Merge pull request #1782 from akhilmhdh/feat/privilege-identity-api-change

Privilege identity api change

.infisicalignore

@@ -2,5 +2,4 @@
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292

backend/src/@types/fastify.d.ts

@@ -1,8 +1,6 @@
 import "fastify";
 
 import { TUsers } from "@app/db/schemas";
-import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
 import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
@@ -115,8 +113,6 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
-      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
       secretApprovalRequest: TSecretApprovalRequestServiceFactory;
       secretRotation: TSecretRotationServiceFactory;

backend/src/@types/knex.d.ts

@@ -2,18 +2,6 @@ import { Knex } from "knex";
 
 import {
   TableName,
-  TAccessApprovalPolicies,
-  TAccessApprovalPoliciesApprovers,
-  TAccessApprovalPoliciesApproversInsert,
-  TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesInsert,
-  TAccessApprovalPoliciesUpdate,
-  TAccessApprovalRequests,
-  TAccessApprovalRequestsInsert,
-  TAccessApprovalRequestsReviewers,
-  TAccessApprovalRequestsReviewersInsert,
-  TAccessApprovalRequestsReviewersUpdate,
-  TAccessApprovalRequestsUpdate,
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
@@ -50,9 +38,6 @@ import {
   TGroupProjectMemberships,
   TGroupProjectMembershipsInsert,
   TGroupProjectMembershipsUpdate,
-  TGroupProjectUserAdditionalPrivilege,
-  TGroupProjectUserAdditionalPrivilegeInsert,
-  TGroupProjectUserAdditionalPrivilegeUpdate,
   TGroups,
   TGroupsInsert,
   TGroupsUpdate,
@@ -293,11 +278,6 @@ declare module "knex/types/tables" {
       TProjectUserMembershipRolesInsert,
       TProjectUserMembershipRolesUpdate
     >;
-    [TableName.GroupProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
-      TGroupProjectUserAdditionalPrivilege,
-      TGroupProjectUserAdditionalPrivilegeInsert,
-      TGroupProjectUserAdditionalPrivilegeUpdate
-    >;
     [TableName.ProjectRoles]: Knex.CompositeTableType<TProjectRoles, TProjectRolesInsert, TProjectRolesUpdate>;
     [TableName.ProjectUserAdditionalPrivilege]: Knex.CompositeTableType<
       TProjectUserAdditionalPrivilege,
@@ -364,31 +344,6 @@ declare module "knex/types/tables" {
       TIdentityProjectAdditionalPrivilegeInsert,
       TIdentityProjectAdditionalPrivilegeUpdate
     >;
-
-    [TableName.AccessApprovalPolicy]: Knex.CompositeTableType<
-      TAccessApprovalPolicies,
-      TAccessApprovalPoliciesInsert,
-      TAccessApprovalPoliciesUpdate
-    >;
-
-    [TableName.AccessApprovalPolicyApprover]: Knex.CompositeTableType<
-      TAccessApprovalPoliciesApprovers,
-      TAccessApprovalPoliciesApproversInsert,
-      TAccessApprovalPoliciesApproversUpdate
-    >;
-
-    [TableName.AccessApprovalRequest]: Knex.CompositeTableType<
-      TAccessApprovalRequests,
-      TAccessApprovalRequestsInsert,
-      TAccessApprovalRequestsUpdate
-    >;
-
-    [TableName.AccessApprovalRequestReviewer]: Knex.CompositeTableType<
-      TAccessApprovalRequestsReviewers,
-      TAccessApprovalRequestsReviewersInsert,
-      TAccessApprovalRequestsReviewersUpdate
-    >;
-
     [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
     [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
       TSecretApprovalPolicies,

backend/src/db/migrations/20240503201144_access-approval-policy.ts

@@ -1,41 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicy))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicy, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("approvals").defaultTo(1).notNullable();
-      t.uuid("envId").notNullable();
-      t.string("secretPath");
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("approverUserId").nullable();
-      t.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyApprover);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicy);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-}

backend/src/db/migrations/20240503202144_group-project-user-additional-privilege.ts

@@ -1,37 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.GroupProjectUserAdditionalPrivilege))) {
-    await knex.schema.createTable(TableName.GroupProjectUserAdditionalPrivilege, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("slug", 60).notNullable();
-
-      t.uuid("groupProjectMembershipId").notNullable();
-      t.foreign("groupProjectMembershipId")
-        .references("id")
-        .inTable(TableName.GroupProjectMembership)
-        .onDelete("CASCADE");
-
-      t.uuid("requestedByUserId").notNullable();
-      t.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.boolean("isTemporary").notNullable().defaultTo(false);
-      t.string("temporaryMode");
-      t.string("temporaryRange"); // could be cron or relative time like 1H or 1minute etc
-      t.datetime("temporaryAccessStartTime");
-      t.datetime("temporaryAccessEndTime");
-      t.jsonb("permissions").notNullable();
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.GroupProjectUserAdditionalPrivilege);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.GroupProjectUserAdditionalPrivilege);
-  await knex.schema.dropTableIfExists(TableName.GroupProjectUserAdditionalPrivilege);
-}

backend/src/db/migrations/20240503203144_access_approval_requests.ts

@@ -1,69 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequest))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequest, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-
-      t.uuid("projectUserPrivilegeId").nullable();
-      t.foreign("projectUserPrivilegeId")
-        .references("id")
-        .inTable(TableName.ProjectUserAdditionalPrivilege)
-        .onDelete("CASCADE");
-
-      t.uuid("groupProjectUserPrivilegeId").nullable();
-      t.foreign("groupProjectUserPrivilegeId")
-        .references("id")
-        .inTable(TableName.GroupProjectUserAdditionalPrivilege)
-        .onDelete("CASCADE");
-
-      t.uuid("requestedByUserId").notNullable();
-      t.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.uuid("projectMembershipId").nullable();
-      t.foreign("projectMembershipId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-
-      t.uuid("groupMembershipId").nullable();
-      t.foreign("groupMembershipId").references("id").inTable(TableName.GroupProjectMembership).onDelete("CASCADE");
-
-      // We use these values to create the actual privilege at a later point in time.
-      t.boolean("isTemporary").notNullable();
-      t.string("temporaryRange").nullable();
-
-      t.jsonb("permissions").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("memberUserId").notNullable();
-      t.foreign("memberUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-
-      t.string("status").notNullable();
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequestReviewer);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequest);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-}

backend/src/db/migrations/20240503204144_fix-db-reference-for-groups-and-project-memberships.ts

@@ -1,71 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // SecretApprovalPolicyApprover, approverUserId
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (t) => {
-      t.uuid("approverId").nullable().alter();
-
-      t.uuid("approverUserId").nullable();
-      t.foreign("approverUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-
-  // SecretApprovalRequest, statusChangeByUserId
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeByUserId"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      t.uuid("statusChangeBy").nullable().alter();
-
-      t.uuid("statusChangeByUserId").nullable();
-      t.foreign("statusChangeByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
-    });
-  }
-
-  // SecretApprovalRequest, committerUserId
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      t.uuid("committerId").nullable().alter();
-
-      t.uuid("committerUserId").nullable();
-      t.foreign("committerUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-
-  // SecretApprovalRequestReviewer, memberUserId
-  if (!(await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "memberUserId"))) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.uuid("member").nullable().alter();
-
-      t.uuid("memberUserId").nullable();
-      t.foreign("memberUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SecretApprovalPolicyApprover, "approverUserId")) {
-    await knex.schema.alterTable(TableName.SecretApprovalPolicyApprover, (t) => {
-      t.dropColumn("approverUserId");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SecretApprovalRequest, "statusChangeByUserId")) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      t.dropColumn("statusChangeByUserId");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId")) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequest, (t) => {
-      t.dropColumn("committerUserId");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SecretApprovalRequestReviewer, "memberUserId")) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestReviewer, (t) => {
-      t.dropColumn("memberUserId");
-    });
-  }
-}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesApproversSchema = z.object({
-  id: z.string().uuid(),
-  approverUserId: z.string().uuid().nullable().optional(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
-export type TAccessApprovalPoliciesApproversInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesApproversSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesApproversUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesApproversSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-policies.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  approvals: z.number().default(1),
-  envId: z.string().uuid(),
-  secretPath: z.string().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;
-export type TAccessApprovalPoliciesInsert = Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>;
-export type TAccessApprovalPoliciesUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests-reviewers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsReviewersSchema = z.object({
-  id: z.string().uuid(),
-  memberUserId: z.string().uuid(),
-  status: z.string(),
-  requestId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
-export type TAccessApprovalRequestsReviewersInsert = Omit<
-  z.input<typeof AccessApprovalRequestsReviewersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalRequestsReviewersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsReviewersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests.ts

@@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  projectUserPrivilegeId: z.string().uuid().nullable().optional(),
-  groupProjectUserPrivilegeId: z.string().uuid().nullable().optional(),
-  requestedByUserId: z.string().uuid(),
-  projectMembershipId: z.string().uuid().nullable().optional(),
-  groupMembershipId: z.string().uuid().nullable().optional(),
-  isTemporary: z.boolean(),
-  temporaryRange: z.string().nullable().optional(),
-  permissions: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
-export type TAccessApprovalRequestsInsert = Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>;
-export type TAccessApprovalRequestsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/group-project-user-additional-privilege.ts

@@ -1,32 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const GroupProjectUserAdditionalPrivilegeSchema = z.object({
-  id: z.string().uuid(),
-  slug: z.string(),
-  groupProjectMembershipId: z.string().uuid(),
-  requestedByUserId: z.string().uuid(),
-  isTemporary: z.boolean().default(false),
-  temporaryMode: z.string().nullable().optional(),
-  temporaryRange: z.string().nullable().optional(),
-  temporaryAccessStartTime: z.date().nullable().optional(),
-  temporaryAccessEndTime: z.date().nullable().optional(),
-  permissions: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TGroupProjectUserAdditionalPrivilege = z.infer<typeof GroupProjectUserAdditionalPrivilegeSchema>;
-export type TGroupProjectUserAdditionalPrivilegeInsert = Omit<
-  z.input<typeof GroupProjectUserAdditionalPrivilegeSchema>,
-  TImmutableDBKeys
->;
-export type TGroupProjectUserAdditionalPrivilegeUpdate = Partial<
-  Omit<z.input<typeof GroupProjectUserAdditionalPrivilegeSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/index.ts

@@ -1,7 +1,3 @@
-export * from "./access-approval-policies";
-export * from "./access-approval-policies-approvers";
-export * from "./access-approval-requests";
-export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
 export * from "./audit-log-streams";
 export * from "./audit-logs";
@@ -14,7 +10,6 @@ export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
 export * from "./group-project-memberships";
-export * from "./group-project-user-additional-privilege";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";

backend/src/db/schemas/models.ts

@@ -25,7 +25,6 @@ export enum TableName {
   ProjectMembership = "project_memberships",
   ProjectRoles = "project_roles",
   ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
-  GroupProjectUserAdditionalPrivilege = "group_project_user_additional_privilege",
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
@@ -51,10 +50,6 @@ export enum TableName {
   IdentityProjectMembershipRole = "identity_project_membership_role",
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   ScimToken = "scim_tokens",
-  AccessApprovalPolicy = "access_approval_policies",
-  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
-  AccessApprovalRequest = "access_approval_requests",
-  AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalRequest = "secret_approval_requests",

backend/src/db/schemas/secret-approval-policies-approvers.ts

@@ -9,11 +9,10 @@ import { TImmutableDBKeys } from "./models";
 
 export const SecretApprovalPoliciesApproversSchema = z.object({
   id: z.string().uuid(),
-  approverId: z.string().uuid().nullable().optional(),
+  approverId: z.string().uuid(),
   policyId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  approverUserId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TSecretApprovalPoliciesApprovers = z.infer<typeof SecretApprovalPoliciesApproversSchema>;

backend/src/db/schemas/secret-approval-requests-reviewers.ts

@@ -9,12 +9,11 @@ import { TImmutableDBKeys } from "./models";
 
 export const SecretApprovalRequestsReviewersSchema = z.object({
   id: z.string().uuid(),
-  member: z.string().uuid().nullable().optional(),
+  member: z.string().uuid(),
   status: z.string(),
   requestId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  memberUserId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TSecretApprovalRequestsReviewers = z.infer<typeof SecretApprovalRequestsReviewersSchema>;

backend/src/db/schemas/secret-approval-requests.ts

@@ -16,11 +16,9 @@ export const SecretApprovalRequestsSchema = z.object({
   slug: z.string(),
   folderId: z.string().uuid(),
   statusChangeBy: z.string().uuid().nullable().optional(),
-  committerId: z.string().uuid().nullable().optional(),
+  committerId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  statusChangeByUserId: z.string().uuid().nullable().optional(),
-  committerUserId: z.string().uuid().nullable().optional()
+  updatedAt: z.date()
 });
 
 export type TSecretApprovalRequests = z.infer<typeof SecretApprovalRequestsSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,170 +0,0 @@
-import { nanoid } from "nanoid";
-import { z } from "zod";
-
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
-      });
-      return { approval };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          approvals: sapPubSchema
-            .extend({ approvers: z.string().nullish().array(), secretPath: z.string().optional() })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approvals = await server.services.accessApprovalPolicy.getAccessApprovalPolicyByProjectSlug({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectSlug: req.query.projectSlug
-      });
-      return { approvals };
-    }
-  });
-
-  server.route({
-    url: "/count",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string(),
-        envSlug: z.string()
-      }),
-      response: {
-        200: z.object({
-          count: z.number()
-        })
-      }
-    },
-
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { count } = await server.services.accessApprovalPolicy.getAccessPolicyCountByEnvSlug({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        projectSlug: req.query.projectSlug,
-        actorOrgId: req.permission.orgId,
-        envSlug: req.query.envSlug
-      });
-      return { count };
-    }
-  });
-
-  server.route({
-    url: "/:policyId",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        policyId: z.string()
-      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
-        policyId: req.params.policyId,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body
-      });
-    }
-  });
-
-  server.route({
-    url: "/:policyId",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        policyId: z.string()
-      }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        policyId: req.params.policyId
-      });
-      return { approval };
-    }
-  });
-};

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -1,192 +0,0 @@
-import { z } from "zod";
-
-import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema } from "@app/db/schemas";
-import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerAccessApprovalRequestRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        permissions: z.any().array(),
-        isTemporary: z.boolean(),
-        temporaryRange: z.string().optional()
-      }),
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          approval: AccessApprovalRequestsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { request } = await server.services.accessApprovalRequest.createAccessApprovalRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        permissions: req.body.permissions,
-        actorOrgId: req.permission.orgId,
-        projectSlug: req.query.projectSlug,
-        temporaryRange: req.body.temporaryRange,
-        isTemporary: req.body.isTemporary
-      });
-      return { approval: request };
-    }
-  });
-
-  server.route({
-    url: "/count",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          pendingCount: z.number(),
-          finalizedCount: z.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { count } = await server.services.accessApprovalRequest.getCount({
-        projectSlug: req.query.projectSlug,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      return { ...count };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim(),
-        authorUserId: z.string().trim().optional(),
-        envSlug: z.string().trim().optional()
-      }),
-      response: {
-        200: z.object({
-          requests: AccessApprovalRequestsSchema.extend({
-            environmentName: z.string(),
-            isApproved: z.boolean(),
-            privilege: z
-              .object({
-                projectMembershipId: z.string().nullish(),
-                groupMembershipId: z.string().nullish(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().nullish(),
-                temporaryRange: z.string().nullish(),
-                temporaryAccessStartTime: z.date().nullish(),
-                temporaryAccessEndTime: z.date().nullish(),
-                permissions: z.unknown()
-              })
-              .nullable(),
-            policy: z.object({
-              id: z.string(),
-              name: z.string(),
-              approvals: z.number(),
-              approvers: z.string().array(),
-              secretPath: z.string().nullish(),
-              envId: z.string()
-            }),
-            reviewers: z
-              .object({
-                member: z.string(),
-                status: z.string()
-              })
-              .array()
-          }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
-        projectSlug: req.query.projectSlug,
-        envSlug: req.query.envSlug,
-        authorUserId: req.query.authorUserId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      return { requests };
-    }
-  });
-
-  server.route({
-    url: "/:requestId",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        requestId: z.string().trim()
-      }),
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          request: AccessApprovalRequestsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { request } = await server.services.accessApprovalRequest.deleteAccessApprovalRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        requestId: req.params.requestId,
-        projectSlug: req.query.projectSlug
-      });
-
-      return { request };
-    }
-  });
-
-  server.route({
-    url: "/:requestId/review",
-    method: "POST",
-    schema: {
-      params: z.object({
-        requestId: z.string().trim()
-      }),
-      body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
-      }),
-      response: {
-        200: z.object({
-          review: AccessApprovalRequestsReviewersSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const review = await server.services.accessApprovalRequest.reviewAccessRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        requestId: req.params.requestId,
-        status: req.body.status
-      });
-
-      return { review };
-    }
-  });
-};

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,16 +1,14 @@
-import { MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
+import { packRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
-import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
-import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { PermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -41,11 +39,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -92,7 +90,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -107,7 +105,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -157,7 +155,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: PermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
@@ -175,7 +173,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -219,7 +217,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -260,7 +258,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: IdentityProjectAdditionalPrivilegeSchema
+          privilege: SanitizedIdentityPrivilegeSchema
         })
       }
     },
@@ -293,16 +291,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       ],
       querystring: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
-        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug),
-        unpacked: z
-          .enum(["false", "true"])
-          .transform((el) => el === "true")
-          .default("true")
-          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.unpacked)
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug)
       }),
       response: {
         200: z.object({
-          privileges: IdentityProjectAdditionalPrivilegeSchema.array()
+          privileges: SanitizedIdentityPrivilegeSchema.array()
         })
       }
     },
@@ -315,15 +308,9 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         actorOrgId: req.permission.orgId,
         ...req.query
       });
-      if (req.query.unpacked) {
-        return {
-          privileges: privileges.map(({ permissions, ...el }) => ({
-            ...el,
-            permissions: unpackRules(permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
-          }))
-        };
-      }
-      return { privileges };
+      return {
+        privileges
+      };
     }
   });
 };

backend/src/ee/routes/v1/index.ts

@@ -1,6 +1,4 @@
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
-import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
-import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerGroupRouter } from "./group-router";
@@ -43,9 +41,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     prefix: "/secret-rotation-providers"
   });
 
-  await server.register(registerAccessApprovalPolicyRouter, { prefix: "/access-approvals/policies" });
-  await server.register(registerAccessApprovalRequestRouter, { prefix: "/access-approvals/requests" });
-
   await server.register(
     async (dynamicSecretRouter) => {
       await dynamicSecretRouter.register(registerDynamicSecretRouter);

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -130,7 +130,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       }),
       response: {
         200: z.object({
-          approvals: sapPubSchema.merge(z.object({ approvers: z.string().nullish().array() })).array()
+          approvals: sapPubSchema.merge(z.object({ approvers: z.string().array() })).array()
         })
       }
     },
@@ -161,7 +161,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       }),
       response: {
         200: z.object({
-          policy: sapPubSchema.merge(z.object({ approvers: z.string().nullish().array() })).optional()
+          policy: sapPubSchema.merge(z.object({ approvers: z.string().array() })).optional()
         })
       }
     },

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -197,7 +197,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
           type: isClosing ? EventType.SECRET_APPROVAL_CLOSED : EventType.SECRET_APPROVAL_REOPENED,
           // eslint-disable-next-line
           metadata: {
-            [isClosing ? ("closedBy" as const) : ("reopenedBy" as const)]: approval.statusChangeByUserId as string,
+            [isClosing ? ("closedBy" as const) : ("reopenedBy" as const)]: approval.statusChangeBy as string,
             secretApprovalRequestId: approval.id,
             secretApprovalRequestSlug: approval.slug
             // eslint-disable-next-line

