnamesOrIps: req.body.hostnamesOrIps,
+            commonName: req.body.commonName ?? "kmip-server",
+            keyAlgorithm: req.body.keyAlgorithm,
+            ttl: req.body.ttl
+          }
+        }
+      });
+
+      return configs;
+    }
+  });
+};

backend/src/ee/routes/v1/kmip-spec-router.ts

@@ -0,0 +1,477 @@
+import z from "zod";
+
+import { KmsKeysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { SymmetricEncryption } from "@app/lib/crypto/cipher";
+import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+
+export const registerKmipSpecRouter = async (server: FastifyZodProvider) => {
+  server.decorateRequest("kmipUser", null);
+
+  server.addHook("onRequest", async (req) => {
+    const clientId = req.headers["x-kmip-client-id"] as string;
+    const projectId = req.headers["x-kmip-project-id"] as string;
+    const clientCertSerialNumber = req.headers["x-kmip-client-certificate-serial-number"] as string;
+    const serverCertSerialNumber = req.headers["x-kmip-server-certificate-serial-number"] as string;
+
+    if (!serverCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing server certificate serial number from request"
+      });
+    }
+
+    if (!clientCertSerialNumber) {
+      throw new ForbiddenRequestError({
+        message: "Missing client certificate serial number from request"
+      });
+    }
+
+    if (!clientId) {
+      throw new ForbiddenRequestError({
+        message: "Missing client ID from request"
+      });
+    }
+
+    if (!projectId) {
+      throw new ForbiddenRequestError({
+        message: "Missing project ID from request"
+      });
+    }
+
+    // TODO: assert that server certificate used is not revoked
+    // TODO: assert that client certificate used is not revoked
+
+    const kmipClient = await server.store.kmipClient.findByProjectAndClientId(projectId, clientId);
+
+    if (!kmipClient) {
+      throw new NotFoundError({
+        message: "KMIP client cannot be found."
+      });
+    }
+
+    if (kmipClient.orgId !== req.permission.orgId) {
+      throw new ForbiddenRequestError({
+        message: "Client specified in the request does not belong in the organization"
+      });
+    }
+
+    req.kmipUser = {
+      projectId,
+      clientId,
+      name: kmipClient.name
+    };
+  });
+
+  server.route({
+    method: "POST",
+    url: "/create",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for creating managed objects",
+      body: z.object({
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: KmsKeysSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.create({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        algorithm: req.body.algorithm
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_CREATE,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          value: z.string(),
+          algorithm: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.get({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/get-attributes",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for getting attributes of managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          algorithm: z.string(),
+          isActive: z.boolean(),
+          createdAt: z.date(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.getAttributes({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_GET_ATTRIBUTES,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/destroy",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for destroying managed objects",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.destroy({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_DESTROY,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/activate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for activating managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          isActive: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.activate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_ACTIVATE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/revoke",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for revoking managed object",
+      body: z.object({
+        id: z.string()
+      }),
+      response: {
+        200: z.object({
+          id: z.string(),
+          updatedAt: z.date()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.revoke({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.body.id
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REVOKE,
+          metadata: {
+            id: object.id
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/locate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for locating managed objects",
+      response: {
+        200: z.object({
+          objects: z
+            .object({
+              id: z.string(),
+              name: z.string(),
+              isActive: z.boolean(),
+              algorithm: z.string(),
+              createdAt: z.date(),
+              updatedAt: z.date()
+            })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const objects = await server.services.kmipOperation.locate({
+        ...req.kmipUser,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_LOCATE,
+          metadata: {
+            ids: objects.map((obj) => obj.id)
+          }
+        }
+      });
+
+      return {
+        objects
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/register",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "KMIP endpoint for registering managed object",
+      body: z.object({
+        key: z.string(),
+        name: z.string(),
+        algorithm: z.nativeEnum(SymmetricEncryption)
+      }),
+      response: {
+        200: z.object({
+          id: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const object = await server.services.kmipOperation.register({
+        ...req.kmipUser,
+        ...req.body,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId: req.kmipUser.projectId,
+        actor: {
+          type: ActorType.KMIP_CLIENT,
+          metadata: {
+            clientId: req.kmipUser.clientId,
+            name: req.kmipUser.name
+          }
+        },
+        event: {
+          type: EventType.KMIP_OPERATION_REGISTER,
+          metadata: {
+            id: object.id,
+            algorithm: req.body.algorithm,
+            name: object.name
+          }
+        }
+      });
+
+      return object;
+    }
+  });
+};

backend/src/ee/routes/v1/ldap-router.ts

@@ -14,7 +14,7 @@ import { FastifyRequest } from "fastify";
 import LdapStrategy from "passport-ldapauth";
 import { z } from "zod";
 
