Add telemtry for Infisical PKI

.github/workflows/release_docker_k8_operator.yaml

@@ -4,10 +4,6 @@ on:
         tags:
             - "infisical-k8-operator/v*.*.*"
 
-permissions:
-    contents: write
-    pull-requests: write
-
 jobs:
     release-image:
         name: Generate Helm Chart PR

.infisicalignore

@@ -8,9 +8,3 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
 docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104
-docs/cli/commands/bootstrap.mdx:jwt:86
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:102
-docs/self-hosting/guides/automated-bootstrapping.mdx:jwt:74
-frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx:generic-api-key:72
-k8-operator/config/samples/crd/pushsecret/source-secret-with-templating.yaml:private-key:11
-k8-operator/config/samples/crd/pushsecret/push-secret-with-template.yaml:private-key:52

backend/src/db/manual-migrations/partition-audit-logs.ts

@@ -16,7 +16,7 @@ const createAuditLogPartition = async (knex: Knex, startDate: Date, endDate: Dat
   const startDateStr = formatPartitionDate(startDate);
   const endDateStr = formatPartitionDate(endDate);
 
-  const partitionName = `${TableName.AuditLog}_${startDateStr.replaceAll("-", "")}_${endDateStr.replaceAll("-", "")}`;
+  const partitionName = `${TableName.AuditLog}_${startDateStr.replace(/-/g, "")}_${endDateStr.replace(/-/g, "")}`;
 
   await knex.schema.raw(
     `CREATE TABLE ${partitionName} PARTITION OF ${TableName.AuditLog} FOR VALUES FROM ('${startDateStr}') TO ('${endDateStr}')`

backend/src/db/migrations/20250313124706_add-privilege-upgrade-field.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem"))) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("shouldUseNewPrivilegeSystem");
-      t.string("privilegeUpgradeInitiatedByUsername");
-      t.dateTime("privilegeUpgradeInitiatedAt");
-    });
-
-    await knex(TableName.Organization).update({
-      shouldUseNewPrivilegeSystem: false
-    });
-
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.boolean("shouldUseNewPrivilegeSystem").defaultTo(true).notNullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Organization, "shouldUseNewPrivilegeSystem")) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      t.dropColumn("shouldUseNewPrivilegeSystem");
-      t.dropColumn("privilegeUpgradeInitiatedByUsername");
-      t.dropColumn("privilegeUpgradeInitiatedAt");
-    });
-  }
-}

backend/src/db/schemas/organizations.ts

@@ -23,9 +23,6 @@ export const OrganizationsSchema = z.object({
   defaultMembershipRole: z.string().default("member"),
   enforceMfa: z.boolean().default(false),
   selectedMfaMethod: z.string().nullable().optional(),
-  shouldUseNewPrivilegeSystem: z.boolean().default(true),
-  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
-  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   allowSecretSharingOutsideOrganization: z.boolean().default(true).nullable().optional()
 });
 

backend/src/ee/routes/est/certificate-est-router.ts

@@ -16,7 +16,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       // for CSRs sent in PEM, we leave them as is
       // for CSRs sent in base64, we preprocess them to remove new lines and spaces
       if (!csrBody.includes("BEGIN CERTIFICATE REQUEST")) {
-        csrBody = csrBody.replaceAll("\n", "").replaceAll(" ", "");
+        csrBody = csrBody.replace(/\n/g, "").replace(/ /g, "");
       }
 
       done(null, csrBody);

backend/src/ee/routes/v1/ldap-router.ts

@@ -61,8 +61,8 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           if (ldapConfig.groupSearchBase) {
             const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
             const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
-              .replaceAll("{{.Username}}", user.uid)
-              .replaceAll("{{.UserDN}}", user.dn);
+              .replace(/{{\.Username}}/g, user.uid)
+              .replace(/{{\.UserDN}}/g, user.dn);
 
             if (!isValidLdapFilter(groupSearchFilter)) {
               throw new Error("Generated LDAP search filter is invalid.");

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -45,6 +45,7 @@ export const auditLogStreamServiceFactory = ({
   }: TCreateAuditLogStreamDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID attached to authentication token" });
 
+    const appCfg = getConfig();
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.auditLogStreams) {
       throw new BadRequestError({
@@ -61,8 +62,9 @@ export const auditLogStreamServiceFactory = ({
     );
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Settings);
 