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyApproverDALFactory = ReturnType<typeof accessApprovalPolicyApproverDALFactory>;
-
-export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
-  return { ...accessApprovalPolicyApproverOrm };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,76 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName, TAccessApprovalPolicies } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, mergeOneToManyRelation, ormify, selectAllTableCols, TFindFilter } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
-
-export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);
-
-  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
-    const result = await tx(TableName.AccessApprovalPolicy)
-      // eslint-disable-next-line
-      .where(buildFindFilter(filter))
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .join(
-        TableName.AccessApprovalPolicyApprover,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyApprover}.policyId`
-      )
-      .select(tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
-      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
-      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
-      .select(tx.ref("projectId").withSchema(TableName.Environment))
-      .select(selectAllTableCols(TableName.AccessApprovalPolicy));
-
-    return result;
-  };
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const doc = await accessApprovalPolicyFindQuery(tx || db, {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
-      });
-      const formatedDoc = mergeOneToManyRelation(
-        doc,
-        "id",
-        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
-          ...el,
-          envId,
-          environment: { id: envId, name, slug }
-        }),
-        ({ approverUserId }) => approverUserId,
-        "approvers"
-      );
-      return formatedDoc?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindById" });
-    }
-  };
-
-  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
-    try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db, filter);
-      const formatedDoc = mergeOneToManyRelation(
-        docs,
-        "id",
-        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
-          ...el,
-          envId,
-          environment: { id: envId, name, slug }
-        }),
-        ({ approverUserId }) => approverUserId,
-        "approvers"
-      );
-      return formatedDoc.map((policy) => ({ ...policy, secretPath: policy.secretPath || undefined }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find" });
-    }
-  };
-
-  return { ...accessApprovalPolicyOrm, find, findById };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -1,36 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-
-import { BadRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
-
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
-
-export const verifyApprovers = async ({
-  userIds,
-  projectId,
-  orgId,
-  envSlug,
-  actorAuthMethod,
-  secretPath,
-  permissionService
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
-    try {
-      const { permission: approverPermission } = await permissionService.getProjectPermission(
-        ActorType.USER,
-        userId,
-        projectId,
-        actorAuthMethod,
-        orgId
-      );
-
-      ForbiddenError.from(approverPermission).throwUnlessCan(
-        ProjectPermissionActions.Create,
-        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
-      );
-    } catch (err) {
-      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
-    }
-  }
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,271 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";
-
-import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
-import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
-import {
-  TCreateAccessApprovalPolicy,
-  TDeleteAccessApprovalPolicy,
-  TGetAccessPolicyCountByEnvironmentDTO,
-  TListAccessApprovalPoliciesDTO,
-  TUpdateAccessApprovalPolicy
-} from "./access-approval-policy-types";
-
-type TSecretApprovalPolicyServiceFactoryDep = {
-  projectDAL: TProjectDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
-  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
-  userDAL: Pick<TUserDALFactory, "findUsersByProjectId">;
-};
-
-export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
-
-export const accessApprovalPolicyServiceFactory = ({
-  accessApprovalPolicyDAL,
-  accessApprovalPolicyApproverDAL,
-  permissionService,
-  projectEnvDAL,
-  userDAL,
-  projectDAL
-}: TSecretApprovalPolicyServiceFactoryDep) => {
-  const createAccessApprovalPolicy = async ({
-    name,
-    actor,
-    actorId,
-    actorOrgId,
-    secretPath,
-    actorAuthMethod,
-    approvals,
-    approvers,
-    projectSlug,
-    environment
-  }: TCreateAccessApprovalPolicy) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    if (approvals > approvers.length)
-      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      ProjectPermissionSub.SecretApproval
-    );
-    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
-
-    // We need to get the users by project ID to ensure they are part of the project.
-    const accessApproverUsers = await userDAL.findUsersByProjectId(
-      project.id,
-      approvers.map((approverUserId) => approverUserId)
-    );
-
-    if (accessApproverUsers.length !== approvers.length) {
-      throw new BadRequestError({ message: "Approver not found in project" });
-    }
-
-    await verifyApprovers({
-      projectId: project.id,
-      orgId: actorOrgId,
-      envSlug: environment,
-      secretPath,
-      actorAuthMethod,
-      permissionService,
-      userIds: accessApproverUsers.map((user) => user.id)
-    });
-
-    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
-      const doc = await accessApprovalPolicyDAL.create(
-        {
-          envId: env.id,
-          approvals,
-          secretPath,
-          name
-        },
-        tx
-      );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        accessApproverUsers.map((user) => ({
-          approverUserId: user.id,
-          policyId: doc.id
-        })),
-        tx
-      );
-      return doc;
-    });
-    return { ...accessApproval, environment: env, projectId: project.id };
-  };
-
-  const getAccessApprovalPolicyByProjectSlug = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug
-  }: TListAccessApprovalPoliciesDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    // Anyone in the project should be able to get the policies.
-    /* const { permission } = */ await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
-
-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
-    return accessApprovalPolicies;
-  };
-
-  const updateAccessApprovalPolicy = async ({
-    policyId,
-    approvers,
-    secretPath,
-    name,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    approvals
-  }: TUpdateAccessApprovalPolicy) => {
-    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      accessApprovalPolicy.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
-
-    const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
-      const doc = await accessApprovalPolicyDAL.updateById(
-        accessApprovalPolicy.id,
-        {
-          approvals,
-          secretPath,
-          name
-        },
-        tx
-      );
-      if (approvers) {
-        // Find the workspace project memberships of the users passed in the approvers array
-        const secretApproverUsers = await userDAL.findUsersByProjectId(
-          accessApprovalPolicy.projectId,
-          approvers.map((approverUserId) => approverUserId)
-        );
-
-        await verifyApprovers({
-          projectId: accessApprovalPolicy.projectId,
-          orgId: actorOrgId,
-          envSlug: accessApprovalPolicy.environment.slug,
-          secretPath: doc.secretPath!,
-          actorAuthMethod,
-          permissionService,
-          userIds: secretApproverUsers.map((user) => user.id)
-        });
-
-        if (secretApproverUsers.length !== approvers.length)
-          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
-        await accessApprovalPolicyApproverDAL.insertMany(
-          secretApproverUsers.map((user) => ({
-            approverUserId: user.id,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-      return doc;
-    });
-    return {
-      ...updatedPolicy,
-      environment: accessApprovalPolicy.environment,
-      projectId: accessApprovalPolicy.projectId
-    };
-  };
-
-  const deleteAccessApprovalPolicy = async ({
-    policyId,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TDeleteAccessApprovalPolicy) => {
-    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      policy.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      ProjectPermissionSub.SecretApproval
-    );
-
-    await accessApprovalPolicyDAL.deleteById(policyId);
-    return policy;
-  };
-
-  const getAccessPolicyCountByEnvSlug = async ({
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug,
-    actorId,
-    envSlug
-  }: TGetAccessPolicyCountByEnvironmentDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
-
-    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
-
-    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
-
-    return { count: policies.length };
-  };
-
-  return {
-    getAccessPolicyCountByEnvSlug,
-    createAccessApprovalPolicy,
-    deleteAccessApprovalPolicy,
-    updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug
-  };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -1,44 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-import { ActorAuthMethod } from "@app/services/auth/auth-type";
-
-import { TPermissionServiceFactory } from "../permission/permission-service";
-
-export type TVerifyApprovers = {
-  userIds: string[];
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  envSlug: string;
-  actorAuthMethod: ActorAuthMethod;
-  secretPath: string;
-  projectId: string;
-  orgId: string;
-};
-
-export type TCreateAccessApprovalPolicy = {
-  approvals: number;
-  secretPath: string;
-  environment: string;
-  approvers: string[];
-  projectSlug: string;
-  name: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateAccessApprovalPolicy = {
-  policyId: string;
-  approvals?: number;
-  approvers?: string[];
-  secretPath?: string;
-  name?: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteAccessApprovalPolicy = {
-  policyId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetAccessPolicyCountByEnvironmentDTO = {
-  envSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListAccessApprovalPoliciesDTO = {
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,378 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
-
-import { ApprovalStatus } from "./access-approval-request-types";
-
-export type TAccessApprovalRequestDALFactory = ReturnType<typeof accessApprovalRequestDALFactory>;
-
-export const accessApprovalRequestDALFactory = (db: TDbClient) => {
-  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
-  const projectUserAdditionalPrivilegeOrm = ormify(db, TableName.ProjectUserAdditionalPrivilege);
-  const groupProjectUserAdditionalPrivilegeOrm = ormify(db, TableName.GroupProjectUserAdditionalPrivilege);
-
-  const deleteMany = async (filter: TFindFilter<TAccessApprovalRequests>, tx?: Knex) => {
-    const transaction = tx || (await db.transaction());
-
-    try {
-      const accessApprovalRequests = await accessApprovalRequestOrm.find(filter, { tx: transaction });
-
-      await projectUserAdditionalPrivilegeOrm.delete(
-        {
-          $in: {
-            id: accessApprovalRequests
-              .filter((req) => Boolean(req.projectUserPrivilegeId))
-              .map((req) => req.projectUserPrivilegeId!)
-          }
-        },
-        transaction
-      );
-
-      await groupProjectUserAdditionalPrivilegeOrm.delete(
-        {
-          $in: {
-            id: accessApprovalRequests
-              .filter((req) => Boolean(req.groupProjectUserPrivilegeId))
-              .map((req) => req.groupProjectUserPrivilegeId!)
-          }
-        },
-        transaction
-      );
-
-      return await accessApprovalRequestOrm.delete(filter, transaction);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "DeleteManyAccessApprovalRequest" });
-    }
-  };
-
-  const findRequestsWithPrivilegeByPolicyIds = async (policyIds: string[]) => {
-    try {
-      const docs = await db(TableName.AccessApprovalRequest)
-        .whereIn(`${TableName.AccessApprovalRequest}.policyId`, policyIds)
-
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.projectUserPrivilegeId`,
-          `${TableName.ProjectUserAdditionalPrivilege}.id`
-        )
-        .leftJoin(
-          TableName.GroupProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.groupProjectUserPrivilegeId`,
-          `${TableName.GroupProjectUserAdditionalPrivilege}.id`
-        )
-        .leftJoin(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalRequest}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-
-        .leftJoin(
-          TableName.AccessApprovalRequestReviewer,
-          `${TableName.AccessApprovalRequest}.id`,
-          `${TableName.AccessApprovalRequestReviewer}.requestId`
-        )
-        .leftJoin(
-          TableName.AccessApprovalPolicyApprover,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyApprover}.policyId`
-        )
-
-        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-
-        .select(selectAllTableCols(TableName.AccessApprovalRequest))
-        .select(
-          db.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
-          db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
-          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
-        )
-
-        .select(db.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover))
-
-        .select(
-          db.ref("projectId").withSchema(TableName.Environment),
-          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-          db.ref("name").withSchema(TableName.Environment).as("envName")
-        )
-
-        .select(
-          db.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
-          db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
-        )
-
-        // Project user additional privilege
-        .select(
-          db
-            .ref("projectMembershipId")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("projectPrivilegeProjectMembershipId"),
-
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("projectPrivilegeIsTemporary"),
-
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("projectPrivilegeTemporaryMode"),
-
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("projectPrivilegeTemporaryRange"),
-
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("projectPrivilegeTemporaryAccessStartTime"),
-
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("projectPrivilegeTemporaryAccessEndTime"),
-
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("projectPrivilegePermissions")
-        )
-        // Group project user additional privilege
-        .select(
-          db
-            .ref("groupProjectMembershipId")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeGroupProjectMembershipId"),
-
-          db
-            .ref("requestedByUserId")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeRequestedByUserId"),
-
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeIsTemporary"),
-
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeTemporaryMode"),
-
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeTemporaryRange"),
-
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeTemporaryAccessStartTime"),
-
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegeTemporaryAccessEndTime"),
-          db
-            .ref("permissions")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("groupPrivilegePermissions")
-        )
-        .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");
-
-      const projectUserFormattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc),
-          projectId: doc.projectId,
-          environment: doc.envSlug,
-          environmentName: doc.envName,
-          policy: {
-            id: doc.policyId,
-            name: doc.policyName,
-            approvals: doc.policyApprovals,
-            secretPath: doc.policySecretPath,
-            envId: doc.policyEnvId
-          },
-          // eslint-disable-next-line no-nested-ternary
-          privilege: doc.projectUserPrivilegeId
-            ? {
-                projectMembershipId: doc.projectMembershipId,
-                groupMembershipId: null,
-                requestedByUserId: null,
-                isTemporary: doc.projectPrivilegeIsTemporary,
-                temporaryMode: doc.projectPrivilegeTemporaryMode,
-                temporaryRange: doc.projectPrivilegeTemporaryRange,
-                temporaryAccessStartTime: doc.projectPrivilegeTemporaryAccessStartTime,
-                temporaryAccessEndTime: doc.projectPrivilegeTemporaryAccessEndTime,
-                permissions: doc.projectPrivilegePermissions
-              }
-            : doc.groupProjectUserPrivilegeId
-              ? {
-                  groupMembershipId: doc.groupPrivilegeGroupProjectMembershipId,
-                  requestedByUserId: doc.groupPrivilegeRequestedByUserId,
-                  projectMembershipId: null,
-                  isTemporary: doc.groupPrivilegeIsTemporary,
-                  temporaryMode: doc.groupPrivilegeTemporaryMode,
-                  temporaryRange: doc.groupPrivilegeTemporaryRange,
-                  temporaryAccessStartTime: doc.groupPrivilegeTemporaryAccessStartTime,
-                  temporaryAccessEndTime: doc.groupPrivilegeTemporaryAccessEndTime,
-                  permissions: doc.groupPrivilegePermissions
-                }
-              : null,
-
-          isApproved: Boolean(doc.projectUserPrivilegeId || doc.groupProjectUserPrivilegeId)
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerUserId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerUserId, reviewerStatus: status }) =>
-              reviewerUserId ? { member: reviewerUserId, status } : undefined
-          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
-        ]
-      });
-
-      if (!projectUserFormattedDocs) return [];
-
-      return projectUserFormattedDocs.map((doc) => ({
-        ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers }
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
-    }
-  };
-
-  const findQuery = (filter: TFindFilter<TAccessApprovalRequests>, tx: Knex) =>
-    tx(TableName.AccessApprovalRequest)
-      .where(filter)
-      .join(
-        TableName.AccessApprovalPolicy,
-        `${TableName.AccessApprovalRequest}.policyId`,
-        `${TableName.AccessApprovalPolicy}.id`
-      )
-
-      .join(
-        TableName.AccessApprovalPolicyApprover,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyApprover}.policyId`
-      )
-      .leftJoin(
-        TableName.AccessApprovalRequestReviewer,
-        `${TableName.AccessApprovalRequest}.id`,
-        `${TableName.AccessApprovalRequestReviewer}.requestId`
-      )
-
-      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .select(selectAllTableCols(TableName.AccessApprovalRequest))
-      .select(
-        tx.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerUserId"),
-        tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
-        tx.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
-        tx.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
-        tx.ref("projectId").withSchema(TableName.Environment),
-        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
-        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("approverUserId").withSchema(TableName.AccessApprovalPolicyApprover)
-      );
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db);
-      const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (el) => ({
-          ...AccessApprovalRequestsSchema.parse(el),
-          projectId: el.projectId,
-          environment: el.environment,
-          policy: {
-            id: el.policyId,
-            name: el.policyName,
-            approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
-          }
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerUserId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerUserId, reviewerStatus: status }) =>
-              reviewerUserId ? { member: reviewerUserId, status } : undefined
-          },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
-        ]
-      });
-      if (!formatedDoc?.[0]) return;
-      return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
-      };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
-    }
-  };
-
-  const getCount = async ({ projectId }: { projectId: string }) => {
-    try {
-      const accessRequests = await db(TableName.AccessApprovalRequest)
-        .leftJoin(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalRequest}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-        .leftJoin(
-          TableName.AccessApprovalRequestReviewer,
-          `${TableName.AccessApprovalRequest}.id`,
-          `${TableName.AccessApprovalRequestReviewer}.requestId`
-        )
-
-        .where(`${TableName.Environment}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.AccessApprovalRequest))
-        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
-        .select(db.ref("memberUserId").withSchema(TableName.AccessApprovalRequestReviewer).as("memberUserId"));
-
-      const formattedRequests = sqlNestRelationships({
-        data: accessRequests,
-        key: "id",
-        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc)
-        }),
-        childrenMapper: [
-          {
-            key: "memberUserId",
-            label: "reviewers" as const,
-            mapper: ({ memberUserId, reviewerStatus: status }) =>
-              memberUserId ? { member: memberUserId, status } : undefined
-          }
-        ]
-      });
-
-      // an approval is pending if there is no reviewer rejections and no privilege ID is set
-      const pendingApprovals = formattedRequests.filter(
-        (req) =>
-          !req.projectUserPrivilegeId &&
-          !req.groupProjectUserPrivilegeId &&
-          !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
-      );
-
-      // an approval is finalized if there are any rejections or a privilege ID is set
-      const finalizedApprovals = formattedRequests.filter(
-        (req) =>
-          req.projectUserPrivilegeId ||
-          req.groupProjectUserPrivilegeId ||
-          req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
-      );
-
-      return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetCountAccessApprovalRequest" });
-    }
-  };
-
-  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount, delete: deleteMany };
-};

backend/src/ee/services/access-approval-request/access-approval-request-fns.ts

@@ -1,53 +0,0 @@
-import { PackRule, unpackRules } from "@casl/ability/extra";
-
-import { UnauthorizedError } from "@app/lib/errors";
-
-import { TVerifyPermission } from "./access-approval-request-types";
-
-function filterUnique(value: string, index: number, array: string[]) {
-  return array.indexOf(value) === index;
-}
-
-export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) => {
-  const permission = unpackRules(
-    permissions as PackRule<{
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      conditions?: Record<string, any>;
-      action: string;
-      subject: [string];
-    }>[]
-  );
-
-  if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
-  }
-
-  const requestedPermissions: string[] = [];
-
-  for (const p of permission) {
-    if (p.action[0] === "read") requestedPermissions.push("Read Access");
-    if (p.action[0] === "create") requestedPermissions.push("Create Access");
-    if (p.action[0] === "delete") requestedPermissions.push("Delete Access");
-    if (p.action[0] === "edit") requestedPermissions.push("Edit Access");
-  }
-
-  const firstPermission = permission[0];
-
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
-  const permissionSecretPath = firstPermission.conditions?.secretPath?.$glob;
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment
-  const permissionEnv = firstPermission.conditions?.environment;
-
-  if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
-  }
-  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
-  }
-
-  return {
-    envSlug: permissionEnv,
-    secretPath: permissionSecretPath,
-    accessTypes: requestedPermissions.filter(filterUnique)
-  };
-};

backend/src/ee/services/access-approval-request/access-approval-request-reviewer-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TAccessApprovalRequestReviewerDALFactory = ReturnType<typeof accessApprovalRequestReviewerDALFactory>;
-
-export const accessApprovalRequestReviewerDALFactory = (db: TDbClient) => {
-  const secretApprovalRequestReviewerOrm = ormify(db, TableName.AccessApprovalRequestReviewer);
-  return secretApprovalRequestReviewerOrm;
-};