-import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
+import { LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
@@ -22,6 +22,7 @@ import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedLdapConfigSchema } from "@app/server/routes/sanitizedSchema/directory-config";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerLdapRouter = async (server: FastifyZodProvider) => {
@@ -60,8 +61,8 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           if (ldapConfig.groupSearchBase) {
             const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
             const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
-              .replace(/{{\.Username}}/g, user.uid)
-              .replace(/{{\.UserDN}}/g, user.dn);
+              .replaceAll("{{.Username}}", user.uid)
+              .replaceAll("{{.UserDN}}", user.dn);
 
             if (!isValidLdapFilter(groupSearchFilter)) {
               throw new Error("Generated LDAP search filter is invalid.");
@@ -187,7 +188,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         caCert: z.string().trim().default("")
       }),
       response: {
-        200: LdapConfigsSchema
+        200: SanitizedLdapConfigSchema
       }
     },
     handler: async (req) => {
@@ -228,7 +229,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         .partial()
         .merge(z.object({ organizationId: z.string() })),
       response: {
-        200: LdapConfigsSchema
+        200: SanitizedLdapConfigSchema
       }
     },
     handler: async (req) => {

backend/src/ee/routes/v1/oidc-router.ts

@@ -11,13 +11,28 @@ import fastifySession from "@fastify/session";
 import RedisStore from "connect-redis";
 import { z } from "zod";
 
-import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
+import { OidcConfigsSchema } from "@app/db/schemas";
 import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
+const SanitizedOidcConfigSchema = OidcConfigsSchema.pick({
+  id: true,
+  issuer: true,
+  authorizationEndpoint: true,
+  configurationType: true,
+  discoveryURL: true,
+  jwksUri: true,
+  tokenEndpoint: true,
+  userinfoEndpoint: true,
+  orgId: true,
+  isActive: true,
+  allowedEmailDomains: true,
+  manageGroupMemberships: true
+});
+
 export const registerOidcRouter = async (server: FastifyZodProvider) => {
   const appCfg = getConfig();
   const passport = new Authenticator({ key: "oidc", userProperty: "passportUser" });
@@ -142,7 +157,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
         orgSlug: z.string().trim()
       }),
       response: {
-        200: OidcConfigsSchema.pick({
+        200: SanitizedOidcConfigSchema.pick({
           id: true,
           issuer: true,
           authorizationEndpoint: true,
@@ -214,7 +229,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
       response: {
-        200: OidcConfigsSchema.pick({
+        200: SanitizedOidcConfigSchema.pick({
           id: true,
           issuer: true,
           authorizationEndpoint: true,
@@ -327,20 +342,7 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           }
         }),
       response: {
-        200: OidcConfigsSchema.pick({
-          id: true,
-          issuer: true,
-          authorizationEndpoint: true,
-          configurationType: true,
-          discoveryURL: true,
-          jwksUri: true,
-          tokenEndpoint: true,
-          userinfoEndpoint: true,
-          orgId: true,
-          isActive: true,
-          allowedEmailDomains: true,
-          manageGroupMemberships: true
-        })
+        200: SanitizedOidcConfigSchema
       }
     },
 

backend/src/ee/routes/v1/project-template-router.ts

@@ -9,7 +9,7 @@ import { ProjectTemplates } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
+import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const MAX_JSON_SIZE_LIMIT_IN_BYTES = 32_768;

backend/src/ee/routes/v1/saml-router.ts

@@ -12,20 +12,20 @@ import { MultiSamlStrategy } from "@node-saml/passport-saml";
 import { FastifyRequest } from "fastify";
 import { z } from "zod";
 
-import { SamlConfigsSchema } from "@app/db/schemas";
 import { SamlProviders, TGetSamlCfgDTO } from "@app/ee/services/saml-config/saml-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { SanitizedSamlConfigSchema } from "@app/server/routes/sanitizedSchema/directory-config";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 type TSAMLConfig = {
   callbackUrl: string;
   entryPoint: string;
   issuer: string;
-  cert: string;
+  idpCert: string;
   audience: string;
   wantAuthnResponseSigned?: boolean;
   wantAssertionsSigned?: boolean;
@@ -72,7 +72,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
               callbackUrl: `${appCfg.SITE_URL}/api/v1/sso/saml2/${ssoConfig.id}`,
               entryPoint: ssoConfig.entryPoint,
               issuer: ssoConfig.issuer,
-              cert: ssoConfig.cert,
+              idpCert: ssoConfig.cert,
               audience: appCfg.SITE_URL || ""
             };
             if (ssoConfig.authProvider === SamlProviders.JUMPCLOUD_SAML) {
@@ -298,19 +298,25 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         cert: z.string()
       }),
       response: {
-        200: SamlConfigsSchema
+        200: SanitizedSamlConfigSchema
       }
     },
     handler: async (req) => {
-      const saml = await server.services.saml.createSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.createSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
       });
-      return saml;
     }
   });
 
@@ -333,19 +339,25 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
         .partial()
         .merge(z.object({ organizationId: z.string() })),
       response: {
-        200: SamlConfigsSchema
+        200: SanitizedSamlConfigSchema
       }
     },
     handler: async (req) => {
-      const saml = await server.services.saml.updateSamlCfg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.body.organizationId,
-        ...req.body
+      const { isActive, authProvider, issuer, entryPoint, cert } = req.body;
+      const { permission } = req;
+
+      return server.services.saml.updateSamlCfg({
+        isActive,
+        authProvider,
+        issuer,
+        entryPoint,
+        idpCert: cert,
+        actor: permission.type,
+        actorId: permission.id,
+        actorAuthMethod: permission.authMethod,
+        actorOrgId: permission.orgId,
+        orgId: req.body.organizationId
       });
-      return saml;
     }
   });
 };