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,502 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-
-import { ProjectMembershipRole, TProjectUserAdditionalPrivilege } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { TUserDALFactory } from "@app/services/user/user-dal";
-
-import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
-import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
-import { TGroupProjectUserAdditionalPrivilegeDALFactory } from "../group-project-user-additional-privilege/group-project-user-additional-privilege-dal";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
-import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
-import { verifyRequestedPermissions } from "./access-approval-request-fns";
-import { TAccessApprovalRequestReviewerDALFactory } from "./access-approval-request-reviewer-dal";
-import {
-  ApprovalStatus,
-  TCreateAccessApprovalRequestDTO,
-  TDeleteApprovalRequestDTO,
-  TGetAccessRequestCountDTO,
-  TListApprovalRequestsDTO,
-  TReviewAccessRequestDTO
-} from "./access-approval-request-types";
-
-type TAccessApprovalRequestServiceFactoryDep = {
-  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById" | "deleteById">;
-  groupAdditionalPrivilegeDAL: TGroupProjectUserAdditionalPrivilegeDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalPolicyApproverDAL: Pick<TAccessApprovalPolicyApproverDALFactory, "find">;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug">;
-  accessApprovalRequestDAL: Pick<
-    TAccessApprovalRequestDALFactory,
-    | "create"
-    | "find"
-    | "findRequestsWithPrivilegeByPolicyIds"
-    | "findById"
-    | "transaction"
-    | "updateById"
-    | "findOne"
-    | "getCount"
-    | "deleteById"
-  >;
-  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
-  accessApprovalRequestReviewerDAL: Pick<
-    TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction"
-  >;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
-  smtpService: Pick<TSmtpService, "sendMail">;
-  userDAL: Pick<
-    TUserDALFactory,
-    "findUserByProjectMembershipId" | "findUsersByProjectMembershipIds" | "findUsersByProjectId" | "findUserByProjectId"
-  >;
-};
-
-export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
-
-export const accessApprovalRequestServiceFactory = ({
-  projectDAL,
-  projectEnvDAL,
-  permissionService,
-  accessApprovalRequestDAL,
-  groupAdditionalPrivilegeDAL,
-  accessApprovalRequestReviewerDAL,
-  projectMembershipDAL,
-  accessApprovalPolicyDAL,
-  accessApprovalPolicyApproverDAL,
-  additionalPrivilegeDAL,
-  smtpService,
-  userDAL
-}: TAccessApprovalRequestServiceFactoryDep) => {
-  const createAccessApprovalRequest = async ({
-    isTemporary,
-    temporaryRange,
-    actorId,
-    permissions: requestedPermissions,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug
-  }: TCreateAccessApprovalRequestDTO) => {
-    const cfg = getConfig();
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
-    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-
-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
-
-    const policy = await accessApprovalPolicyDAL.findOne({
-      envId: environment.id,
-      secretPath
-    });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
-
-    const approvers = await accessApprovalPolicyApproverDAL.find({
-      policyId: policy.id
-    });
-
-    if (approvers.some((approver) => !approver.approverUserId)) {
-      throw new BadRequestError({ message: "Policy approvers must be assigned to users" });
-    }
-
-    const approverUsers = await userDAL.findUsersByProjectId(
-      project.id,
-      approvers.map((approver) => approver.approverUserId!)
-    );
-
-    const requestedByUser = await userDAL.findUserByProjectId(project.id, actorId);
-
-    if (!requestedByUser) throw new BadRequestError({ message: "User not found in project" });
-
-    const duplicateRequests = await accessApprovalRequestDAL.find({
-      policyId: policy.id,
-      requestedByUserId: actorId,
-      permissions: JSON.stringify(requestedPermissions),
-      isTemporary
-    });
-
-    if (duplicateRequests?.length > 0) {
-      for await (const duplicateRequest of duplicateRequests) {
-        let foundPrivilege: Pick<
-          TProjectUserAdditionalPrivilege,
-          "temporaryAccessEndTime" | "isTemporary" | "id"
-        > | null = null;
-
-        if (duplicateRequest.projectUserPrivilegeId) {
-          foundPrivilege = await additionalPrivilegeDAL.findById(duplicateRequest.projectUserPrivilegeId);
-        } else if (duplicateRequest.groupProjectUserPrivilegeId) {
-          foundPrivilege = await groupAdditionalPrivilegeDAL.findById(duplicateRequest.groupProjectUserPrivilegeId);
-        }
-
-        if (foundPrivilege) {
-          const isExpired = new Date() > new Date(foundPrivilege.temporaryAccessEndTime || ("" as string));
-
-          if (!isExpired || !foundPrivilege.isTemporary) {
-            throw new BadRequestError({ message: "You already have an active privilege with the same criteria" });
-          }
-        } else {
-          const reviewers = await accessApprovalRequestReviewerDAL.find({
-            requestId: duplicateRequest.id
-          });
-
-          const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
-
-          if (!isRejected) {
-            throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
-          }
-        }
-      }
-    }
-
-    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
-      const requesterUser = await userDAL.findUserByProjectId(project.id, actorId);
-
-      if (!requesterUser?.projectMembershipId && !requesterUser?.groupProjectMembershipId) {
-        throw new BadRequestError({ message: "You don't have a membership for this project" });
-      }
-
-      const approvalRequest = await accessApprovalRequestDAL.create(
-        {
-          projectMembershipId: requesterUser.projectMembershipId || null,
-          groupMembershipId: requesterUser.groupProjectMembershipId || null,
-          policyId: policy.id,
-          requestedByUserId: actorId, // This is the user ID of the person who made the request
-          temporaryRange: temporaryRange || null,
-          permissions: JSON.stringify(requestedPermissions),
-          isTemporary
-        },
-        tx
-      );
-
-      await smtpService.sendMail({
-        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
-        subjectLine: "Access Approval Request",
-
-        substitutions: {
-          projectName: project.name,
-          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
-          requesterEmail: requestedByUser.email,
-          isTemporary,
-          ...(isTemporary && {
-            expiresIn: ms(ms(temporaryRange || ""), { long: true })
-          }),
-          secretPath,
-          environment: envSlug,
-          permissions: accessTypes,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
-        },
-        template: SmtpTemplates.AccessApprovalRequest
-      });
-
-      return approvalRequest;
-    });
-
-    return { request: approval };
-  };
-
-  const deleteAccessApprovalRequest = async ({
-    projectSlug,
-    actor,
-    requestId,
-    actorOrgId,
-    actorId,
-    actorAuthMethod
-  }: TDeleteApprovalRequestDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    const { membership, permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      ProjectPermissionSub.SecretApproval
-    );
-
-    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-
-    if (!accessApprovalRequest?.projectUserPrivilegeId && !accessApprovalRequest?.groupProjectUserPrivilegeId) {
-      throw new BadRequestError({ message: "Access request must be approved to be deleted" });
-    }
-
-    if (accessApprovalRequest?.projectId !== project.id) {
-      throw new UnauthorizedError({ message: "Request not found in project" });
-    }
-
-    const approvers = await accessApprovalPolicyApproverDAL.find({
-      policyId: accessApprovalRequest.policyId
-    });
-
-    // make sure the actor (actorId) is an approver
-    if (!approvers.some((approver) => approver.approverUserId === actorId)) {
-      throw new UnauthorizedError({ message: "Only policy approvers can delete access requests" });
-    }
-
-    if (accessApprovalRequest.projectUserPrivilegeId) {
-      await additionalPrivilegeDAL.deleteById(accessApprovalRequest.projectUserPrivilegeId);
-    } else if (accessApprovalRequest.groupProjectUserPrivilegeId) {
-      await groupAdditionalPrivilegeDAL.deleteById(accessApprovalRequest.groupProjectUserPrivilegeId);
-    }
-
-    return { request: accessApprovalRequest };
-  };
-
-  const listApprovalRequests = async ({
-    projectSlug,
-    authorUserId,
-    envSlug,
-    actor,
-    actorOrgId,
-    actorId,
-    actorAuthMethod
-  }: TListApprovalRequestsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
-    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
-
-    if (authorUserId) requests = requests.filter((request) => request.requestedByUserId === authorUserId);
-    if (envSlug) requests = requests.filter((request) => request.environment === envSlug);
-
-    return { requests };
-  };
-
-  const reviewAccessRequest = async ({
-    requestId,
-    actor,
-    status,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TReviewAccessRequestDTO) => {
-    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
-
-    const { policy } = accessApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      accessApprovalRequest.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    if (
-      !hasRole(ProjectMembershipRole.Admin) &&
-      accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
-      !policy.approvers.find((approverUserId) => approverUserId === membership.id) // The request isn't performed by an assigned approver
-    ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
-    }
-
-    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
-
-    await verifyApprovers({
-      projectId: accessApprovalRequest.projectId,
-      orgId: actorOrgId,
-      envSlug: accessApprovalRequest.environment,
-      secretPath: accessApprovalRequest.policy.secretPath!,
-      actorAuthMethod,
-      permissionService,
-      userIds: [reviewerProjectMembership.userId]
-    });
-
-    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
-    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
-      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
-    }
-
-    const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const review = await accessApprovalRequestReviewerDAL.findOne(
-        {
-          requestId: accessApprovalRequest.id,
-          memberUserId: actorId
-        },
-        tx
-      );
-      if (!review) {
-        const newReview = await accessApprovalRequestReviewerDAL.create(
-          {
-            status,
-            requestId: accessApprovalRequest.id,
-            memberUserId: actorId
-          },
-          tx
-        );
-
-        const allReviews = [...existingReviews, newReview];
-
-        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
-
-        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
-        if (approvedReviews.length === policy.approvals) {
-          if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
-            throw new BadRequestError({ message: "Temporary range is required for temporary access" });
-          }
-
-          let projectUserPrivilegeId: string | null = null;
-          let groupProjectMembershipId: string | null = null;
-
-          if (!accessApprovalRequest.groupMembershipId && !accessApprovalRequest.projectMembershipId) {
-            throw new BadRequestError({ message: "Project membership or group membership is required" });
-          }
-
-          // Permanent access
-          if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
-            if (accessApprovalRequest.groupMembershipId) {
-              // Group user privilege
-              const groupProjectUserAdditionalPrivilege = await groupAdditionalPrivilegeDAL.create(
-                {
-                  groupProjectMembershipId: accessApprovalRequest.groupMembershipId,
-                  requestedByUserId: accessApprovalRequest.requestedByUserId,
-                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                  permissions: JSON.stringify(accessApprovalRequest.permissions)
-                },
-                tx
-              );
-
-              groupProjectMembershipId = groupProjectUserAdditionalPrivilege.id;
-            } else {
-              // Project user privilege
-              const privilege = await additionalPrivilegeDAL.create(
-                {
-                  projectMembershipId: accessApprovalRequest.projectMembershipId!,
-                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                  permissions: JSON.stringify(accessApprovalRequest.permissions)
-                },
-                tx
-              );
-              projectUserPrivilegeId = privilege.id;
-            }
-          } else {
-            // Temporary access
-            const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
-            const startTime = new Date();
-
-            if (accessApprovalRequest.groupMembershipId) {
-              //  Group user privilege
-              const groupProjectUserAdditionalPrivilege = await groupAdditionalPrivilegeDAL.create(
-                {
-                  groupProjectMembershipId: accessApprovalRequest.groupMembershipId,
-                  requestedByUserId: accessApprovalRequest.requestedByUserId,
-                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                  permissions: JSON.stringify(accessApprovalRequest.permissions),
-                  isTemporary: true,
-                  temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
-                  temporaryRange: accessApprovalRequest.temporaryRange!,
-                  temporaryAccessStartTime: startTime,
-                  temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
-                },
-                tx
-              );
-
-              groupProjectMembershipId = groupProjectUserAdditionalPrivilege.id;
-            } else {
-              const privilege = await additionalPrivilegeDAL.create(
-                {
-                  projectMembershipId: accessApprovalRequest.projectMembershipId!,
-                  slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                  permissions: JSON.stringify(accessApprovalRequest.permissions),
-                  isTemporary: true,
-                  temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
-                  temporaryRange: accessApprovalRequest.temporaryRange!,
-                  temporaryAccessStartTime: startTime,
-                  temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
-                },
-                tx
-              );
-              projectUserPrivilegeId = privilege.id;
-            }
-          }
-
-          if (projectUserPrivilegeId) {
-            await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { projectUserPrivilegeId }, tx);
-          } else if (groupProjectMembershipId) {
-            await accessApprovalRequestDAL.updateById(
-              accessApprovalRequest.id,
-              { groupProjectUserPrivilegeId: groupProjectMembershipId },
-              tx
-            );
-          } else {
-            throw new BadRequestError({ message: "No privilege was created" });
-          }
-        }
-
-        return newReview;
-      }
-      throw new BadRequestError({ message: "You have already reviewed this request" });
-    });
-
-    return reviewStatus;
-  };
-
-  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
-
-    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
-
-    return { count };
-  };
-
-  return {
-    createAccessApprovalRequest,
-    listApprovalRequests,
-    reviewAccessRequest,
-    deleteAccessApprovalRequest,
-    getCount
-  };
-};

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -1,38 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export enum ApprovalStatus {
-  PENDING = "pending",
-  APPROVED = "approved",
-  REJECTED = "rejected"
-}
-
-export type TVerifyPermission = {
-  permissions: unknown;
-};
-
-export type TGetAccessRequestCountDTO = {
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TReviewAccessRequestDTO = {
-  requestId: string;
-  status: ApprovalStatus;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TCreateAccessApprovalRequestDTO = {
-  projectSlug: string;
-  permissions: unknown;
-  isTemporary: boolean;
-  temporaryRange?: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListApprovalRequestsDTO = {
-  projectSlug: string;
-  authorUserId?: string;
-  envSlug?: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteApprovalRequestDTO = {
-  requestId: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -625,9 +625,9 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
+    committedBy: string;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
-    committedByUser?: string | null; // Needs to be nullable for backward compatibility
   };
 }
 

backend/src/ee/services/group-project-user-additional-privilege/group-project-user-additional-privilege-dal.ts

@@ -1,12 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TGroupProjectUserAdditionalPrivilegeDALFactory = ReturnType<
-  typeof groupProjectUserAdditionalPrivilegeDALFactory
->;
-
-export const groupProjectUserAdditionalPrivilegeDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.GroupProjectUserAdditionalPrivilege);
-  return orm;
-};

backend/src/ee/services/group/group-dal.ts

@@ -5,78 +5,10 @@ import { TableName, TGroups } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";
 
-import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
-
 export type TGroupDALFactory = ReturnType<typeof groupDALFactory>;
 
-export const groupDALFactory = (db: TDbClient, userGroupMembershipDAL: TUserGroupMembershipDALFactory) => {
+export const groupDALFactory = (db: TDbClient) => {
   const groupOrm = ormify(db, TableName.Groups);
-  const groupMembershipOrm = ormify(db, TableName.GroupProjectMembership);
-  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
-  const secretApprovalRequestOrm = ormify(db, TableName.SecretApprovalRequest);
-
-  const deleteMany = async (filterQuery: TFindFilter<TGroups>, tx?: Knex) => {
-    const transaction = tx || (await db.transaction());
-
-    // Find all memberships
-    const groups = await groupOrm.find(filterQuery, { tx: transaction });
-
-    for await (const group of groups) {
-      // Find all the group memberships of the groups (a group membership is which projects the group is a part of)
-      const groupProjectMemberships = await groupMembershipOrm.find(
-        { groupId: group.id },
-        {
-          tx: transaction
-        }
-      );
-
-      // For each of those group memberships, we need to find all the members of the group that don't have a regular membership in the project
-      for await (const groupMembership of groupProjectMemberships) {
-        const members = await userGroupMembershipDAL.findGroupMembersNotInProject(
-          group.id,
-          groupMembership.projectId,
-          transaction
-        );
-
-        // We then delete all the access approval requests and secret approval requests associated with these members
-        await accessApprovalRequestOrm.delete(
-          {
-            groupMembershipId: groupMembership.id,
-            $in: {
-              requestedByUserId: members.map(({ user }) => user.id)
-            }
-          },
-          transaction
-        );
-
-        const policies = await (tx || db)(TableName.SecretApprovalPolicy)
-          .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-          .where(`${TableName.Environment}.projectId`, groupMembership.projectId)
-          .select(selectAllTableCols(TableName.SecretApprovalPolicy));
-
-        await secretApprovalRequestOrm.delete(
-          {
-            $in: {
-              policyId: policies.map(({ id }) => id),
-              committerUserId: members.map(({ user }) => user.id)
-            }
-          },
-          transaction
-        );
-      }
-    }
-
-    await groupOrm.delete(
-      {
-        $in: {
-          id: groups.map((group) => group.id)
-        }
-      },
-      transaction
-    );
-
-    return groups;
-  };
 
   const findGroups = async (filter: TFindFilter<TGroups>, { offset, limit, sort, tx }: TFindOpt<TGroups> = {}) => {
     try {
@@ -190,10 +122,9 @@ export const groupDALFactory = (db: TDbClient, userGroupMembershipDAL: TUserGrou
   };
 
   return {
-    ...groupOrm,
     findGroups,
     findByOrgId,
     findAllGroupMembers,
-    delete: deleteMany
+    ...groupOrm
   };
 };

backend/src/ee/services/group/group-fns.ts

@@ -266,9 +266,6 @@ export const removeUsersFromGroupByUserIds = async ({
   userIds,
   userDAL,
   userGroupMembershipDAL,
-  accessApprovalRequestDAL,
-  secretApprovalRequestDAL,
-  secretApprovalPolicyDAL,
   groupProjectDAL,
   projectKeyDAL,
   tx: outerTx
@@ -325,15 +322,19 @@ export const removeUsersFromGroupByUserIds = async ({
     });
 
     if (membersToRemoveFromGroupNonPending.length) {
-      const groupProjectMemberships = await groupProjectDAL.find(
-        {
-          groupId: group.id
-        },
-        { tx }
-      );
-
       // check which projects the group is part of
-      const projectIds = Array.from(new Set(groupProjectMemberships.map((gp) => gp.projectId)));
+      const projectIds = Array.from(
+        new Set(
+          (
+            await groupProjectDAL.find(
+              {
+                groupId: group.id
+              },
+              { tx }
+            )
+          ).map((gp) => gp.projectId)
+        )
+      );
 
       // TODO: this part can be optimized
       for await (const userId of userIds) {
@@ -352,35 +353,10 @@ export const removeUsersFromGroupByUserIds = async ({
           );
         }
 
-        await accessApprovalRequestDAL.delete(
-          {
-            $in: {
-              groupMembershipId: groupProjectMemberships
-                .filter((gp) => projectsToDeleteKeyFor.includes(gp.projectId))
-                .map((gp) => gp.id)
-            },
-            requestedByUserId: userId
-          },
-          tx
-        );
-
-        const projectSecretApprovalPolicies = await secretApprovalPolicyDAL.findByProjectIds(projectIds);
-        await secretApprovalRequestDAL.delete(
-          {
-            committerUserId: userId,
-            $in: {
-              policyId: projectSecretApprovalPolicies.map((p) => p.id)
-            }
-          },
-          tx
-        );
-
         await userGroupMembershipDAL.delete(
           {
             groupId: group.id,
-            $in: {
-              userId: membersToRemoveFromGroupNonPending.map((member) => member.id)
-            }
+            userId
           },
           tx
         );
@@ -388,15 +364,12 @@ export const removeUsersFromGroupByUserIds = async ({
     }
 
     if (membersToRemoveFromGroupPending.length) {
-      await userGroupMembershipDAL.delete(
-        {
-          groupId: group.id,
-          $in: {
-            userId: membersToRemoveFromGroupPending.map((member) => member.id)
-          }
-        },
-        tx
-      );
+      await userGroupMembershipDAL.delete({
+        groupId: group.id,
+        $in: {
+          userId: membersToRemoveFromGroupPending.map((member) => member.id)
+        }
+      });
     }
 
     return membersToRemoveFromGroupNonPending.concat(membersToRemoveFromGroupPending);

backend/src/ee/services/group/group-service.ts

@@ -12,12 +12,9 @@ import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { TGroupDALFactory } from "./group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns";
 import {
@@ -44,9 +41,6 @@ type TGroupServiceFactoryDep = {
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
-  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
 };
 
 export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
@@ -56,9 +50,6 @@ export const groupServiceFactory = ({
   groupDAL,
   groupProjectDAL,
   orgDAL,
-  secretApprovalRequestDAL,
-  secretApprovalPolicyDAL,
-  accessApprovalRequestDAL,
   userGroupMembershipDAL,
   projectDAL,
   projectBotDAL,
@@ -337,9 +328,6 @@ export const groupServiceFactory = ({
       group,
       userIds: [user.id],
       userDAL,
-      accessApprovalRequestDAL,
-      secretApprovalPolicyDAL,
-      secretApprovalRequestDAL,
       userGroupMembershipDAL,
       groupProjectDAL,
       projectKeyDAL

backend/src/ee/services/group/group-types.ts

@@ -10,10 +10,6 @@ import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
-import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
-
 export type TCreateGroupDTO = {
   name: string;
   slug?: string;
@@ -81,9 +77,6 @@ export type TRemoveUsersFromGroupByUserIds = {
   group: TGroups;
   userIds: string[];
   userDAL: Pick<TUserDALFactory, "find" | "transaction">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
-  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
-  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
   userGroupMembershipDAL: Pick<TUserGroupMembershipDALFactory, "find" | "filterProjectsByUserMembership" | "delete">;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "delete">;

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,5 +1,7 @@
-import { ForbiddenError } from "@casl/ability";
+import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
+import { PackRule, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
+import { z } from "zod";
 
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
@@ -8,7 +10,7 @@ import { TIdentityProjectDALFactory } from "@app/services/identity-project/ident
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
   IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -30,6 +32,27 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
   typeof identityProjectAdditionalPrivilegeServiceFactory
 >;
 
+// TODO(akhilmhdh): move this to more centralized
+export const UnpackedPermissionSchema = z.object({
+  subject: z.union([z.string().min(1), z.string().array()]).optional(),
+  action: z.union([z.string().min(1), z.string().array()]),
+  conditions: z
+    .object({
+      environment: z.string().optional(),
+      secretPath: z
+        .object({
+          $glob: z.string().min(1)
+        })
+        .optional()
+    })
+    .optional()
+});
+
+const unpackPermissions = (permissions: unknown) =>
+  UnpackedPermissionSchema.array().parse(
+    unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
+  );
+
 export const identityProjectAdditionalPrivilegeServiceFactory = ({
   identityProjectAdditionalPrivilegeDAL,
   identityProjectDAL,
@@ -86,7 +109,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         slug,
         permissions: customPermission
       });
-      return additionalPrivilege;
+      return {
+        ...additionalPrivilege,
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
     }
 
     const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
@@ -100,7 +126,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
-    return additionalPrivilege;
+    return {
+      ...additionalPrivilege,
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
   };
 
   const updateBySlug = async ({
@@ -163,7 +192,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
-      return additionalPrivilege;
+      return {
+        ...additionalPrivilege,
+
+        permissions: unpackPermissions(additionalPrivilege.permissions)
+      };
     }
 
     const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
@@ -174,7 +207,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryRange: null,
       temporaryMode: null
     });
-    return additionalPrivilege;
+    return {
+      ...additionalPrivilege,
+
+      permissions: unpackPermissions(additionalPrivilege.permissions)
+    };
   };
 
   const deleteBySlug = async ({
@@ -220,7 +257,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
-    return deletedPrivilege;
+    return {
+      ...deletedPrivilege,
+
+      permissions: unpackPermissions(deletedPrivilege.permissions)
+    };
   };
 
   const getPrivilegeDetailsBySlug = async ({
@@ -254,7 +295,10 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
-    return identityPrivilege;
+    return {
+      ...identityPrivilege,
+      permissions: unpackPermissions(identityPrivilege.permissions)
+    };
   };
 
   const listIdentityProjectPrivileges = async ({
@@ -284,7 +328,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
       projectMembershipId: identityProjectMembership.id
     });
-    return identityPrivileges;
+    return identityPrivileges.map((el) => ({
+      ...el,
+
+      permissions: unpackPermissions(el.permissions)
+    }));
   };
 
   return {

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -26,12 +26,9 @@ import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { TLdapConfigDALFactory } from "./ldap-config-dal";
 import {
   TCreateLdapCfgDTO,
@@ -70,9 +67,6 @@ type TLdapConfigServiceFactoryDep = {
   userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
-  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
-  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
 };
 
 export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
@@ -84,9 +78,6 @@ export const ldapConfigServiceFactory = ({
   orgBotDAL,
   groupDAL,
   groupProjectDAL,
-  accessApprovalRequestDAL,
-  secretApprovalPolicyDAL,
-  secretApprovalRequestDAL,
   projectKeyDAL,
   projectDAL,
   projectBotDAL,
@@ -533,10 +524,7 @@ export const ldapConfigServiceFactory = ({
               group,
               userIds: [newUser.id],
               userDAL,
-              secretApprovalRequestDAL,
-              accessApprovalRequestDAL,
               userGroupMembershipDAL,
-              secretApprovalPolicyDAL,
               groupProjectDAL,
               projectKeyDAL,
               tx

backend/src/ee/services/license/license-service.ts

@@ -121,8 +121,8 @@ export const licenseServiceFactory = ({
 
         if (isValidOfflineLicense) {
           onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPremOffline;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPremOffline}`);
+          instanceType = InstanceType.EnterpriseOnPrem;
+          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
           isValidLicense = true;
           return;
         }

backend/src/ee/services/license/license-types.ts

@@ -3,7 +3,6 @@ import { TOrgPermission } from "@app/lib/types";
 export enum InstanceType {
   OnPrem = "self-hosted",
   EnterpriseOnPrem = "enterprise-self-hosted",
-  EnterpriseOnPremOffline = "enterprise-self-hosted-offline",
   Cloud = "cloud"
 }
 

backend/src/ee/services/permission/permission-dal.ts

@@ -62,11 +62,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
           `${TableName.GroupProjectMembership}.id`
         )
-        .leftJoin(
-          TableName.GroupProjectUserAdditionalPrivilege,
-          `${TableName.GroupProjectUserAdditionalPrivilege}.groupProjectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
         .leftJoin(
           TableName.ProjectRoles,
           `${TableName.GroupProjectMembershipRole}.customRoleId`,
@@ -82,34 +77,11 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("projectId").withSchema(TableName.GroupProjectMembership),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
           db.ref("orgId").withSchema(TableName.Project),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles)
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug")
         )
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .select(
-          db.ref("projectId").withSchema(TableName.GroupProjectMembership).as("groupMembershipProjectId"),
-          db.ref("id").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApId"),
-          db.ref("permissions").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApPermissions"),
-          db.ref("temporaryMode").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApIsTemporary"),
-          db.ref("temporaryRange").withSchema(TableName.GroupProjectUserAdditionalPrivilege).as("userApTemporaryRange"),
-          db.ref("groupProjectMembershipId").withSchema(TableName.GroupProjectUserAdditionalPrivilege),
-          db
-            .ref("requestedByUserId")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("userApRequestedByUserId"),
+        .select("permissions");
 
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectUserAdditionalPrivilege)
-            .as("userApTemporaryAccessEndTime")
-        );
-
-      const projectMemberDocs = await db(TableName.ProjectMembership)
+      const docs = await db(TableName.ProjectMembership)
         .join(
           TableName.ProjectUserMembershipRole,
           `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
@@ -155,7 +127,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         );
 
       const permission = sqlNestRelationships({
-        data: projectMemberDocs,
+        data: docs,
         key: "projectId",
         parentMapper: ({ orgId, orgAuthEnforced, membershipId, membershipCreatedAt, membershipUpdatedAt }) => ({
           orgId,
@@ -222,33 +194,6 @@ export const permissionDALFactory = (db: TDbClient) => {
                     permissions: z.unknown(),
                     customRoleSlug: z.string().optional().nullable()
                   }).parse(data)
-              },
-              {
-                key: "userApId",
-                label: "additionalPrivileges" as const,
-                mapper: ({
-                  groupMembershipProjectId,
-                  groupProjectMembershipId,
-                  userApId,
-                  userApPermissions,
-                  userApRequestedByUserId,
-                  userApIsTemporary,
-                  userApTemporaryMode,
-                  userApTemporaryRange,
-                  userApTemporaryAccessEndTime,
-                  userApTemporaryAccessStartTime
-                }) => ({
-                  groupProjectMembershipId,
-                  groupMembershipProjectId,
-                  id: userApId,
-                  userId: userApRequestedByUserId,
-                  permissions: userApPermissions,
-                  temporaryRange: userApTemporaryRange,
-                  temporaryMode: userApTemporaryMode,
-                  temporaryAccessEndTime: userApTemporaryAccessEndTime,
-                  temporaryAccessStartTime: userApTemporaryAccessStartTime,
-                  isTemporary: userApIsTemporary
-                })
               }
             ]
           })
@@ -269,24 +214,15 @@ export const permissionDALFactory = (db: TDbClient) => {
             !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
         ) ?? [];
 
-      const activeAdditionalPrivileges =
-        permission?.[0]?.additionalPrivileges?.filter(
-          ({ isTemporary, temporaryAccessEndTime }) =>
-            !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-        ) ?? [];
-      const activeGroupAdditionalPrivileges =
-        groupPermission?.[0]?.additionalPrivileges?.filter(
-          ({ isTemporary, temporaryAccessEndTime, groupProjectMembershipId, groupMembershipProjectId, userId: user }) =>
-            groupMembershipProjectId === projectId &&
-            !!groupProjectMembershipId &&
-            user === userId &&
-            (!isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime))
-        ) ?? [];
+      const activeAdditionalPrivileges = permission?.[0]?.additionalPrivileges?.filter(
+        ({ isTemporary, temporaryAccessEndTime }) =>
+          !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+      );
 
       return {
         ...(permission[0] || groupPermission[0]),
         roles: [...activeRoles, ...activeGroupRoles],
-        additionalPrivileges: [...activeAdditionalPrivileges, ...activeGroupAdditionalPrivileges]
+        additionalPrivileges: activeAdditionalPrivileges
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "GetProjectPermission" });

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -90,10 +90,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
 
-    // This is fine. This service is only used for direct user privileges, not group-based privileges
-    if (!userPrivilege.projectMembershipId)
-      throw new BadRequestError({ message: "Operation not supported for groups" });
-
     const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
     if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
 
@@ -142,10 +138,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
 
-    // This is fine. This service is only used for direct user privileges, not group-based privileges
-    if (!userPrivilege.projectMembershipId)
-      throw new BadRequestError({ message: "Operation not supported for groups" });
-
     const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
     if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
 
@@ -172,10 +164,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     const userPrivilege = await projectUserAdditionalPrivilegeDAL.findById(privilegeId);
     if (!userPrivilege) throw new BadRequestError({ message: "User additional privilege not found" });
 
-    // This is fine. This service is only used for direct user privileges, not group-based privileges
-    if (!userPrivilege.projectMembershipId)
-      throw new BadRequestError({ message: "Operation not supported for groups" });
-
     const projectMembership = await projectMembershipDAL.findById(userPrivilege.projectMembershipId);
     if (!projectMembership) throw new BadRequestError({ message: "Project membership not found" });
 

backend/src/ee/services/scim/scim-service.ts

@@ -22,12 +22,9 @@ import { TProjectMembershipDALFactory } from "@app/services/project-membership/p
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
-import { TAccessApprovalRequestDALFactory } from "../access-approval-request/access-approval-request-dal";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TSecretApprovalPolicyDALFactory } from "../secret-approval-policy/secret-approval-policy-dal";
-import { TSecretApprovalRequestDALFactory } from "../secret-approval-request/secret-approval-request-dal";
 import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList } from "./scim-fns";
 import {
   TCreateScimGroupDTO,
@@ -67,9 +64,6 @@ type TScimServiceFactoryDep = {
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
-  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
   smtpService: TSmtpService;
 };
 
@@ -87,9 +81,6 @@ export const scimServiceFactory = ({
   userGroupMembershipDAL,
   projectKeyDAL,
   projectBotDAL,
-  accessApprovalRequestDAL,
-  secretApprovalRequestDAL,
-  secretApprovalPolicyDAL,
   permissionService,
   smtpService
 }: TScimServiceFactoryDep) => {
@@ -719,9 +710,6 @@ export const scimServiceFactory = ({
             userIds: toRemoveUserIds,
             userDAL,
             userGroupMembershipDAL,
-            secretApprovalPolicyDAL,
-            accessApprovalRequestDAL,
-            secretApprovalRequestDAL,
             groupProjectDAL,
             projectKeyDAL,
             tx

backend/src/ee/services/secret-approval-policy/secret-approval-policy-dal.ts

@@ -20,7 +20,7 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalPolicy}.id`,
         `${TableName.SecretApprovalPolicyApprover}.policyId`
       )
-      .select(tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover))
+      .select(tx.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover))
       .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
       .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
       .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
@@ -33,18 +33,18 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
       const doc = await sapFindQuery(tx || db, {
         [`${TableName.SecretApprovalPolicy}.id` as "id"]: id
       });
-      const formattedDoc = mergeOneToManyRelation(
+      const formatedDoc = mergeOneToManyRelation(
         doc,
         "id",
-        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
           ...el,
           envId,
           environment: { id: envId, name, slug }
         }),
-        ({ approverUserId }) => approverUserId,
+        ({ approverId }) => approverId,
         "approvers"
       );
-      return formattedDoc?.[0];
+      return formatedDoc?.[0];
     } catch (error) {
       throw new DatabaseError({ error, name: "FindById" });
     }
@@ -53,31 +53,22 @@ export const secretApprovalPolicyDALFactory = (db: TDbClient) => {
   const find = async (filter: TFindFilter<TSecretApprovalPolicies & { projectId: string }>, tx?: Knex) => {
     try {
       const docs = await sapFindQuery(tx || db, filter);
-      const formattedDoc = mergeOneToManyRelation(
+      const formatedDoc = mergeOneToManyRelation(
         docs,
         "id",
-        ({ approverUserId, envId, envName: name, envSlug: slug, ...el }) => ({
+        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
           ...el,
           envId,
           environment: { id: envId, name, slug }
         }),
-        ({ approverUserId }) => approverUserId,
+        ({ approverId }) => approverId,
         "approvers"
       );
-      return formattedDoc;
+      return formatedDoc;
     } catch (error) {
       throw new DatabaseError({ error, name: "Find" });
     }
   };
 
-  const findByProjectIds = async (projectIds: string[], tx?: Knex) => {
-    const policies = await (tx || db)(TableName.SecretApprovalPolicy)
-      .join(TableName.Environment, `${TableName.SecretApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .whereIn(`${TableName.Environment}.projectId`, projectIds)
-      .select(selectAllTableCols(TableName.SecretApprovalPolicy));
-
-    return policies;
-  };
-
-  return { ...secretApprovalPolicyOrm, findById, find, findByProjectIds };
+  return { ...secretApprovalPolicyOrm, findById, find };
 };

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -7,7 +7,6 @@ import { BadRequestError } from "@app/lib/errors";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TSecretApprovalPolicyApproverDALFactory } from "./secret-approval-policy-approver-dal";
 import { TSecretApprovalPolicyDALFactory } from "./secret-approval-policy-dal";
@@ -30,7 +29,6 @@ type TSecretApprovalPolicyServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   secretApprovalPolicyApproverDAL: TSecretApprovalPolicyApproverDALFactory;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
-  userDAL: Pick<TUserDALFactory, "findUsersByProjectId" | "findUserByProjectId">;
 };
 
 export type TSecretApprovalPolicyServiceFactory = ReturnType<typeof secretApprovalPolicyServiceFactory>;
@@ -40,7 +38,7 @@ export const secretApprovalPolicyServiceFactory = ({
   permissionService,
   secretApprovalPolicyApproverDAL,
   projectEnvDAL,
-  userDAL
+  projectMembershipDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
   const createSecretApprovalPolicy = async ({
     name,
@@ -71,12 +69,11 @@ export const secretApprovalPolicyServiceFactory = ({
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
     if (!env) throw new BadRequestError({ message: "Environment not found" });
 
-    const secretApproverUsers = await userDAL.findUsersByProjectId(
+    const secretApprovers = await projectMembershipDAL.find({
       projectId,
-      approvers.map((approverUserId) => approverUserId)
-    );
-
-    if (secretApproverUsers.length !== approvers.length)
+      $in: { id: approvers }
+    });
+    if (secretApprovers.length !== approvers.length)
       throw new BadRequestError({ message: "Approver not found in project" });
 
     const secretApproval = await secretApprovalPolicyDAL.transaction(async (tx) => {
@@ -90,8 +87,8 @@ export const secretApprovalPolicyServiceFactory = ({
         tx
       );
       await secretApprovalPolicyApproverDAL.insertMany(
-        secretApproverUsers.map(({ id }) => ({
-          approverUserId: id,
+        secretApprovers.map(({ id }) => ({
+          approverId: id,
           policyId: doc.id
         })),
         tx
@@ -135,19 +132,21 @@ export const secretApprovalPolicyServiceFactory = ({
         tx
       );
       if (approvers) {
-        const secretApproverUsers = await userDAL.findUsersByProjectId(
-          secretApprovalPolicy.projectId,
-          approvers.map((approverUserId) => approverUserId)
+        const secretApprovers = await projectMembershipDAL.find(
+          {
+            projectId: secretApprovalPolicy.projectId,
+            $in: { id: approvers }
+          },
+          { tx }
         );
-
-        if (secretApproverUsers.length !== approvers.length)
+        if (secretApprovers.length !== approvers.length)
           throw new BadRequestError({ message: "Approver not found in project" });
-        if (doc.approvals > secretApproverUsers.length)
+        if (doc.approvals > secretApprovers.length)
           throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
         await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
         await secretApprovalPolicyApproverDAL.insertMany(
-          secretApproverUsers.map((user) => ({
-            approverUserId: user.id,
+          secretApprovers.map(({ id }) => ({
+            approverId: id,
             policyId: doc.id
           })),
           tx

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -16,7 +16,7 @@ export type TSecretApprovalRequestDALFactory = ReturnType<typeof secretApprovalR
 
 type TFindQueryFilter = {
   projectId: string;
-  actorId: string;
+  membershipId: string;
   status?: RequestState;
   environment?: string;
   committer?: string;
@@ -49,7 +49,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
       )
       .select(selectAllTableCols(TableName.SecretApprovalRequest))
       .select(
-        tx.ref("memberUserId").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
+        tx.ref("member").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
         tx.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
         tx.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"),
         tx.ref("name").withSchema(TableName.SecretApprovalPolicy).as("policyName"),
@@ -57,14 +57,14 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-        tx.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover)
+        tx.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover)
       );
 
   const findById = async (id: string, tx?: Knex) => {
     try {
       const sql = findQuery({ [`${TableName.SecretApprovalRequest}.id` as "id"]: id }, tx || db);
       const docs = await sql;
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: docs,
         key: "id",
         parentMapper: (el) => ({
@@ -84,20 +84,20 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             label: "reviewers" as const,
             mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
           },
-          { key: "approverUserId", label: "approvers" as const, mapper: ({ approverUserId }) => approverUserId }
+          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
         ]
       });
-      if (!formattedDoc?.[0]) return;
+      if (!formatedDoc?.[0]) return;
       return {
-        ...formattedDoc[0],
-        policy: { ...formattedDoc[0].policy, approvers: formattedDoc[0].approvers }
+        ...formatedDoc[0],
+        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "FindByIdSAR" });
     }
   };
 
-  const findProjectRequestCount = async (projectId: string, approverUserId: string, tx?: Knex) => {
+  const findProjectRequestCount = async (projectId: string, membershipId: string, tx?: Knex) => {
     try {
       const docs = await (tx || db)
         .with(
@@ -110,12 +110,12 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
               `${TableName.SecretApprovalRequest}.policyId`,
               `${TableName.SecretApprovalPolicyApprover}.policyId`
             )
-            .where({ [`${TableName.Environment}.projectId` as "projectId"]: projectId })
+            .where({ projectId })
             .andWhere(
               (bd) =>
                 void bd
-                  .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, approverUserId)
-                  .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, approverUserId)
+                  .where(`${TableName.SecretApprovalPolicyApprover}.approverId`, membershipId)
+                  .orWhere(`${TableName.SecretApprovalRequest}.committerId`, membershipId)
             )
             .select("status", `${TableName.SecretApprovalRequest}.id`)
             .groupBy(`${TableName.SecretApprovalRequest}.id`, "status")
@@ -142,7 +142,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
   };
 
   const findByProjectId = async (
-    { status, limit = 20, offset = 0, projectId, committer, environment, actorId }: TFindQueryFilter,
+    { status, limit = 20, offset = 0, projectId, committer, environment, membershipId }: TFindQueryFilter,
     tx?: Knex
   ) => {
     try {
@@ -173,21 +173,21 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         )
         .where(
           stripUndefinedInWhere({
-            [`${TableName.Environment}.projectId`]: projectId,
+            projectId,
             [`${TableName.Environment}.slug` as "slug"]: environment,
             [`${TableName.SecretApprovalRequest}.status`]: status,
-            committerUserId: committer
+            committerId: committer
           })
         )
         .andWhere(
           (bd) =>
             void bd
-              .where(`${TableName.SecretApprovalPolicyApprover}.approverUserId`, actorId)
-              .orWhere(`${TableName.SecretApprovalRequest}.committerUserId`, actorId)
+              .where(`${TableName.SecretApprovalPolicyApprover}.approverId`, membershipId)
+              .orWhere(`${TableName.SecretApprovalRequest}.committerId`, membershipId)
         )
         .select(selectAllTableCols(TableName.SecretApprovalRequest))
         .select(
-          db.ref("projectId").withSchema(TableName.Environment).as("envProjectId"),
+          db.ref("projectId").withSchema(TableName.Environment),
           db.ref("slug").withSchema(TableName.Environment).as("environment"),
           db.ref("id").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerMemberId"),
           db.ref("status").withSchema(TableName.SecretApprovalRequestReviewer).as("reviewerStatus"),
@@ -201,7 +201,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
-          db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover)
+          db.ref("approverId").withSchema(TableName.SecretApprovalPolicyApprover)
         )
         .orderBy("createdAt", "desc");
 
@@ -217,7 +217,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         parentMapper: (el) => ({
           ...SecretApprovalRequestsSchema.parse(el),
           environment: el.environment,
-          projectId: el.envProjectId,
+          projectId: el.projectId,
           policy: {
             id: el.policyId,
             name: el.policyName,
@@ -232,9 +232,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             mapper: ({ reviewerMemberId: member, reviewerStatus: s }) => (member ? { member, status: s } : undefined)
           },
           {
-            key: "approverUserId",
+            key: "approverId",
             label: "approvers" as const,
-            mapper: ({ approverUserId }) => approverUserId
+            mapper: ({ approverId }) => approverId
           },
           {
             key: "commitId",

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -113,7 +113,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           db.ref("secretCommentTag").withSchema(TableName.SecretVersion).as("secVerCommentTag"),
           db.ref("secretCommentCiphertext").withSchema(TableName.SecretVersion).as("secVerCommentCiphertext")
         );
-      const formattedDoc = sqlNestRelationships({
+      const formatedDoc = sqlNestRelationships({
         data: doc,
         key: "id",
         parentMapper: (data) => SecretApprovalRequestsSecretsSchema.omit({ secretVersion: true }).parse(data),
@@ -212,7 +212,7 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           }
         ]
       });
-      return formattedDoc?.map(({ secret, secretVersion, ...el }) => ({
+      return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
         ...el,
         secret: secret?.[0],
         secretVersion: secretVersion?.[0]

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -85,7 +85,7 @@ export const secretApprovalRequestServiceFactory = ({
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission(
+    const { membership } = await permissionService.getProjectPermission(
       actor as ActorType.USER,
       actorId,
       projectId,
@@ -93,7 +93,7 @@ export const secretApprovalRequestServiceFactory = ({
       actorOrgId
     );
 
-    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
+    const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, membership.id);
     return count;
   };
 
@@ -111,14 +111,19 @@ export const secretApprovalRequestServiceFactory = ({
   }: TListApprovalsDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
-
+    const { membership } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId
+    );
     const approvals = await secretApprovalRequestDAL.findByProjectId({
       projectId,
       committer,
       environment,
       status,
-      actorId,
+      membershipId: membership.id,
       limit,
       offset
     });
@@ -138,7 +143,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
 
     const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
       secretApprovalRequest.projectId,
@@ -147,8 +152,8 @@ export const secretApprovalRequestServiceFactory = ({
     );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerUserId !== actorId &&
-      !policy.approvers.find((approverUserId) => approverUserId === actorId)
+      secretApprovalRequest.committerId !== membership.id &&
+      !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
       throw new UnauthorizedError({ message: "User has no access" });
     }
@@ -173,7 +178,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       ActorType.USER,
       actorId,
       secretApprovalRequest.projectId,
@@ -182,8 +187,8 @@ export const secretApprovalRequestServiceFactory = ({
     );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerUserId !== actorId &&
-      !policy.approvers.find((approverUserId) => approverUserId === actorId)
+      secretApprovalRequest.committerId !== membership.id &&
+      !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
       throw new UnauthorizedError({ message: "User has no access" });
     }
@@ -191,7 +196,7 @@ export const secretApprovalRequestServiceFactory = ({
       const review = await secretApprovalRequestReviewerDAL.findOne(
         {
           requestId: secretApprovalRequest.id,
-          memberUserId: actorId
+          member: membership.id
         },
         tx
       );
@@ -200,7 +205,7 @@ export const secretApprovalRequestServiceFactory = ({
           {
             status,
             requestId: secretApprovalRequest.id,
-            memberUserId: actorId
+            member: membership.id
           },
           tx
         );
@@ -223,7 +228,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       ActorType.USER,
       actorId,
       secretApprovalRequest.projectId,
@@ -232,8 +237,8 @@ export const secretApprovalRequestServiceFactory = ({
     );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerUserId !== actorId &&
-      !policy.approvers.find((approverUserId) => approverUserId === actorId)
+      secretApprovalRequest.committerId !== membership.id &&
+      !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
       throw new UnauthorizedError({ message: "User has no access" });
     }
@@ -246,9 +251,8 @@ export const secretApprovalRequestServiceFactory = ({
 
     const updatedRequest = await secretApprovalRequestDAL.updateById(secretApprovalRequest.id, {
       status,
-      statusChangeByUserId: actorId
+      statusChangeBy: membership.id
     });
-
     return { ...secretApprovalRequest, ...updatedRequest };
   };
 
@@ -264,7 +268,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor !== ActorType.USER) throw new BadRequestError({ message: "Must be a user" });
 
     const { policy, folderId, projectId } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission(
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       ActorType.USER,
       actorId,
       projectId,
@@ -274,8 +278,8 @@ export const secretApprovalRequestServiceFactory = ({
 
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
-      secretApprovalRequest.committerUserId !== actorId &&
-      !policy.approvers.find((approverUserId) => approverUserId === actorId)
+      secretApprovalRequest.committerId !== membership.id &&
+      !policy.approvers.find((approverId) => approverId === membership.id)
     ) {
       throw new UnauthorizedError({ message: "User has no access" });
     }
@@ -286,7 +290,7 @@ export const secretApprovalRequestServiceFactory = ({
     const hasMinApproval =
       secretApprovalRequest.policy.approvals <=
       secretApprovalRequest.policy.approvers.filter(
-        (approverUserId) => reviewers[approverUserId.toString()] === ApprovalStatus.APPROVED
+        (approverId) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
       ).length;
 
     if (!hasMinApproval) throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
@@ -441,7 +445,7 @@ export const secretApprovalRequestServiceFactory = ({
           conflicts: JSON.stringify(conflicts),
           hasMerged: true,
           status: RequestState.Closed,
-          statusChangeByUserId: actorId
+          statusChangeBy: membership.id
         },
         tx
       );
@@ -476,7 +480,7 @@ export const secretApprovalRequestServiceFactory = ({
   }: TGenerateSecretApprovalRequestDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    const { permission } = await permissionService.getProjectPermission(
+    const { permission, membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
@@ -630,7 +634,7 @@ export const secretApprovalRequestServiceFactory = ({
           policyId: policy.id,
           status: "open",
           hasMerged: false,
-          committerUserId: actorId
+          committerId: membership.id
         },
         tx
       );

backend/src/lib/api-docs/constants.ts

@@ -272,6 +272,7 @@ export const SECRETS = {
 
 export const RAW_SECRETS = {
   LIST: {
+    expand: "Whether or not to expand secret references",
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
@@ -467,9 +468,18 @@ export const IDENTITY_ADDITIONAL_PRIVILEGE = {
     identityId: "The ID of the identity to delete.",
     slug: "The slug of the privilege to create.",
     permissions: `The permission object for the privilege.
-1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
-2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
-2. [["read", "secrets", {environment: "dev"}]]
+- Read secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"]}
+\`\`\`
+- Read and Write secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
+\`\`\`
+- Read secrets scoped to an environment and secret path
+\`\`\`
+- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
+\`\`\`
 `,
     isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
@@ -483,11 +493,19 @@ export const IDENTITY_ADDITIONAL_PRIVILEGE = {
     slug: "The slug of the privilege to update.",
     newSlug: "The new slug of the privilege to update.",
     permissions: `The permission object for the privilege.
-1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
-2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
-2. [["read", "secrets", {environment: "dev"}]]
+- Read secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"]}
+\`\`\`
+- Read and Write secrets
+\`\`\`
+{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
+\`\`\`
+- Read secrets scoped to an environment and secret path
+\`\`\`
+- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
+\`\`\`
 `,
-    isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
     temporaryMode: "Type of temporary access given. Types: relative",
     temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",

backend/src/server/plugins/auth/inject-identity.ts

@@ -108,7 +108,6 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
     if (req.url.includes("/api/v3/auth/")) {
       return;
     }
-
     if (!authMode) return;
 
     switch (authMode) {

backend/src/server/routes/index.ts

@@ -2,12 +2,6 @@ import { Knex } from "knex";
 import { z } from "zod";
 
 import { registerV1EERoutes } from "@app/ee/routes/v1";
-import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
-import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
-import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
-import { accessApprovalRequestReviewerDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-reviewer-dal";
-import { accessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
@@ -22,7 +16,6 @@ import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secre
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
-import { groupProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/group-project-user-additional-privilege/group-project-user-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
@@ -212,14 +205,6 @@ export const registerRoutes = async (
   const scimDAL = scimDALFactory(db);
   const ldapConfigDAL = ldapConfigDALFactory(db);
   const ldapGroupMapDAL = ldapGroupMapDALFactory(db);
-
-  const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
-  const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
-  const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
-  const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
-
-  const groupProjectUserAdditionalPrivilegeDAL = groupProjectUserAdditionalPrivilegeDALFactory(db);
-
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -233,10 +218,10 @@ export const registerRoutes = async (
 
   const gitAppInstallSessionDAL = gitAppInstallSessionDALFactory(db);
   const gitAppOrgDAL = gitAppDALFactory(db);
-  const userGroupMembershipDAL = userGroupMembershipDALFactory(db);
-  const groupDAL = groupDALFactory(db, userGroupMembershipDAL);
+  const groupDAL = groupDALFactory(db);
   const groupProjectDAL = groupProjectDALFactory(db);
   const groupProjectMembershipRoleDAL = groupProjectMembershipRoleDALFactory(db);
+  const userGroupMembershipDAL = userGroupMembershipDALFactory(db);
   const secretScanningDAL = secretScanningDALFactory(db);
   const licenseDAL = licenseDALFactory(db);
   const dynamicSecretDAL = dynamicSecretDALFactory(db);
@@ -274,11 +259,9 @@ export const registerRoutes = async (
     projectMembershipDAL,
     projectEnvDAL,
     secretApprovalPolicyApproverDAL: sapApproverDAL,
-    userDAL,
     permissionService,
     secretApprovalPolicyDAL
   });
-
   const samlService = samlConfigServiceFactory({
     permissionService,
     orgBotDAL,
@@ -292,13 +275,10 @@ export const registerRoutes = async (
     groupDAL,
     groupProjectDAL,
     orgDAL,
-    secretApprovalPolicyDAL,
     userGroupMembershipDAL,
     projectDAL,
     projectBotDAL,
     projectKeyDAL,
-    secretApprovalRequestDAL,
-    accessApprovalRequestDAL,
     permissionService,
     licenseService
   });
@@ -306,10 +286,7 @@ export const registerRoutes = async (
     groupDAL,
     groupProjectDAL,
     groupProjectMembershipRoleDAL,
-    secretApprovalPolicyDAL,
-    secretApprovalRequestDAL,
     userGroupMembershipDAL,
-    accessApprovalRequestDAL,
     projectDAL,
     projectKeyDAL,
     projectBotDAL,
@@ -324,10 +301,7 @@ export const registerRoutes = async (
     projectDAL,
     projectMembershipDAL,
     groupDAL,
-    secretApprovalPolicyDAL,
     groupProjectDAL,
-    secretApprovalRequestDAL,
-    accessApprovalRequestDAL,
     userGroupMembershipDAL,
     projectKeyDAL,
     projectBotDAL,
@@ -340,10 +314,7 @@ export const registerRoutes = async (
     ldapGroupMapDAL,
     orgDAL,
     orgBotDAL,
-    secretApprovalPolicyDAL,
     groupDAL,
-    secretApprovalRequestDAL,
-    accessApprovalRequestDAL,
     groupProjectDAL,
     projectKeyDAL,
     projectDAL,
@@ -435,7 +406,6 @@ export const registerRoutes = async (
     projectUserMembershipRoleDAL,
     projectDAL,
     permissionService,
-    groupProjectDAL,
     projectBotDAL,
     orgDAL,
     userDAL,
@@ -610,31 +580,6 @@ export const registerRoutes = async (
     secretVersionTagDAL,
     secretQueueService
   });
-
-  const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
-    accessApprovalPolicyDAL,
-    accessApprovalPolicyApproverDAL,
-    permissionService,
-    projectEnvDAL,
-    userDAL,
-    projectDAL
-  });
-
-  const accessApprovalRequestService = accessApprovalRequestServiceFactory({
-    projectDAL,
-    permissionService,
-    accessApprovalRequestReviewerDAL,
-    additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
-    groupAdditionalPrivilegeDAL: groupProjectUserAdditionalPrivilegeDAL,
-    projectMembershipDAL,
-    accessApprovalPolicyDAL,
-    accessApprovalRequestDAL,
-    projectEnvDAL,
-    userDAL,
-    smtpService,
-    accessApprovalPolicyApproverDAL
-  });
-
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -771,8 +716,6 @@ export const registerRoutes = async (
     identityProject: identityProjectService,
     identityUa: identityUaService,
     secretApprovalPolicy: sapService,
-    accessApprovalPolicy: accessApprovalPolicyService,
-    accessApprovalRequest: accessApprovalRequestService,
     secretApprovalRequest: sarService,
     secretRotation: secretRotationService,
     dynamicSecret: dynamicSecretService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -2,10 +2,12 @@ import { z } from "zod";
 
 import {
   DynamicSecretsSchema,
+  IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
+import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -62,6 +64,35 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
+export const PermissionSchema = z.object({
+  action: z
+    .string()
+    .min(1)
+    .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
+  subject: z
+    .string()
+    .min(1)
+    .describe("The entity this permission pertains to. Possible options: secrets, environments"),
+  conditions: z
+    .object({
+      environment: z.string().describe("The environment slug this permission should allow.").optional(),
+      secretPath: z
+        .object({
+          $glob: z
+            .string()
+            .min(1)
+            .describe("The secret path this permission should allow. Can be a glob pattern such as /folder-name/*/** ")
+        })
+        .optional()
+    })
+    .describe("When specified, only matching conditions will be allowed to access given resource.")
+    .optional()
+});
+
+export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
+  permissions: UnpackedPermissionSchema.array()
+});
+
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,

backend/src/server/routes/v1/project-router.ts

@@ -68,16 +68,9 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         workspaceId: z.string().trim()
       }),
-      querystring: z.object({
-        includeGroupMembers: z
-          .enum(["true", "false"])
-          .default("false")
-          .transform((value) => value === "true")
-      }),
       response: {
         200: z.object({
           users: ProjectMembershipsSchema.extend({
-            isGroupMember: z.boolean(),
             user: UsersSchema.pick({
               email: true,
               username: true,
@@ -111,7 +104,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorId: req.permission.id,
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
-        includeGroupMembers: req.query.includeGroupMembers,
         projectId: req.params.workspaceId,
         actorOrgId: req.permission.orgId
       });

backend/src/server/routes/v3/secret-router.ts

@@ -166,6 +166,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         workspaceSlug: z.string().trim().optional().describe(RAW_SECRETS.LIST.workspaceSlug),
         environment: z.string().trim().optional().describe(RAW_SECRETS.LIST.environment),
         secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.LIST.secretPath),
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.LIST.expand),
         recursive: z
           .enum(["true", "false"])
           .default("false")
@@ -233,6 +238,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         actor: req.permission.type,
         actorOrgId: req.permission.orgId,
         environment,
+        expandSecretReferences: req.query.expandSecretReferences,
         actorAuthMethod: req.permission.authMethod,
         projectId: workspaceId,
         path: secretPath,
@@ -915,7 +921,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }
@@ -1099,7 +1105,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }
@@ -1230,13 +1236,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
               ]
             }
           });
+
           await server.services.auditLog.createAuditLog({
             projectId: req.body.workspaceId,
             ...req.auditLogInfo,
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }
@@ -1362,7 +1369,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }
@@ -1489,7 +1496,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }
@@ -1603,7 +1610,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             event: {
               type: EventType.SECRET_APPROVAL_REQUEST,
               metadata: {
-                committedByUser: approval.committerUserId,
+                committedBy: approval.committerId,
                 secretApprovalRequestId: approval.id,
                 secretApprovalRequestSlug: approval.slug
               }

backend/src/services/group-project/group-project-dal.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
-import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
 import { ormify, sqlNestRelationships } from "@app/lib/knex";
 
@@ -10,100 +10,6 @@ export type TGroupProjectDALFactory = ReturnType<typeof groupProjectDALFactory>;
 export const groupProjectDALFactory = (db: TDbClient) => {
   const groupProjectOrm = ormify(db, TableName.GroupProjectMembership);
 
-  // The GroupProjectMembership table has a reference to the project (projectId) AND the group (groupId).
-  // We need to join the GroupProjectMembership table with the Groups table to get the group name and slug.
-  // We also need to join the GroupProjectMembershipRole table to get the role of the group in the project.
-  const findAllProjectGroupMembers = async (projectId: string) => {
-    const docs = await db(TableName.UserGroupMembership)
-      // Join the GroupProjectMembership table with the Groups table to get the group name and slug.
-      .join(
-        TableName.GroupProjectMembership,
-        `${TableName.UserGroupMembership}.groupId`,
-        `${TableName.GroupProjectMembership}.groupId` // this gives us access to the project id in the group membership
-      )
-      .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-
-      .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
-      .join<TUserEncryptionKeys>(
-        TableName.UserEncryptionKey,
-        `${TableName.UserEncryptionKey}.userId`,
-        `${TableName.Users}.id`
-      )
-      .join(
-        TableName.GroupProjectMembershipRole,
-        `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-        `${TableName.GroupProjectMembership}.id`
-      )
-      .leftJoin(
-        TableName.ProjectRoles,
-        `${TableName.GroupProjectMembershipRole}.customRoleId`,
-        `${TableName.ProjectRoles}.id`
-      )
-      .select(
-        db.ref("id").withSchema(TableName.GroupProjectMembership),
-        db.ref("isGhost").withSchema(TableName.Users),
-        db.ref("username").withSchema(TableName.Users),
-        db.ref("email").withSchema(TableName.Users),
-        db.ref("publicKey").withSchema(TableName.UserEncryptionKey),
-        db.ref("firstName").withSchema(TableName.Users),
-        db.ref("lastName").withSchema(TableName.Users),
-        db.ref("id").withSchema(TableName.Users).as("userId"),
-        db.ref("role").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("membershipRoleId"),
-        db.ref("customRoleId").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("name").withSchema(TableName.ProjectRoles).as("customRoleName"),
-        db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-        db.ref("temporaryMode").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("isTemporary").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("temporaryRange").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("temporaryAccessStartTime").withSchema(TableName.GroupProjectMembershipRole),
-        db.ref("temporaryAccessEndTime").withSchema(TableName.GroupProjectMembershipRole)
-      )
-      .where({ isGhost: false });
-
-    const members = sqlNestRelationships({
-      data: docs,
-      parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId }) => ({
-        isGroupMember: true,
-        id,
-        userId,
-        projectId,
-        user: { email, username, firstName, lastName, id: userId, publicKey, isGhost }
-      }),
-      key: "id",
-      childrenMapper: [
-        {
-          label: "roles" as const,
-          key: "membershipRoleId",
-          mapper: ({
-            role,
-            customRoleId,
-            customRoleName,
-            customRoleSlug,
-            membershipRoleId,
-            temporaryRange,
-            temporaryMode,
-            temporaryAccessEndTime,
-            temporaryAccessStartTime,
-            isTemporary
-          }) => ({
-            id: membershipRoleId,
-            role,
-            customRoleId,
-            customRoleName,
-            customRoleSlug,
-            temporaryRange,
-            temporaryMode,
-            temporaryAccessEndTime,
-            temporaryAccessStartTime,
-            isTemporary
-          })
-        }
-      ]
-    });
-    return members;
-  };
-
   const findByProjectId = async (projectId: string, tx?: Knex) => {
     try {
       const docs = await (tx || db)(TableName.GroupProjectMembership)
@@ -189,5 +95,5 @@ export const groupProjectDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...groupProjectOrm, findByProjectId, findAllProjectGroupMembers };
+  return { ...groupProjectOrm, findByProjectId };
 };

backend/src/services/group-project/group-project-service.ts

@@ -2,11 +2,8 @@ import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
 import { ProjectMembershipRole, SecretKeyEncoding } from "@app/db/schemas";
-import { TAccessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { TSecretApprovalPolicyDALFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-dal";
-import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
@@ -42,9 +39,6 @@ type TGroupProjectServiceFactoryDep = {
   projectBotDAL: TProjectBotDALFactory;
   groupDAL: Pick<TGroupDALFactory, "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissionByRole">;
-  accessApprovalRequestDAL: Pick<TAccessApprovalRequestDALFactory, "delete">;
-  secretApprovalPolicyDAL: Pick<TSecretApprovalPolicyDALFactory, "findByProjectIds">;
-  secretApprovalRequestDAL: Pick<TSecretApprovalRequestDALFactory, "delete">;
 };
 
 export type TGroupProjectServiceFactory = ReturnType<typeof groupProjectServiceFactory>;
@@ -54,9 +48,6 @@ export const groupProjectServiceFactory = ({
   groupProjectDAL,
   groupProjectMembershipRoleDAL,
   userGroupMembershipDAL,
-  secretApprovalRequestDAL,
-  secretApprovalPolicyDAL,
-  accessApprovalRequestDAL,
   projectDAL,
   projectKeyDAL,
   projectBotDAL,
@@ -286,8 +277,7 @@ export const groupProjectServiceFactory = ({
     if (!group) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
 
     const groupProjectMembership = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
-    if (!groupProjectMembership.id)
-      throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
+    if (!groupProjectMembership) throw new BadRequestError({ message: `Failed to find group with slug ${groupSlug}` });
 
     const { permission } = await permissionService.getProjectPermission(
       actor,
@@ -299,34 +289,8 @@ export const groupProjectServiceFactory = ({
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
 
     const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
-      // This is group members that do not have individual access to the project (A.K.A members that don't have a normal project membership)
       const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
 
-      // Delete all access approvals by the group members
-
-      await accessApprovalRequestDAL.delete(
-        {
-          groupMembershipId: groupProjectMembership.id,
-          $in: {
-            requestedByUserId: groupMembers.map((member) => member.user.id)
-          }
-        },
-        tx
-      );
-
-      const secretApprovalPolicies = await secretApprovalPolicyDAL.findByProjectIds([project.id], tx);
-
-      // Delete any secret approvals by the group members
-      await secretApprovalRequestDAL.delete(
-        {
-          $in: {
-            policyId: secretApprovalPolicies.map((policy) => policy.id),
-            committerUserId: groupMembers.map((member) => member.user.id)
-          }
-        },
-        tx
-      );
-
       if (groupMembers.length) {
         await projectKeyDAL.delete(
           {

backend/src/services/project-membership/project-membership-dal.ts

@@ -1,74 +1,12 @@
-import { Knex } from "knex";
-import { Tables } from "knex/types/tables";
-
 import { TDbClient } from "@app/db";
 import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
+import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
 
 export type TProjectMembershipDALFactory = ReturnType<typeof projectMembershipDALFactory>;
 
 export const projectMembershipDALFactory = (db: TDbClient) => {
-  const projectMembershipOrm = ormify(db, TableName.ProjectMembership);
-  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
-  const secretApprovalRequestOrm = ormify(db, TableName.SecretApprovalRequest);
-
-  const deleteMany = async (filter: TFindFilter<Tables[TableName.ProjectMembership]["base"]>, tx?: Knex) => {
-    const handleDeletion = async (processedTx: Knex) => {
-      // Find all memberships
-      const memberships = await projectMembershipOrm.find(filter, {
-        tx: processedTx
-      });
-
-      // Delete all access approvals in this project from the users attached to these memberships
-      await accessApprovalRequestOrm.delete(
-        {
-          $in: {
-            projectMembershipId: memberships.map((membership) => membership.id)
-          }
-        },
-        processedTx
-      );
-
-      for await (const membership of memberships) {
-        const allPoliciesInProject = await (tx || db)(TableName.SecretApprovalRequest)
-          .join(TableName.SecretFolder, `${TableName.SecretApprovalRequest}.folderId`, `${TableName.SecretFolder}.id`)
-          .join(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
-          .join(
-            TableName.SecretApprovalPolicy,
-            `${TableName.SecretApprovalRequest}.policyId`,
-            `${TableName.SecretApprovalPolicy}.id`
-          )
-          .where({ [`${TableName.Environment}.projectId` as "projectId"]: membership.projectId })
-          .where({ [`${TableName.SecretApprovalRequest}.committerUserId` as "committerUserId"]: membership.userId })
-          .select(db.ref("id").withSchema(TableName.SecretApprovalPolicy).as("policyId"));
-
-        await secretApprovalRequestOrm.delete(
-          {
-            $in: {
-              policyId: allPoliciesInProject.map((policy) => policy.policyId)
-            },
-            committerUserId: membership.userId
-          },
-          processedTx
-        );
-        // Delete the actual project memberships
-        await projectMembershipOrm.delete(
-          {
-            id: membership.id
-          },
-          processedTx
-        );
-      }
-
-      return memberships;
-    };
-
-    if (tx) {
-      return handleDeletion(tx);
-    }
-    return db.transaction(handleDeletion);
-  };
+  const projectMemberOrm = ormify(db, TableName.ProjectMembership);
 
   // special query
   const findAllProjectMembers = async (projectId: string) => {
@@ -116,7 +54,6 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
       const members = sqlNestRelationships({
         data: docs,
         parentMapper: ({ email, firstName, username, lastName, publicKey, isGhost, id, userId }) => ({
-          isGroupMember: false,
           id,
           userId,
           projectId,
@@ -215,9 +152,8 @@ export const projectMembershipDALFactory = (db: TDbClient) => {
   };
 
   return {
-    ...projectMembershipOrm,
+    ...projectMemberOrm,
     findAllProjectMembers,
-    delete: deleteMany,
     findProjectGhostUser,
     findMembershipsByUsername,
     findProjectMembershipsByUserId

backend/src/services/project-membership/project-membership-service.ts

@@ -19,7 +19,6 @@ import { groupBy } from "@app/lib/fn";
 
 import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
 import { ActorType } from "../auth/auth-type";
-import { TGroupProjectDALFactory } from "../group-project/group-project-dal";
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
 import { assignWorkspaceKeysToMembers } from "../project/project-fns";
@@ -53,7 +52,6 @@ type TProjectMembershipServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findById" | "findProjectGhostUser" | "transaction">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "findLatestProjectKey" | "delete" | "insertMany">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  groupProjectDAL: TGroupProjectDALFactory;
 };
 
 export type TProjectMembershipServiceFactory = ReturnType<typeof projectMembershipServiceFactory>;
@@ -63,7 +61,6 @@ export const projectMembershipServiceFactory = ({
   projectMembershipDAL,
   projectUserMembershipRoleDAL,
   smtpService,
-  groupProjectDAL,
   projectRoleDAL,
   projectBotDAL,
   orgDAL,
@@ -77,7 +74,6 @@ export const projectMembershipServiceFactory = ({
     actorId,
     actor,
     actorOrgId,
-    includeGroupMembers,
     actorAuthMethod,
     projectId
   }: TGetProjectMembershipDTO) => {
@@ -90,20 +86,7 @@ export const projectMembershipServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
-    const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
-
-    if (includeGroupMembers) {
-      const groupMembers = await groupProjectDAL.findAllProjectGroupMembers(projectId);
-      const allMembers = [...projectMembers, ...groupMembers];
-
-      // Ensure the userId is unique
-      const membersIds = new Set(allMembers.map((entity) => entity.user.id));
-      const uniqueMembers = allMembers.filter((entity) => membersIds.has(entity.user.id));
-
-      return uniqueMembers;
-    }
-
-    return projectMembers;
+    return projectMembershipDAL.findAllProjectMembers(projectId);
   };
 
   const addUsersToProject = async ({

backend/src/services/project-membership/project-membership-types.ts

@@ -1,8 +1,6 @@
 import { TProjectPermission } from "@app/lib/types";
 
-export type TGetProjectMembershipDTO = {
-  includeGroupMembers?: boolean;
-} & TProjectPermission;
+export type TGetProjectMembershipDTO = TProjectPermission;
 export enum ProjectUserMembershipTemporaryMode {
   Relative = "relative"
 }

backend/src/services/secret/secret-service.ts

@@ -27,6 +27,7 @@ import {
   fnSecretBlindIndexCheck,
   fnSecretBulkInsert,
   fnSecretBulkUpdate,
+  interpolateSecrets,
   recursivelyGetSecretPaths
 } from "./secret-fns";
 import { TSecretQueueFactory } from "./secret-queue";
@@ -885,6 +886,7 @@ export const secretServiceFactory = ({
     actorAuthMethod,
     environment,
     includeImports,
+    expandSecretReferences,
     recursive
   }: TGetSecretsRawDTO) => {
     const botKey = await projectBotService.getBotKey(projectId);
@@ -902,17 +904,66 @@ export const secretServiceFactory = ({
       recursive
     });
 
-    return {
-      secrets: secrets.map((el) => decryptSecretRaw(el, botKey)),
-      imports: (imports || [])?.map(({ secrets: importedSecrets, ...el }) => ({
-        ...el,
-        secrets: importedSecrets.map((sec) =>
-          decryptSecretRaw(
-            { ...sec, environment: el.environment, workspace: projectId, secretPath: el.secretPath },
-            botKey
-          )
+    const decryptedSecrets = secrets.map((el) => decryptSecretRaw(el, botKey));
+    const decryptedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => ({
+      ...el,
+      secrets: importedSecrets.map((sec) =>
+        decryptSecretRaw(
+          { ...sec, environment: el.environment, workspace: projectId, secretPath: el.secretPath },
+          botKey
         )
-      }))
+      )
+    }));
+
+    if (expandSecretReferences) {
+      const expandSecrets = interpolateSecrets({
+        folderDAL,
+        projectId,
+        secretDAL,
+        secretEncKey: botKey
+      });
+
+      const batchSecretsExpand = async (
+        secretBatch: {
+          secretKey: string;
+          secretValue: string;
+          secretComment?: string;
+        }[]
+      ) => {
+        const secretRecord: Record<
+          string,
+          {
+            value: string;
+            comment?: string;
+            skipMultilineEncoding?: boolean;
+          }
+        > = {};
+
+        secretBatch.forEach((decryptedSecret) => {
+          secretRecord[decryptedSecret.secretKey] = {
+            value: decryptedSecret.secretValue,
+            comment: decryptedSecret.secretComment
+          };
+        });
+
+        await expandSecrets(secretRecord);
+
+        secretBatch.forEach((decryptedSecret, index) => {
+          // eslint-disable-next-line no-param-reassign
+          secretBatch[index].secretValue = secretRecord[decryptedSecret.secretKey].value;
+        });
+      };
+
+      // expand secrets
+      await batchSecretsExpand(decryptedSecrets);
+
+      // expand imports by batch
+      await Promise.all(decryptedImports.map((decryptedImport) => batchSecretsExpand(decryptedImport.secrets)));
+    }
+
+    return {
+      secrets: decryptedSecrets,
+      imports: decryptedImports
     };
   };
 

backend/src/services/secret/secret-types.ts

@@ -138,6 +138,7 @@ export type TDeleteBulkSecretDTO = {
 } & TProjectPermission;
 
 export type TGetSecretsRawDTO = {
+  expandSecretReferences?: boolean;
   path: string;
   environment: string;
   includeImports?: boolean;

backend/src/services/smtp/smtp-service.ts

@@ -20,7 +20,6 @@ export enum SmtpTemplates {
   EmailVerification = "emailVerification.handlebars",
   SecretReminder = "secretReminder.handlebars",
   EmailMfa = "emailMfa.handlebars",
-  AccessApprovalRequest = "accessApprovalRequest.handlebars",
   HistoricalSecretList = "historicalSecretLeakIncident.handlebars",
   NewDeviceJoin = "newDevice.handlebars",
   OrgInvite = "organizationInvitation.handlebars",

backend/src/services/smtp/templates/accessApprovalRequest.handlebars

@@ -1,50 +0,0 @@
-<html>
-
-  <head>
-    <meta charset="utf-8" />
-    <meta http-equiv="x-ua-compatible" content="ie=edge" />
-    <title>Access Approval Request</title>
-  </head>
-
-  <body>
-    <h2>Infisical</h2>
-    <h2>New access approval request pending your review</h2>
-    <p>You have a new access approval request pending review in project "{{projectName}}".</p>
-
-    <p>
-      {{requesterFullName}}
-      ({{requesterEmail}}) has requested
-      {{#if isTemporary}}
-        temporary
-      {{else}}
-        permanent
-      {{/if}}
-      access to
-      {{secretPath}}
-      in the
-      {{environment}}
-      environment.
-
-      {{#if isTemporary}}
-        <br />
-        This access will expire
-        {{expiresIn}}
-        after it has been approved.
-      {{/if}}
-    </p>
-    <p>
-      The following permissions are requested:
-      <ul>
-        {{#each permissions}}
-          <li>{{this}}</li>
-        {{/each}}
-      </ul>
-    </p>
-
-    <p>
-      View the request and approve or deny it
-      <a href="{{approvalUrl}}">here</a>.
-    </p>
-  </body>
-
-</html>

backend/src/services/user/user-dal.ts

@@ -10,7 +10,7 @@ import {
   TUserEncryptionKeysUpdate
 } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify } from "@app/lib/knex";
 
 export type TUserDALFactory = ReturnType<typeof userDALFactory>;
 
@@ -63,99 +63,6 @@ export const userDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUsersByProjectId = async (projectId: string, userIds: string[]) => {
-    try {
-      const projectMembershipQuery = await db(TableName.ProjectMembership)
-        .where({ projectId })
-        .whereIn("userId", userIds)
-        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
-        .select(selectAllTableCols(TableName.Users))
-        .select(db.ref("id").withSchema(TableName.ProjectMembership).as("projectMembershipId"));
-
-      const groupMembershipQuery = await db(TableName.UserGroupMembership)
-        .whereIn("userId", userIds)
-        .join(
-          TableName.GroupProjectMembership,
-          `${TableName.UserGroupMembership}.groupId`,
-          `${TableName.GroupProjectMembership}.groupId` // this gives us access to the project id in the group membership
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
-        .select(selectAllTableCols(TableName.Users))
-        .select(db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupProjectMembershipId"));
-
-      const projectMembershipUsers = projectMembershipQuery.map((user) => ({
-        ...user,
-        projectMembershipId: user.projectMembershipId,
-        userGroupMembershipId: null
-      }));
-
-      const groupMembershipUsers = groupMembershipQuery.map((user) => ({
-        ...user,
-        projectMembershipId: null,
-        groupProjectMembershipId: user.groupProjectMembershipId
-      }));
-
-      // return [...projectMembershipUsers, ...groupMembershipUsers];
-
-      // There may be duplicates in the results since a user can have both a project membership, and access through a group, so we need to filter out potential duplicates.
-      // We should prioritize project memberships over group memberships.
-      const memberships = [...projectMembershipUsers, ...groupMembershipUsers];
-
-      const uniqueMemberships = memberships.filter((user, index) => {
-        const firstIndex = memberships.findIndex((u) => u.id === user.id);
-        return firstIndex === index;
-      });
-
-      return uniqueMemberships;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find users by project id" });
-    }
-  };
-
-  // if its a group membership, it should have a isGroupMembership flag
-  const findUserByProjectId = async (projectId: string, userId: string) => {
-    try {
-      const projectMembership = await db(TableName.ProjectMembership)
-        .where({ projectId, userId })
-        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
-        .select(selectAllTableCols(TableName.Users))
-        .select(db.ref("id").withSchema(TableName.ProjectMembership).as("projectMembershipId"))
-        .first();
-
-      const groupProjectMembership = await db(TableName.UserGroupMembership)
-        .where({ userId })
-        .join(
-          TableName.GroupProjectMembership,
-          `${TableName.UserGroupMembership}.groupId`,
-          `${TableName.GroupProjectMembership}.groupId` // this gives us access to the project id in the group membership
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
-        .select(selectAllTableCols(TableName.Users))
-        .select(db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupProjectMembershipId"))
-        .first();
-
-      if (projectMembership) {
-        return {
-          ...projectMembership,
-          projectMembershipId: projectMembership.projectMembershipId,
-          groupProjectMembershipId: null
-        };
-      }
-
-      if (groupProjectMembership) {
-        return {
-          ...groupProjectMembership,
-          projectMembershipId: null,
-          groupProjectMembershipId: groupProjectMembership.groupProjectMembershipId
-        };
-      }
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find user by project id" });
-    }
-  };
-
   const findUserByProjectMembershipId = async (projectMembershipId: string) => {
     try {
       return await db(TableName.ProjectMembership)
@@ -167,17 +74,6 @@ export const userDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findUsersByProjectMembershipIds = async (projectMembershipIds: string[]) => {
-    try {
-      return await db(TableName.ProjectMembership)
-        .whereIn(`${TableName.ProjectMembership}.id`, projectMembershipIds)
-        .join(TableName.Users, `${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`)
-        .select("*");
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find users by project membership ids" });
-    }
-  };
-
   const createUserEncryption = async (data: TUserEncryptionKeysInsert, tx?: Knex) => {
     try {
       const [userEnc] = await (tx || db)(TableName.UserEncryptionKey).insert(data).returning("*");
@@ -239,14 +135,11 @@ export const userDALFactory = (db: TDbClient) => {
   return {
     ...userOrm,
     findUserByUsername,
-    findUsersByProjectId,
-    findUserByProjectId,
     findUserEncKeyByUsername,
     findUserEncKeyByUserIdsBatch,
     findUserEncKeyByUserId,
     updateUserEncryptionByUserId,
     findUserByProjectMembershipId,
-    findUsersByProjectMembershipIds,
     upsertUserEncryptionKey,
     createUserEncryption,
     findOneUserAction,

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -2,8 +2,7 @@
 title: "Docker Compose"
 description: "Read how to run Infisical with Docker Compose template."
 ---
-Install Infisical using Docker compose. This self hosting method contains all of the required components needed 
-to run a functional instance of Infisical.
+This self hosting guide will walk you though the steps to self host Infisical using Docker compose.
 
 ## Prerequisites
 - [Docker](https://docs.docker.com/engine/install/)
@@ -80,4 +79,4 @@ docker-compose -f docker-compose.prod.yml up
 
 Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.
 
-![self host sign up](/images/self-hosting/applicable-to-all/selfhost-signup.png)
+![self host sign up](/images/self-hosting/applicable-to-all/selfhost-signup.png)

frontend/package-lock.json

@@ -4,6 +4,7 @@
   "requires": true,
   "packages": {
     "": {
+      "name": "frontend",
       "dependencies": {
         "@casl/ability": "^6.5.0",
         "@casl/react": "^3.1.0",
@@ -12165,9 +12166,9 @@
       "dev": true
     },
     "node_modules/ejs": {
-      "version": "3.1.9",
-      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz",
-      "integrity": "sha512-rC+QVNMJWv+MtPgkt0y+0rVEIdbtxVADApW9JXrUVlzHetgcyczP/E7DJmWJ4fJCZF2cPcBk0laWO9ZHMG3DmQ==",
+      "version": "3.1.10",
+      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz",
+      "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==",
       "dev": true,
       "dependencies": {
         "jake": "^10.8.5"
@@ -22439,9 +22440,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "6.2.0",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.0.tgz",
-      "integrity": "sha512-/Wo7DcT0u5HUV486xg675HtjNd3BXZ6xDbzsCUZPt5iw8bTQ63bP0Raut3mvro9u+CUyq7YQd8Cx55fsZXxqLQ==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
+      "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
       "dev": true,
       "dependencies": {
         "chownr": "^2.0.0",

frontend/src/components/permissions/PermissionDeniedBanner.tsx

@@ -17,20 +17,23 @@ export const PermissionDeniedBanner = ({ containerClassName, className, children
         containerClassName
       )}
     >
-      <div className={twMerge("rounded-md bg-mineshaft-800 p-16 text-bunker-300", className)}>
-        <div className="flex items-end space-x-12">
-          <div>
-            <FontAwesomeIcon icon={faLock} size="6x" />
-          </div>
-          <div>
-            <div className="mb-2 text-4xl font-medium">Access Restricted</div>
-            {children || (
-              <div className="text-sm">
-                Your role has limited permissions, please <br /> contact your administrator to gain
-                access
-              </div>
-            )}
-          </div>
+      <div
+        className={twMerge(
+          "flex items-end space-x-12 rounded-md bg-mineshaft-800 p-16 text-bunker-300",
+          className
+        )}
+      >
+        <div>
+          <FontAwesomeIcon icon={faLock} size="6x" />
+        </div>
+        <div>
+          <div className="mb-2 text-4xl font-medium">Access Restricted</div>
+          {children || (
+            <div className="text-sm">
+              Your role has limited permissions, please <br /> contact your administrator to gain
+              access
+            </div>
+          )}
         </div>
       </div>
     </div>

frontend/src/components/v2/Badge/Badge.tsx

@@ -1,32 +0,0 @@
-import { cva, VariantProps } from "cva";
-import { twMerge } from "tailwind-merge";
-
-interface IProps {
-  children: React.ReactNode;
-  className?: string;
-}
-
-const badgeVariants = cva(
-  [
-    "inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-xs text-yellow opacity-80 hover:opacity-100"
-  ],
-  {
-    variants: {
-      variant: {
-        primary: "bg-yellow/20 text-yellow",
-        danger: "bg-red/20 text-red",
-        success: "bg-green/20 text-green"
-      }
-    }
-  }
-);
-
-export type BadgeProps = VariantProps<typeof badgeVariants> & IProps;
-
-export const Badge = ({ children, className, variant }: BadgeProps) => {
-  return (
-    <div className={twMerge(badgeVariants({ variant: variant || "primary" }), className)}>
-      {children}
-    </div>
-  );
-};

frontend/src/components/v2/Badge/index.tsx

@@ -1 +0,0 @@
-export { Badge } from "./Badge";

frontend/src/components/v2/Button/Button.tsx

@@ -29,7 +29,7 @@ const buttonVariants = cva(
       colorSchema: {
         primary: ["bg-primary", "text-black", "border-primary bg-opacity-90 hover:bg-opacity-100"],
         secondary: ["bg-mineshaft", "text-gray-300", "border-mineshaft hover:bg-opacity-80"],
-        danger: ["!bg-red", "!text-white", "!border-red hover:!bg-opacity-90"],
+        danger: ["bg-red", "text-white", "border-red hover:bg-opacity-90"],
         gray: ["bg-bunker-500", "text-bunker-200"]
       },
       variant: {

frontend/src/components/v2/Divider/Divider.tsx

@@ -1,13 +0,0 @@
-import { twMerge } from "tailwind-merge";
-
-interface IProps {
-  className?: string;
-}
-
-export const Divider = ({ className }: IProps): JSX.Element => {
-  return (
-    <div className={twMerge("flex items-center px-2 opacity-50", className)}>
-      <div aria-hidden="true" className="h-5 w-full grow border border-t border-mineshaft-200" />
-    </div>
-  );
-};

frontend/src/components/v2/Divider/index.tsx

@@ -1 +0,0 @@
-export { Divider } from "./Divider";

frontend/src/components/v2/SecretPathInput/SecretPathInput.tsx

@@ -46,14 +46,6 @@ export const SecretPathInput = ({
     setInputValue(propValue ?? "/");
   }, [propValue]);
 
-  useEffect(() => {
-    if (environment) {
-      setInputValue("/");
-      setSecretPath("/");
-      onChange?.("/");
-    }
-  }, [environment]);
-
   useEffect(() => {
     // update secret path if input is valid
     if (
@@ -158,9 +150,8 @@ export const SecretPathInput = ({
               key={`secret-reference-secret-${i + 1}`}
             >
               <div
-                className={`${
-                  highlightedIndex === i ? "bg-gray-600" : ""
-                } text-md relative mb-0.5 flex w-full cursor-pointer select-none items-center justify-between rounded-md px-2 py-1 outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-500`}
+                className={`${highlightedIndex === i ? "bg-gray-600" : ""
+                  } text-md relative mb-0.5 flex w-full cursor-pointer select-none items-center justify-between rounded-md px-2 py-1 outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-500`}
               >
                 <div className="flex gap-2">
                   <div className="flex items-center text-yellow-700">

frontend/src/components/v2/Select/Select.tsx

@@ -41,22 +41,18 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
           ref={ref}
           className={twMerge(
             `inline-flex items-center justify-between rounded-md
-            bg-mineshaft-900 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none focus:bg-mineshaft-700/80 data-[placeholder]:text-mineshaft-200`,
-            className,
-            isDisabled && "cursor-not-allowed opacity-50"
+            bg-mineshaft-900 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none data-[placeholder]:text-mineshaft-200 focus:bg-mineshaft-700/80`,
+            className
           )}
         >
           <SelectPrimitive.Value placeholder={placeholder}>
             {props.icon ? <FontAwesomeIcon icon={props.icon} /> : placeholder}
           </SelectPrimitive.Value>
-
-          <SelectPrimitive.Icon className="ml-3">
-            <FontAwesomeIcon
-              icon={faCaretDown}
-              size="sm"
-              className={twMerge(isDisabled && "opacity-30")}
-            />
-          </SelectPrimitive.Icon>
+          {!isDisabled && (
+            <SelectPrimitive.Icon className="ml-3">
+              <FontAwesomeIcon icon={faCaretDown} size="sm" />
+            </SelectPrimitive.Icon>
+          )}
         </SelectPrimitive.Trigger>
         <SelectPrimitive.Portal>
           <SelectPrimitive.Content

frontend/src/hooks/api/accessApproval/index.tsx

@@ -1,14 +0,0 @@
-export {
-  useCreateAccessApprovalPolicy,
-  useCreateAccessRequest,
-  useDeleteAccessApprovalPolicy,
-  useDeleteAccessApprovalRequest,
-  useReviewAccessRequest,
-  useUpdateAccessApprovalPolicy
-} from "./mutation";
-export {
-  useGetAccessApprovalPolicies,
-  useGetAccessApprovalRequests,
-  useGetAccessPolicyApprovalCount,
-  useGetAccessRequestsCount
-} from "./queries";

frontend/src/hooks/api/accessApproval/mutation.tsx

@@ -1,142 +0,0 @@
-import { packRules } from "@casl/ability/extra";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-
-import { apiRequest } from "@app/config/request";
-
-import { accessApprovalKeys } from "./queries";
-import {
-  TAccessApproval,
-  TCreateAccessPolicyDTO,
-  TCreateAccessRequestDTO,
-  TDeleteSecretPolicyDTO,
-  TUpdateAccessPolicyDTO
-} from "./types";
-
-export const useCreateAccessApprovalPolicy = () => {
-  const queryClient = useQueryClient();
-
-  return useMutation<{}, {}, TCreateAccessPolicyDTO>({
-    mutationFn: async ({ environment, projectSlug, approvals, approvers, name, secretPath }) => {
-      const { data } = await apiRequest.post("/api/v1/access-approvals/policies", {
-        environment,
-        projectSlug,
-        approvals,
-        approvers,
-        secretPath,
-        name
-      });
-      return data;
-    },
-    onSuccess: (_, { projectSlug }) => {
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalPolicies(projectSlug));
-    }
-  });
-};
-
-export const useUpdateAccessApprovalPolicy = () => {
-  const queryClient = useQueryClient();
-
-  return useMutation<{}, {}, TUpdateAccessPolicyDTO>({
-    mutationFn: async ({ id, approvers, approvals, name, secretPath }) => {
-      const { data } = await apiRequest.patch(`/api/v1/access-approvals/policies/${id}`, {
-        approvals,
-        approvers,
-        secretPath,
-        name
-      });
-      return data;
-    },
-    onSuccess: (_, { projectSlug }) => {
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalPolicies(projectSlug));
-    }
-  });
-};
-
-export const useDeleteAccessApprovalPolicy = () => {
-  const queryClient = useQueryClient();
-
-  return useMutation<{}, {}, TDeleteSecretPolicyDTO>({
-    mutationFn: async ({ id }) => {
-      const { data } = await apiRequest.delete(`/api/v1/access-approvals/policies/${id}`);
-      return data;
-    },
-    onSuccess: (_, { projectSlug }) => {
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalPolicies(projectSlug));
-    }
-  });
-};
-
-export const useDeleteAccessApprovalRequest = () => {
-  const queryClient = useQueryClient();
-
-  return useMutation<{}, {}, { requestId: string; projectSlug: string }>({
-    mutationFn: async ({ requestId, projectSlug }) => {
-      const { data } = await apiRequest.delete(`/api/v1/access-approvals/requests/${requestId}`, {
-        params: {
-          projectSlug
-        }
-      });
-      return data;
-    },
-    onSuccess: (_, { projectSlug }) => {
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalRequests(projectSlug));
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalRequestCount(projectSlug));
-    }
-  });
-};
-
-export const useCreateAccessRequest = () => {
-  const queryClient = useQueryClient();
-  return useMutation<{}, {}, TCreateAccessRequestDTO>({
-    mutationFn: async ({ projectSlug, ...request }) => {
-      const { data } = await apiRequest.post<TAccessApproval>(
-        "/api/v1/access-approvals/requests",
-        {
-          ...request,
-          permissions: request.permissions ? packRules(request.permissions) : undefined
-        },
-        {
-          params: {
-            projectSlug
-          }
-        }
-      );
-
-      return data;
-    },
-    onSuccess: (_, { projectSlug }) => {
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalRequestCount(projectSlug));
-    }
-  });
-};
-
-export const useReviewAccessRequest = () => {
-  const queryClient = useQueryClient();
-  return useMutation<
-    {},
-    {},
-    {
-      requestId: string;
-      status: "approved" | "rejected";
-      projectSlug: string;
-      envSlug?: string;
-      requestedBy?: string;
-    }
-  >({
-    mutationFn: async ({ requestId, status }) => {
-      const { data } = await apiRequest.post(
-        `/api/v1/access-approvals/requests/${requestId}/review`,
-        {
-          status
-        }
-      );
-      return data;
-    },
-    onSuccess: (_, { projectSlug, envSlug, requestedBy }) => {
-      queryClient.invalidateQueries(
-        accessApprovalKeys.getAccessApprovalRequests(projectSlug, envSlug, requestedBy)
-      );
-      queryClient.invalidateQueries(accessApprovalKeys.getAccessApprovalRequestCount(projectSlug));
-    }
-  });
-};

frontend/src/hooks/api/accessApproval/queries.tsx

@@ -1,155 +0,0 @@
-import { PackRule, unpackRules } from "@casl/ability/extra";
-import { useQuery, UseQueryOptions } from "@tanstack/react-query";
-
-import { apiRequest } from "@app/config/request";
-
-import { TProjectPermission } from "../roles/types";
-import {
-  TAccessApprovalPolicy,
-  TAccessApprovalRequest,
-  TAccessRequestCount,
-  TGetAccessApprovalRequestsDTO,
-  TGetAccessPolicyApprovalCountDTO
-} from "./types";
-
-export const accessApprovalKeys = {
-  getAccessApprovalPolicies: (projectSlug: string) =>
-    [{ projectSlug }, "access-approval-policies"] as const,
-  getAccessApprovalPolicyOfABoard: (workspaceId: string, environment: string) =>
-    [{ workspaceId, environment }, "access-approval-policy"] as const,
-
-  getAccessApprovalRequests: (projectSlug: string, envSlug?: string, requestedBy?: string) =>
-    [{ projectSlug, envSlug, requestedBy }, "access-approvals-requests"] as const,
-  getAccessApprovalRequestCount: (projectSlug: string) =>
-    [{ projectSlug }, "access-approval-request-count"] as const
-};
-
-export const fetchPolicyApprovalCount = async ({
-  projectSlug,
-  envSlug
-}: TGetAccessPolicyApprovalCountDTO) => {
-  const { data } = await apiRequest.get<{ count: number }>(
-    "/api/v1/access-approvals/policies/count",
-    {
-      params: { projectSlug, envSlug }
-    }
-  );
-  return data.count;
-};
-
-export const useGetAccessPolicyApprovalCount = ({
-  projectSlug,
-  envSlug,
-  options = {}
-}: TGetAccessPolicyApprovalCountDTO & {
-  options?: UseQueryOptions<
-    number,
-    unknown,
-    number,
-    ReturnType<typeof accessApprovalKeys.getAccessApprovalPolicies>
-  >;
-}) =>
-  useQuery({
-    queryFn: () => fetchPolicyApprovalCount({ projectSlug, envSlug }),
-    ...options,
-    enabled: Boolean(projectSlug) && (options?.enabled ?? true)
-  });
-
-const fetchApprovalPolicies = async ({ projectSlug }: TGetAccessApprovalRequestsDTO) => {
-  const { data } = await apiRequest.get<{ approvals: TAccessApprovalPolicy[] }>(
-    "/api/v1/access-approvals/policies",
-    { params: { projectSlug } }
-  );
-  return data.approvals;
-};
-
-const fetchApprovalRequests = async ({
-  projectSlug,
-  envSlug,
-  authorUserId
-}: TGetAccessApprovalRequestsDTO) => {
-  const { data } = await apiRequest.get<{ requests: TAccessApprovalRequest[] }>(
-    "/api/v1/access-approvals/requests",
-    { params: { projectSlug, envSlug, authorUserId } }
-  );
-
-  return data.requests.map((request) => ({
-    ...request,
-
-    privilege: request.privilege
-      ? {
-          ...request.privilege,
-          permissions: unpackRules(
-            request.privilege.permissions as unknown as PackRule<TProjectPermission>[]
-          )
-        }
-      : null,
-    permissions: unpackRules(request.permissions as unknown as PackRule<TProjectPermission>[])
-  }));
-};
-
-const fetchAccessRequestsCount = async (projectSlug: string) => {
-  const { data } = await apiRequest.get<TAccessRequestCount>(
-    "/api/v1/access-approvals/requests/count",
-    { params: { projectSlug } }
-  );
-  return data;
-};
-
-export const useGetAccessRequestsCount = ({
-  projectSlug,
-  options = {}
-}: TGetAccessApprovalRequestsDTO & {
-  options?: UseQueryOptions<
-    TAccessRequestCount,
-    unknown,
-    { pendingCount: number; finalizedCount: number },
-    ReturnType<typeof accessApprovalKeys.getAccessApprovalRequestCount>
-  >;
-}) =>
-  useQuery({
-    queryKey: accessApprovalKeys.getAccessApprovalRequestCount(projectSlug),
-    queryFn: () => fetchAccessRequestsCount(projectSlug),
-    ...options,
-    enabled: Boolean(projectSlug) && (options?.enabled ?? true)
-  });
-
-export const useGetAccessApprovalPolicies = ({
-  projectSlug,
-  envSlug,
-  authorUserId,
-  options = {}
-}: TGetAccessApprovalRequestsDTO & {
-  options?: UseQueryOptions<
-    TAccessApprovalPolicy[],
-    unknown,
-    TAccessApprovalPolicy[],
-    ReturnType<typeof accessApprovalKeys.getAccessApprovalPolicies>
-  >;
-}) =>
-  useQuery({
-    queryKey: accessApprovalKeys.getAccessApprovalPolicies(projectSlug),
-    queryFn: () => fetchApprovalPolicies({ projectSlug, envSlug, authorUserId }),
-    ...options,
-    enabled: Boolean(projectSlug) && (options?.enabled ?? true)
-  });
-
-export const useGetAccessApprovalRequests = ({
-  projectSlug,
-  envSlug,
-  authorUserId,
-  options = {}
-}: TGetAccessApprovalRequestsDTO & {
-  options?: UseQueryOptions<
-    TAccessApprovalRequest[],
-    unknown,
-    TAccessApprovalRequest[],
-    ReturnType<typeof accessApprovalKeys.getAccessApprovalRequests>
-  >;
-}) =>
-  useQuery({
-    queryKey: accessApprovalKeys.getAccessApprovalRequests(projectSlug, envSlug, authorUserId),
-    queryFn: () => fetchApprovalRequests({ projectSlug, envSlug, authorUserId }),
-    ...options,
-    enabled: Boolean(projectSlug) && (options?.enabled ?? true)
-  });

frontend/src/hooks/api/accessApproval/types.ts

@@ -1,142 +0,0 @@
-import { TProjectPermission } from "../roles/types";
-import { WorkspaceEnv } from "../workspace/types";
-
-export type TAccessApprovalPolicy = {
-  id: string;
-  name: string;
-  approvals: number;
-  secretPath: string;
-  envId: string;
-  workspace: string;
-  environment: WorkspaceEnv;
-  projectId: string;
-  approvers: string[];
-};
-
-export type TAccessApprovalRequest = {
-  id: string;
-  policyId: string;
-  privilegeId: string | null;
-  requestedByUserId: string;
-  groupMembershipId: string | null;
-  projectMembershipId: string | null;
-  createdAt: Date;
-  updatedAt: Date;
-  isTemporary: boolean;
-  temporaryRange: string | null | undefined;
-
-  permissions: TProjectPermission[] | null;
-
-  // Computed
-  environmentName: string;
-  isApproved: boolean;
-
-  privilege: {
-    groupMembershipId: string | null;
-    projectMembershipId: string | null;
-    isTemporary: boolean;
-    temporaryMode?: string | null;
-    temporaryRange?: string | null;
-    temporaryAccessStartTime?: Date | null;
-    temporaryAccessEndTime?: Date | null;
-    permissions: TProjectPermission[];
-    isApproved: boolean;
-  } | null;
-
-  policy: {
-    id: string;
-    name: string;
-    approvals: number;
-    approvers: string[];
-    secretPath?: string | null;
-    envId: string;
-  };
-
-  reviewers: {
-    member: string;
-    status: string;
-  }[];
-};
-
-export type TAccessApproval = {
-  id: string;
-  policyId: string;
-  privilegeId: string;
-  requestedBy: string;
-};
-
-export type TAccessRequestCount = {
-  pendingCount: number;
-  finalizedCount: number;
-};
-
-export type TProjectUserPrivilege = {
-  projectMembershipId: string;
-  slug: string;
-  id: string;
-  createdAt: Date;
-  updatedAt: Date;
-  permissions?: TProjectPermission[];
-} & (
-  | {
-      isTemporary: true;
-      temporaryMode: string;
-      temporaryRange: string;
-      temporaryAccessStartTime: string;
-      temporaryAccessEndTime?: string;
-    }
-  | {
-      isTemporary: false;
-      temporaryMode?: null;
-      temporaryRange?: null;
-      temporaryAccessStartTime?: null;
-      temporaryAccessEndTime?: null;
-    }
-);
-
-export type TCreateAccessRequestDTO = {
-  projectSlug: string;
-} & Omit<TProjectUserPrivilege, "id" | "createdAt" | "updatedAt" | "slug" | "projectMembershipId">;
-
-export type TGetAccessApprovalRequestsDTO = {
-  projectSlug: string;
-  envSlug?: string;
-  authorUserId?: string;
-};
-
-export type TGetAccessPolicyApprovalCountDTO = {
-  projectSlug: string;
-  envSlug: string;
-};
-
-export type TGetSecretApprovalPolicyOfBoardDTO = {
-  workspaceId: string;
-  environment: string;
-  secretPath: string;
-};
-
-export type TCreateAccessPolicyDTO = {
-  projectSlug: string;
-  name?: string;
-  environment: string;
-  approvers?: string[];
-  approvals?: number;
-  secretPath?: string;
-};
-
-export type TUpdateAccessPolicyDTO = {
-  id: string;
-  name?: string;
-  approvers?: string[];
-  secretPath?: string;
-  environment?: string;
-  approvals?: number;
-  // for invalidating list
-  projectSlug: string;
-};
-
-export type TDeleteSecretPolicyDTO = {
-  id: string;
-  // for invalidating list
-  projectSlug: string;
-};

frontend/src/hooks/api/auditLogs/constants.tsx

@@ -26,7 +26,7 @@ export const eventToNameMap: { [K in EventType]: string } = {
   [EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET]: "Create universal auth client secret",
   [EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET]: "Revoke universal auth client secret",
   [EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS]: "Get universal auth client secrets",
-  [EventType.SECRET_APPROVAL_REQUEST_CREATED]: "Secret approval request created",
+  [EventType.GET_IDENTITY_UNIVERSAL_AUTH]: "Get universal auth",
   [EventType.CREATE_ENVIRONMENT]: "Create environment",
   [EventType.UPDATE_ENVIRONMENT]: "Update environment",
   [EventType.DELETE_ENVIRONMENT]: "Delete environment",

frontend/src/hooks/api/auditLogs/enums.tsx

@@ -56,6 +56,5 @@ export enum EventType {
   UPDATE_SECRET_IMPORT = "update-secret-import",
   DELETE_SECRET_IMPORT = "delete-secret-import",
   UPDATE_USER_WORKSPACE_ROLE = "update-user-workspace-role",
-  UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions",
-  SECRET_APPROVAL_REQUEST_CREATED = "secret-approval-request"
+  UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS = "update-user-workspace-denied-permissions"
 }

frontend/src/hooks/api/auditLogs/types.tsx

@@ -42,16 +42,6 @@ interface GetSecretsEvent {
   };
 }
 
-interface SecretApprovalRequestCreatedEvent {
-  type: EventType.SECRET_APPROVAL_REQUEST_CREATED;
-  metadata: {
-    secretApprovalRequestId: string;
-    secretApprovalRequestSlug: string;
-    committedByUser?: string;
-    committedBy?: undefined;
-  };
-}
-
 interface GetSecretEvent {
   type: EventType.GET_SECRET;
   metadata: {
@@ -475,7 +465,6 @@ interface UpdateUserDeniedPermissions {
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
-  | SecretApprovalRequestCreatedEvent
   | CreateSecretEvent
   | UpdateSecretEvent
   | DeleteSecretEvent

frontend/src/hooks/api/identityProjectAdditionalPrivilege/queries.tsx

@@ -1,9 +1,7 @@
-import { PackRule, unpackRules } from "@casl/ability/extra";
 import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-import { TProjectPermission } from "../roles/types";
 import {
   TGetIdentityProejctPrivilegeDetails as TGetIdentityProjectPrivilegeDetails,
   TIdentityProjectPrivilege,
@@ -36,17 +34,14 @@ export const useGetIdentityProjectPrivilegeDetails = ({
       const {
         data: { privilege }
       } = await apiRequest.get<{
-        privilege: Omit<TIdentityProjectPrivilege, "permissions"> & { permissions: unknown };
+        privilege: TIdentityProjectPrivilege;
       }>(`/api/v1/additional-privilege/identity/${privilegeSlug}`, {
         params: {
           identityId,
           projectSlug
         }
       });
-      return {
-        ...privilege,
-        permissions: unpackRules(privilege.permissions as PackRule<TProjectPermission>[])
-      };
+      return privilege;
     }
   });
 };
@@ -62,16 +57,11 @@ export const useListIdentityProjectPrivileges = ({
       const {
         data: { privileges }
       } = await apiRequest.get<{
-        privileges: Array<
-          Omit<TIdentityProjectPrivilege, "permissions"> & { permissions: unknown }
-        >;
+        privileges: Array<TIdentityProjectPrivilege>;
       }>("/api/v1/additional-privilege/identity", {
-        params: { identityId, projectSlug, unpacked: false }
+        params: { identityId, projectSlug }
       });
-      return privileges.map((el) => ({
-        ...el,
-        permissions: unpackRules(el.permissions as PackRule<TProjectPermission>[])
-      }));
+      return privileges;
     }
   });
 };

frontend/src/hooks/api/index.tsx

@@ -1,4 +1,3 @@
-export * from "./accessApproval";
 export * from "./admin";
 export * from "./apiKeys";
 export * from "./auditLogs";

frontend/src/hooks/api/roles/types.ts

@@ -41,7 +41,7 @@ export type TPermission = {
 export type TProjectPermission = {
   conditions?: Record<string, any>;
   action: string;
-  subject: [string];
+  subject: string | string[];
 };
 
 export type TGetUserOrgPermissionsDTO = {

frontend/src/hooks/api/secretApprovalRequest/types.ts

@@ -46,7 +46,7 @@ export type TSecretApprovalRequest<J extends unknown = EncryptedSecret> = {
   id: string;
   slug: string;
   createdAt: string;
-  committerUserId: string;
+  committerId: string;
   reviewers: {
     member: string;
     status: ApprovalStatus;
@@ -58,7 +58,7 @@ export type TSecretApprovalRequest<J extends unknown = EncryptedSecret> = {
   hasMerged: boolean;
   status: "open" | "close";
   policy: TSecretApprovalPolicy;
-  statusChangeByUserId: string;
+  statusChangeBy: string;
   conflicts: Array<{ secretId: string; op: CommitType.UPDATE }>;
   commits: ({
     // if there is no secret means it was creation

frontend/src/hooks/api/types.ts

@@ -1,6 +1,5 @@
 import { ZodIssue } from "zod";
 
-export type { TAccessApprovalPolicy } from "./accessApproval/types";
 export type { TAuditLogStream } from "./auditLogStreams/types";
 export type { GetAuthTokenAPI } from "./auth/types";
 export type { IncidentContact } from "./incidentContacts/types";
@@ -50,13 +49,13 @@ export enum ApiErrorTypes {
 
 export type TApiErrors =
   | {
-      error: ApiErrorTypes.ValidationError;
-      message: ZodIssue[];
-      statusCode: 403;
-    }
+    error: ApiErrorTypes.ValidationError;
+    message: ZodIssue[];
+    statusCode: 403;
+  }
   | { error: ApiErrorTypes.ForbiddenError; message: string; statusCode: 401 }
   | {
-      statusCode: 400;
-      message: string;
-      error: ApiErrorTypes.BadRequestError;
-    };
+    statusCode: 400;
+    message: string;
+    error: ApiErrorTypes.BadRequestError;
+  };

frontend/src/hooks/api/users/types.ts

@@ -75,7 +75,6 @@ export type TWorkspaceUser = {
     id: string;
     publicKey: string;
   };
-  isGroupMember?: boolean;
   inviteEmail: string;
   organization: string;
   roles: (

frontend/src/hooks/api/workspace/queries.tsx

@@ -307,19 +307,14 @@ export const useDeleteWsEnvironment = () => {
   });
 };
 
-export const useGetWorkspaceUsers = (workspaceId: string, includeGroupMembers?: boolean) => {
+export const useGetWorkspaceUsers = (workspaceId: string) => {
   return useQuery({
     queryKey: workspaceKeys.getWorkspaceUsers(workspaceId),
     queryFn: async () => {
       const {
         data: { users }
       } = await apiRequest.get<{ users: TWorkspaceUser[] }>(
-        `/api/v1/workspace/${workspaceId}/users`,
-        {
-          params: {
-            includeGroupMembers
-          }
-        }
+        `/api/v1/workspace/${workspaceId}/users`
       );
       return users;
     },

frontend/src/layouts/AppLayout/AppLayout.tsx

@@ -5,7 +5,7 @@
 /* eslint-disable no-var */
 /* eslint-disable func-names */
 
-import { useEffect, useMemo } from "react";
+import { useEffect } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { useTranslation } from "react-i18next";
 import Image from "next/image";
@@ -64,7 +64,6 @@ import {
   fetchOrgUsers,
   useAddUserToWsNonE2EE,
   useCreateWorkspace,
-  useGetAccessRequestsCount,
   useGetOrgTrialUrl,
   useGetSecretApprovalRequestCount,
   useGetUserAction,
@@ -116,7 +115,7 @@ type TAddProjectFormData = yup.InferType<typeof formSchema>;
 
 export const AppLayout = ({ children }: LayoutProps) => {
   const router = useRouter();
-
+  
   const { mutateAsync } = useGetOrgTrialUrl();
 
   const { workspaces, currentWorkspace } = useWorkspace();
@@ -125,15 +124,9 @@ export const AppLayout = ({ children }: LayoutProps) => {
   const { user } = useUser();
   const { subscription } = useSubscription();
   const workspaceId = currentWorkspace?.id || "";
-  const projectSlug = currentWorkspace?.slug || "";
   const { data: updateClosed } = useGetUserAction("december_update_closed");
 
   const { data: secretApprovalReqCount } = useGetSecretApprovalRequestCount({ workspaceId });
-  const { data: accessApprovalRequestCount } = useGetAccessRequestsCount({ projectSlug });
-
-  const pendingRequestsCount = useMemo(() => {
-    return (secretApprovalReqCount?.open || 0) + (accessApprovalRequestCount?.pendingCount || 0);
-  }, [secretApprovalReqCount, accessApprovalRequestCount]);
 
   const isAddingProjectsAllowed = subscription?.workspaceLimit
     ? subscription.workspacesUsed < subscription.workspaceLimit
@@ -561,13 +554,10 @@ export const AppLayout = ({ children }: LayoutProps) => {
                             }
                             icon="system-outline-189-domain-verification"
                           >
-                            Approvals
-                            {Boolean(
-                              secretApprovalReqCount?.open ||
-                                accessApprovalRequestCount?.pendingCount
-                            ) && (
+                            Secret Approvals
+                            {Boolean(secretApprovalReqCount?.open) && (
                               <span className="ml-2 rounded border border-primary-400 bg-primary-600 py-0.5 px-1 text-xs font-semibold text-black">
-                                {pendingRequestsCount}
+                                {secretApprovalReqCount?.open}
                               </span>
                             )}
                           </MenuItem>

frontend/src/lib/fn/debounce.ts

@@ -0,0 +1,15 @@
+export const debounce = <F extends (...args: any[]) => any>(
+  func: F,
+  delay: number
+): ((...args: Parameters<F>) => void) => {
+  let timeoutId: ReturnType<typeof setTimeout> | null;
+  return function debounced(...args: Parameters<F>) {
+    if (timeoutId) {
+      clearTimeout(timeoutId);
+    }
+    timeoutId = setTimeout(() => {
+      func(...args);
+      timeoutId = null;
+    }, delay);
+  };
+};

frontend/src/pages/login/select-organization.tsx

@@ -35,6 +35,8 @@ export default function LoginPage() {
   const selectOrg = useSelectOrganization();
   const { user, isLoading: userLoading } = useUser();
 
+  
+
   const queryParams = new URLSearchParams(window.location.search);
 
   const logout = useLogoutUser(true);
@@ -151,7 +153,7 @@ export default function LoginPage() {
 
             <div className="space-y-1">
               <p className="text-md text-center text-gray-500">
-                You&lsquo;re currently logged in as <strong>{user.username}</strong>
+                You&lsquo;re currently logged in as <strong>{user.email}</strong>
               </p>
               <p className="text-md text-center text-gray-500">
                 Not you?{" "}

frontend/src/pages/project/[id]/secrets/v2/[env].tsx

@@ -1,27 +0,0 @@
-import { useTranslation } from "react-i18next";
-import Head from "next/head";
-
-import { SecretMainPage } from "@app/views/SecretMainPage";
-
-const Dashboard = () => {
-  const { t } = useTranslation();
-
-  return (
-    <>
-      <Head>
-        <title>{t("common.head-title", { title: t("dashboard.title") })}</title>
-        <link rel="icon" href="/infisical.ico" />
-        <meta property="og:image" content="/images/message.png" />
-        <meta property="og:title" content={String(t("dashboard.og-title"))} />
-        <meta name="og:description" content={String(t("dashboard.og-description"))} />
-      </Head>
-      <div className="h-full">
-        <SecretMainPage />
-      </div>
-    </>
-  );
-};
-
-export default Dashboard;
-
-Dashboard.requireAuth = true;

frontend/src/views/Project/AuditLogsPage/components/LogsTableRow.tsx

@@ -38,13 +38,6 @@ export const LogsTableRow = ({ auditLog }: Props) => {
 
   const renderMetadata = (event: Event) => {
     switch (event.type) {
-      case EventType.SECRET_APPROVAL_REQUEST_CREATED:
-        return (
-          <Td>
-            <p>{`Request ID: ${event.metadata.secretApprovalRequestId}`}</p>
-            <p>{`Request slug: ${event.metadata.secretApprovalRequestSlug}`}</p>
-          </Td>
-        );
       case EventType.GET_SECRETS:
         return (
           <Td>

frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx

@@ -142,7 +142,7 @@ const SpecificPrivilegeSecretForm = ({
             .filter(({ allowed }) => allowed)
             .map(({ action }) => ({
               action,
-              subject: [ProjectPermissionSub.Secrets],
+              subject: ProjectPermissionSub.Secrets,
               conditions
             }))
         },
@@ -477,7 +477,7 @@ export const SpecificPrivilegeSection = ({ identityId }: Props) => {
         permissions: [
           {
             action: ProjectPermissionActions.Read,
-            subject: [ProjectPermissionSub.Secrets],
+            subject: ProjectPermissionSub.Secrets,
             conditions: {
               environment: currentWorkspace?.environments?.[0].slug
             }
@@ -512,6 +512,7 @@ export const SpecificPrivilegeSection = ({ identityId }: Props) => {
           ?.filter(({ permissions }) =>
             permissions?.[0]?.subject?.includes(ProjectPermissionSub.Secrets)
           )
+          .sort((a, b) => a.id.localeCompare(b.id))
           ?.map((privilege) => (
             <SpecificPrivilegeSecretForm
               privilege={privilege as TProjectUserPrivilege}

frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx

@@ -1,11 +1,9 @@
-import { useMemo } from "react";
 import { Controller, useForm } from "react-hook-form";
 import {
   faArrowRotateLeft,
   faCaretDown,
   faCheck,
   faClock,
-  faLockOpen,
   faPlus,
   faTrash
 } from "@fortawesome/free-solid-svg-icons";
@@ -46,13 +44,11 @@ import {
 import { usePopUp } from "@app/hooks";
 import {
   TProjectUserPrivilege,
-  useCreateAccessRequest,
   useCreateProjectUserAdditionalPrivilege,
   useDeleteProjectUserAdditionalPrivilege,
   useListProjectUserPrivileges,
   useUpdateProjectUserAdditionalPrivilege
 } from "@app/hooks/api";
-import { TAccessApprovalPolicy } from "@app/hooks/api/types";
 
 const secretPermissionSchema = z.object({
   secretPath: z.string().optional(),
@@ -74,105 +70,51 @@ const secretPermissionSchema = z.object({
   ])
 });
 type TSecretPermissionForm = z.infer<typeof secretPermissionSchema>;
-export const SpecificPrivilegeSecretForm = ({
-  privilege,
-  policies,
-  onClose
-}: {
-  privilege?: TProjectUserPrivilege;
-  policies?: TAccessApprovalPolicy[];
-  onClose?: () => void;
-}) => {
+const SpecificPrivilegeSecretForm = ({ privilege }: { privilege: TProjectUserPrivilege }) => {
   const { currentWorkspace } = useWorkspace();
-
   const { popUp, handlePopUpOpen, handlePopUpToggle, handlePopUpClose } = usePopUp([
-    "deletePrivilege",
-    "requestAccess"
+    "deletePrivilege"
   ] as const);
   const { permission } = useProjectPermission();
-  const isMemberEditDisabled =
-    permission.cannot(ProjectPermissionActions.Edit, ProjectPermissionSub.Member) && !!privilege;
+  const isMemberEditDisabled = permission.cannot(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.Member
+  );
 
   const updateUserPrivilege = useUpdateProjectUserAdditionalPrivilege();
   const deleteUserPrivilege = useDeleteProjectUserAdditionalPrivilege();
-  const requestAccess = useCreateAccessRequest();
 
   const privilegeForm = useForm<TSecretPermissionForm>({
     resolver: zodResolver(secretPermissionSchema),
     values: {
-      ...(privilege
-        ? {
-            environmentSlug: privilege.permissions?.[0]?.conditions?.environment,
-            // secret path will be inside $glob operator
-            secretPath: privilege.permissions?.[0]?.conditions?.secretPath?.$glob || "",
-            read: privilege.permissions?.some(({ action }) =>
-              action.includes(ProjectPermissionActions.Read)
-            ),
-            edit: privilege.permissions?.some(({ action }) =>
-              action.includes(ProjectPermissionActions.Edit)
-            ),
-            create: privilege.permissions?.some(({ action }) =>
-              action.includes(ProjectPermissionActions.Create)
-            ),
-            delete: privilege.permissions?.some(({ action }) =>
-              action.includes(ProjectPermissionActions.Delete)
-            ),
-            // zod will pick it
-            temporaryAccess: privilege
-          }
-        : {
-            environmentSlug: currentWorkspace?.environments?.[0].slug!,
-            read: false,
-            edit: false,
-            create: false,
-            delete: false,
-            temporaryAccess: {
-              isTemporary: false
-            }
-          })
+      environmentSlug: privilege.permissions?.[0]?.conditions?.environment,
+      // secret path will be inside $glob operator
+      secretPath: privilege.permissions?.[0]?.conditions?.secretPath?.$glob || "",
+      read: privilege.permissions?.some(({ action }) =>
+        action.includes(ProjectPermissionActions.Read)
+      ),
+      edit: privilege.permissions?.some(({ action }) =>
+        action.includes(ProjectPermissionActions.Edit)
+      ),
+      create: privilege.permissions?.some(({ action }) =>
+        action.includes(ProjectPermissionActions.Create)
+      ),
+      delete: privilege.permissions?.some(({ action }) =>
+        action.includes(ProjectPermissionActions.Delete)
+      ),
+      // zod will pick it
+      temporaryAccess: privilege
     }
   });
 
   const temporaryAccessField = privilegeForm.watch("temporaryAccess");
-  const selectedEnvironment = privilegeForm.watch("environmentSlug");
-  const secretPath = privilegeForm.watch("secretPath");
-
-  const readAccess = privilegeForm.watch("read");
-  const createAccess = privilegeForm.watch("create");
-  const editAccess = privilegeForm.watch("edit");
-  const deleteAccess = privilegeForm.watch("delete");
-
-  const accessSelected = readAccess || createAccess || editAccess || deleteAccess;
-
-  const selectablePaths = useMemo(() => {
-    if (!policies) return [];
-    const environmentPolicies = policies.filter(
-      (policy) => policy.environment.slug === selectedEnvironment
-    );
-
-    privilegeForm.setValue("secretPath", "", {
-      shouldValidate: true
-    });
-
-    return [...environmentPolicies.map((policy) => policy.secretPath)];
-  }, [policies, selectedEnvironment]);
-
+  const selectedEnvironmentSlug = privilegeForm.watch("environmentSlug");
   const isTemporary = temporaryAccessField?.isTemporary;
   const isExpired =
     temporaryAccessField.isTemporary &&
     new Date() > new Date(temporaryAccessField.temporaryAccessEndTime || "");
 
   const handleUpdatePrivilege = async (data: TSecretPermissionForm) => {
-    if (!privilege) {
-      createNotification({
-        type: "error",
-        text: "No privilege to update found.",
-        title: "Error"
-      });
-
-      return;
-    }
-
     if (updateUserPrivilege.isLoading) return;
     try {
       const actions = [
@@ -210,15 +152,6 @@ export const SpecificPrivilegeSecretForm = ({
   };
 
   const handleDeletePrivilege = async () => {
-    if (!privilege) {
-      createNotification({
-        type: "error",
-        text: "No privilege to delete found.",
-        title: "Error"
-      });
-      return;
-    }
-
     if (deleteUserPrivilege.isLoading) return;
     try {
       await deleteUserPrivilege.mutateAsync({
@@ -237,100 +170,35 @@ export const SpecificPrivilegeSecretForm = ({
     }
   };
 
-  // This is used for requesting access additional privileges, not directly creating a privilege!
-  const handleRequestAccess = async (data: TSecretPermissionForm) => {
-    if (!policies) return;
-    if (!currentWorkspace) {
-      createNotification({
-        type: "error",
-        text: "No workspace found.",
-        title: "Error"
-      });
-      return;
-    }
-
-    if (!data.secretPath) {
-      createNotification({
-        type: "error",
-        text: "Please select a secret path",
-        title: "Error"
-      });
-      return;
-    }
-
-    const actions = [
-      { action: ProjectPermissionActions.Read, allowed: data.read },
-      { action: ProjectPermissionActions.Create, allowed: data.create },
-      { action: ProjectPermissionActions.Delete, allowed: data.delete },
-      { action: ProjectPermissionActions.Edit, allowed: data.edit }
-    ];
-    const conditions: Record<string, any> = { environment: data.environmentSlug };
-    if (data.secretPath) {
-      conditions.secretPath = { $glob: data.secretPath };
-    }
-    await requestAccess.mutateAsync({
-      ...data,
-      ...(data.temporaryAccess.isTemporary && {
-        temporaryRange: data.temporaryAccess.temporaryRange
-      }),
-      projectSlug: currentWorkspace.slug,
-      isTemporary: data.temporaryAccess.isTemporary,
-      permissions: actions
-        .filter(({ allowed }) => allowed)
-        .map(({ action }) => ({
-          action,
-          subject: [ProjectPermissionSub.Secrets],
-          conditions
-        }))
-    });
-
-    createNotification({
-      type: "success",
-      text: "Successfully requested access"
-    });
-    privilegeForm.reset();
-    if (onClose) onClose();
-  };
-
-  const handleSubmit = async (data: TSecretPermissionForm) => {
-    if (privilege) {
-      handleUpdatePrivilege(data);
-    } else {
-      handleRequestAccess(data);
-    }
-  };
-
   const getAccessLabel = (exactTime = false) => {
     if (isExpired) return "Access expired";
     if (!temporaryAccessField?.isTemporary) return "Permanent";
-
-    if (exactTime && !policies) {
+    if (exactTime)
       return `Until ${format(
         new Date(temporaryAccessField.temporaryAccessEndTime || ""),
         "yyyy-MM-dd HH:mm:ss"
       )}`;
-    }
     return formatDistance(new Date(temporaryAccessField.temporaryAccessEndTime || ""), new Date());
   };
 
   return (
-    <div className="mt-4 w-full">
-      <form onSubmit={privilegeForm.handleSubmit(handleSubmit)}>
-        <div className={twMerge("flex items-start gap-4", !privilege && "flex-wrap")}>
+    <div className="mt-4">
+      <form onSubmit={privilegeForm.handleSubmit(handleUpdatePrivilege)}>
+        <div className="flex items-start space-x-4">
           <Controller
             control={privilegeForm.control}
             name="environmentSlug"
             render={({ field: { onChange, ...field } }) => (
-              <FormControl label="Environment">
+              <FormControl label="Env">
                 <Select
                   {...field}
                   isDisabled={isMemberEditDisabled}
                   className="bg-mineshaft-600 hover:bg-mineshaft-500"
                   onValueChange={(e) => onChange(e)}
                 >
-                  {currentWorkspace?.environments?.map(({ slug, id, name }) => (
+                  {currentWorkspace?.environments?.map(({ slug, id }) => (
                     <SelectItem value={slug} key={id}>
-                      {name}
+                      {slug}
                     </SelectItem>
                   ))}
                 </Select>
@@ -340,43 +208,16 @@ export const SpecificPrivilegeSecretForm = ({
           <Controller
             control={privilegeForm.control}
             name="secretPath"
-            render={({ field }) => {
-              if (policies) {
-                return (
-                  <Tooltip
-                    isDisabled={!!selectablePaths.length}
-                    content="The selected environment doesn't have any policies."
-                  >
-                    <div>
-                      <FormControl label="Secret Path">
-                        <Select
-                          {...field}
-                          isDisabled={isMemberEditDisabled || !selectablePaths.length}
-                          className="w-48"
-                          onValueChange={(e) => field.onChange(e)}
-                        >
-                          {selectablePaths.map((path) => (
-                            <SelectItem value={path} key={path}>
-                              {path}
-                            </SelectItem>
-                          ))}
-                        </Select>
-                      </FormControl>
-                    </div>
-                  </Tooltip>
-                );
-              }
-              return (
-                <FormControl label="Secret Path">
-                  <SecretPathInput
-                    {...field}
-                    isDisabled={isMemberEditDisabled}
-                    containerClassName="w-48"
-                    environment={selectedEnvironment}
-                  />
-                </FormControl>
-              );
-            }}
+            render={({ field }) => (
+              <FormControl label="Secret Path">
+                <SecretPathInput
+                  {...field}
+                  isDisabled={isMemberEditDisabled}
+                  containerClassName="w-48"
+                  environment={selectedEnvironmentSlug}
+                />
+              </FormControl>
+            )}
           />
           <div className="flex flex-grow justify-between">
             <Controller
@@ -444,7 +285,7 @@ export const SpecificPrivilegeSecretForm = ({
               )}
             />
           </div>
-          <div className="mt-6 flex items-center space-x-2">
+          <div className="mt-7 flex items-center space-x-2">
             <Popover>
               <PopoverTrigger disabled={isMemberEditDisabled}>
                 <div>
@@ -460,7 +301,7 @@ export const SpecificPrivilegeSecretForm = ({
                         isExpired && "text-red-600"
                       )}
                     >
-                      {getAccessLabel(false)}
+                      {getAccessLabel()}
                     </Button>
                   </Tooltip>
                 </div>
@@ -521,9 +362,8 @@ export const SpecificPrivilegeSecretForm = ({
                         );
                       }}
                     >
-                      {temporaryAccessField.isTemporary && !policies ? "Restart" : "Grant"}
+                      {temporaryAccessField.isTemporary ? "Restart" : "Grant"}
                     </Button>
-
                     {temporaryAccessField.isTemporary && (
                       <Button
                         size="xs"
@@ -535,15 +375,14 @@ export const SpecificPrivilegeSecretForm = ({
                           });
                         }}
                       >
-                        Cancel
+                        Revoke Access
                       </Button>
                     )}
                   </div>
                 </div>
               </PopoverContent>
             </Popover>
-            {/* eslint-disable-next-line no-nested-ternary */}
-            {privilegeForm.formState.isDirty && privilege ? (
+            {privilegeForm.formState.isDirty ? (
               <>
                 <Tooltip content="Cancel" className="mr-4">
                   <IconButton
@@ -574,8 +413,7 @@ export const SpecificPrivilegeSecretForm = ({
                   </IconButton>
                 </Tooltip>
               </>
-            ) : // eslint-disable-next-line no-nested-ternary
-            privilege ? (
+            ) : (
               <Tooltip
                 content={isMemberEditDisabled ? "Access restricted" : "Delete"}
                 className="mr-4"
@@ -590,28 +428,9 @@ export const SpecificPrivilegeSecretForm = ({
                   <FontAwesomeIcon icon={faTrash} />
                 </IconButton>
               </Tooltip>
-            ) : (
-              <div />
             )}
           </div>
         </div>
-        {!!policies && (
-          <Button
-            type="submit"
-            isLoading={privilegeForm.formState.isSubmitting || requestAccess.isLoading}
-            isDisabled={
-              isMemberEditDisabled ||
-              !policies.length ||
-              !privilegeForm.formState.isValid ||
-              !secretPath ||
-              !accessSelected
-            }
-            className="mt-4"
-            leftIcon={<FontAwesomeIcon icon={faLockOpen} />}
-          >
-            Request access
-          </Button>
-        )}
       </form>
       <DeleteActionModal
         isOpen={popUp.deletePrivilege.isOpen}
@@ -676,6 +495,7 @@ export const SpecificPrivilegeSection = ({ membershipId }: Props) => {
           ?.filter(({ permissions }) =>
             permissions?.[0]?.subject?.includes(ProjectPermissionSub.Secrets)
           )
+          .sort((a, b) => a.id.localeCompare(b.id))
           ?.map((privilege) => (
             <SpecificPrivilegeSecretForm
               privilege={privilege as TProjectUserPrivilege}

frontend/src/views/SecretApprovalPage/SecretApprovalPage.tsx

@@ -3,31 +3,25 @@ import { faArrowUpRightFromSquare } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { Tab, TabList, TabPanel, Tabs } from "@app/components/v2";
-import { Divider } from "@app/components/v2/Divider";
 import { useWorkspace } from "@app/context";
 
-import { AccessApprovalPolicyList } from "./components/AccessApprovalPolicyList";
-import { AccessApprovalRequest } from "./components/AccessApprovalRequest";
 import { SecretApprovalPolicyList } from "./components/SecretApprovalPolicyList";
 import { SecretApprovalRequest } from "./components/SecretApprovalRequest";
 
 enum TabSection {
-  SecretApprovalRequests = "approval-requests",
-  SecretPolicies = "approval-rules",
-  ResourcePolicies = "resource-rules",
-  ResourceApprovalRequests = "resource-requests"
+  ApprovalRequests = "approval-requests",
+  Rules = "approval-rules"
 }
 
 export const SecretApprovalPage = () => {
   const { currentWorkspace } = useWorkspace();
-  const projectId = currentWorkspace?.id || "";
-  const projectSlug = currentWorkspace?.slug || "";
+  const workspaceId = currentWorkspace?.id || "";
 
   return (
     <div className="container mx-auto h-full w-full max-w-7xl bg-bunker-800 px-6 text-white">
       <div className="flex items-center justify-between py-6">
         <div className="flex w-full flex-col">
-          <h2 className="text-3xl font-semibold text-gray-200">Approval Workflows</h2>
+          <h2 className="text-3xl font-semibold text-gray-200">Secret Approval Workflows</h2>
           <p className="text-bunker-300">
             Create approval policies for any modifications to secrets in sensitive environments and
             folders.
@@ -45,26 +39,16 @@ export const SecretApprovalPage = () => {
           </Link>
         </div>
       </div>
-      <Tabs defaultValue={TabSection.SecretApprovalRequests}>
+      <Tabs defaultValue={TabSection.ApprovalRequests}>
         <TabList>
-          <Tab value={TabSection.SecretApprovalRequests}>Secret Requests</Tab>
-          <Tab value={TabSection.SecretPolicies}>Secret Policies</Tab>
-          <Divider />
-          <Tab value={TabSection.ResourceApprovalRequests}>Access Requests</Tab>
-          <Tab value={TabSection.ResourcePolicies}>Access Request Policies</Tab>
+          <Tab value={TabSection.ApprovalRequests}>Secret PRs</Tab>
+          <Tab value={TabSection.Rules}>Policies</Tab>
         </TabList>
-        <TabPanel value={TabSection.SecretApprovalRequests}>
+        <TabPanel value={TabSection.ApprovalRequests}>
           <SecretApprovalRequest />
         </TabPanel>
-        <TabPanel value={TabSection.SecretPolicies}>
-          <SecretApprovalPolicyList workspaceId={projectId} />
-        </TabPanel>
-
-        <TabPanel value={TabSection.ResourceApprovalRequests}>
-          <AccessApprovalRequest projectId={projectId} projectSlug={projectSlug} />
-        </TabPanel>
-        <TabPanel value={TabSection.ResourcePolicies}>
-          <AccessApprovalPolicyList workspaceId={projectId} />
+        <TabPanel value={TabSection.Rules}>
+          <SecretApprovalPolicyList workspaceId={workspaceId} />
         </TabPanel>
       </Tabs>
     </div>

frontend/src/views/SecretApprovalPage/components/AccessApprovalPolicyList/AccessApprovalPolicyList.tsx

@@ -1,174 +0,0 @@
-import { faFileShield, faPlus } from "@fortawesome/free-solid-svg-icons";
-import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
-
-import { createNotification } from "@app/components/notifications";
-import { ProjectPermissionCan } from "@app/components/permissions";
-import {
-  Button,
-  DeleteActionModal,
-  EmptyState,
-  Table,
-  TableContainer,
-  TableSkeleton,
-  TBody,
-  Td,
-  Th,
-  THead,
-  Tr,
-  UpgradePlanModal
-} from "@app/components/v2";
-import {
-  ProjectPermissionActions,
-  ProjectPermissionSub,
-  useProjectPermission,
-  useSubscription,
-  useWorkspace
-} from "@app/context";
-import { usePopUp } from "@app/hooks";
-import { useDeleteAccessApprovalPolicy, useGetWorkspaceUsers } from "@app/hooks/api";
-import { useGetAccessApprovalPolicies } from "@app/hooks/api/accessApproval/queries";
-import { TAccessApprovalPolicy } from "@app/hooks/api/types";
-
-import { AccessApprovalPolicyRow } from "./components/AccessApprovalPolicyRow";
-import { AccessPolicyForm } from "./components/AccessPolicyModal";
-
-interface IProps {
-  workspaceId: string;
-}
-
-export const AccessApprovalPolicyList = ({ workspaceId }: IProps) => {
-  const { handlePopUpToggle, handlePopUpOpen, handlePopUpClose, popUp } = usePopUp([
-    "secretPolicyForm",
-    "deletePolicy",
-    "upgradePlan"
-  ] as const);
-  const { permission } = useProjectPermission();
-  const { subscription } = useSubscription();
-  const { currentWorkspace } = useWorkspace();
-
-  const { data: members } = useGetWorkspaceUsers(workspaceId);
-  const { data: policies, isLoading: isPoliciesLoading } = useGetAccessApprovalPolicies({
-    projectSlug: currentWorkspace?.slug as string,
-    options: {
-      enabled:
-        permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval) &&
-        !!currentWorkspace?.slug
-    }
-  });
-
-  const { mutateAsync: deleteSecretApprovalPolicy } = useDeleteAccessApprovalPolicy();
-
-  const handleDeletePolicy = async () => {
-    const { id } = popUp.deletePolicy.data as TAccessApprovalPolicy;
-    if (!currentWorkspace?.slug) return;
-
-    try {
-      await deleteSecretApprovalPolicy({
-        projectSlug: currentWorkspace?.slug,
-        id
-      });
-      createNotification({
-        type: "success",
-        text: "Successfully deleted policy"
-      });
-      handlePopUpClose("deletePolicy");
-    } catch (err) {
-      console.log(err);
-      createNotification({
-        type: "error",
-        text: "Failed  to delete policy"
-      });
-    }
-  };
-
-  return (
-    <div>
-      <div className="mb-6 flex items-end justify-between">
-        <div className="flex flex-col">
-          <span className="text-xl font-semibold text-mineshaft-100">Access Request Policies</span>
-          <div className="mt-2 text-sm text-bunker-300">
-            Implement secret request policies for specific secrets and environments.
-          </div>
-        </div>
-        <div>
-          <ProjectPermissionCan
-            I={ProjectPermissionActions.Create}
-            a={ProjectPermissionSub.SecretApproval}
-          >
-            {(isAllowed) => (
-              <Button
-                onClick={() => {
-                  if (subscription && !subscription?.secretApproval) {
-                    handlePopUpOpen("upgradePlan");
-                    return;
-                  }
-                  handlePopUpOpen("secretPolicyForm");
-                }}
-                leftIcon={<FontAwesomeIcon icon={faPlus} />}
-                isDisabled={!isAllowed}
-              >
-                Create policy
-              </Button>
-            )}
-          </ProjectPermissionCan>
-        </div>
-      </div>
-      <TableContainer>
-        <Table>
-          <THead>
-            <Tr>
-              <Th>Name</Th>
-              <Th>Environment</Th>
-              <Th>Secret Path</Th>
-              <Th>Eligible Approvers</Th>
-              <Th>Approval Required</Th>
-              <Th />
-            </Tr>
-          </THead>
-          <TBody>
-            {isPoliciesLoading && (
-              <TableSkeleton columns={6} innerKey="secret-policies" className="bg-mineshaft-700" />
-            )}
-            {!isPoliciesLoading && !policies?.length && (
-              <Tr>
-                <Td colSpan={6}>
-                  <EmptyState title="No policies found" icon={faFileShield} />
-                </Td>
-              </Tr>
-            )}
-            {!!currentWorkspace &&
-              policies?.map((policy) => (
-                <AccessApprovalPolicyRow
-                  projectSlug={currentWorkspace.slug}
-                  policy={policy}
-                  key={policy.id}
-                  members={members}
-                  onEdit={() => handlePopUpOpen("secretPolicyForm", policy)}
-                  onDelete={() => handlePopUpOpen("deletePolicy", policy)}
-                />
-              ))}
-          </TBody>
-        </Table>
-      </TableContainer>
-      <AccessPolicyForm
-        projectSlug={currentWorkspace?.slug!}
-        isOpen={popUp.secretPolicyForm.isOpen}
-        onToggle={(isOpen) => handlePopUpToggle("secretPolicyForm", isOpen)}
-        members={members}
-        editValues={popUp.secretPolicyForm.data as TAccessApprovalPolicy}
-      />
-      <DeleteActionModal
-        isOpen={popUp.deletePolicy.isOpen}
-        deleteKey="remove"
-        title="Do you want to remove this policy?"
-        onChange={(isOpen) => handlePopUpToggle("deletePolicy", isOpen)}
-        onDeleteApproved={handleDeletePolicy}
-      />
-      <UpgradePlanModal
-        isOpen={popUp.upgradePlan.isOpen}
-        onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}
-        text="You can add secret approval policy if you switch to Infisical's Enterprise  plan."
-      />
-    </div>
-  );
-};