-    const appCfg = getConfig();
-    if (appCfg.isCloud) await blockLocalAndPrivateIpAddresses(url);
+    if (appCfg.isCloud) {
+      blockLocalAndPrivateIpAddresses(url);
+    }
 
     const totalStreams = await auditLogStreamDAL.find({ orgId: actorOrgId });
     if (totalStreams.length >= plan.auditLogStreamLimit) {
@@ -133,8 +135,9 @@ export const auditLogStreamServiceFactory = ({
     const { orgId } = logStream;
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
     const appCfg = getConfig();
-    if (url && appCfg.isCloud) await blockLocalAndPrivateIpAddresses(url);
+    if (url && appCfg.isCloud) blockLocalAndPrivateIpAddresses(url);
 
     // testing connection first
     const streamHeaders: RawAxiosRequestHeaders = { "Content-Type": "application/json" };

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -968,7 +968,6 @@ interface LoginIdentityOidcAuthEvent {
     identityId: string;
     identityOidcAuthId: string;
     identityAccessTokenId: string;
-    oidcClaimsReceived: Record<string, unknown>;
   };
 }
 

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -1,6 +1,5 @@
 import * as x509 from "@peculiar/x509";
 
-import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { isCertChainValid } from "@app/services/certificate/certificate-fns";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
@@ -68,7 +67,9 @@ export const certificateEstServiceFactory = ({
 
     const certTemplate = await certificateTemplateDAL.findById(certificateTemplateId);
 
-    const leafCertificate = extractX509CertFromChain(decodeURIComponent(sslClientCert))?.[0];
+    const leafCertificate = decodeURIComponent(sslClientCert).match(
+      /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
+    )?.[0];
 
     if (!leafCertificate) {
       throw new UnauthorizedError({ message: "Missing client certificate" });
@@ -87,7 +88,10 @@ export const certificateEstServiceFactory = ({
     const verifiedChains = await Promise.all(
       caCertChains.map((chain) => {
         const caCert = new x509.X509Certificate(chain.certificate);
-        const caChain = extractX509CertFromChain(chain.certificateChain)?.map((c) => new x509.X509Certificate(c)) || [];
+        const caChain =
+          chain.certificateChain
+            .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+            ?.map((c) => new x509.X509Certificate(c)) || [];
 
         return isCertChainValid([cert, caCert, ...caChain]);
       })
@@ -168,15 +172,19 @@ export const certificateEstServiceFactory = ({
     }
 
     if (!estConfig.disableBootstrapCertValidation) {
-      const caCerts = extractX509CertFromChain(estConfig.caChain)?.map((cert) => {
-        return new x509.X509Certificate(cert);
-      });
+      const caCerts = estConfig.caChain
+        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+        ?.map((cert) => {
+          return new x509.X509Certificate(cert);
+        });
 
       if (!caCerts) {
         throw new BadRequestError({ message: "Failed to parse certificate chain" });
       }
 
-      const leafCertificate = extractX509CertFromChain(decodeURIComponent(sslClientCert))?.[0];
+      const leafCertificate = decodeURIComponent(sslClientCert).match(
+        /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
+      )?.[0];
 
       if (!leafCertificate) {
         throw new BadRequestError({ message: "Missing client certificate" });
@@ -242,7 +250,13 @@ export const certificateEstServiceFactory = ({
       kmsService
     });
 
-    const certificates = extractX509CertFromChain(caCertChain).map((cert) => new x509.X509Certificate(cert));
+    const certificates = caCertChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => new x509.X509Certificate(cert));
+
+    if (!certificates) {
+      throw new BadRequestError({ message: "Failed to parse certificate chain" });
+    }
 
     const caCertificate = new x509.X509Certificate(caCert);
     return convertRawCertsToPkcs7([caCertificate.rawData, ...certificates.map((cert) => cert.rawData)]);

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -183,7 +183,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id) {
+    if (!dynamicSecretLease) {
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
     }
 
@@ -256,7 +256,7 @@ export const dynamicSecretLeaseServiceFactory = ({
       });
 
     const dynamicSecretLease = await dynamicSecretLeaseDAL.findById(leaseId);
-    if (!dynamicSecretLease || dynamicSecretLease.dynamicSecret.folderId !== folder.id)
+    if (!dynamicSecretLease)
       throw new NotFoundError({ message: `Dynamic secret lease with ID '${leaseId}' not found` });
 
     const dynamicSecretCfg = dynamicSecretLease.dynamicSecret;

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -8,7 +8,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
-  // if (appCfg.NODE_ENV === "development") return ["host.docker.internal"]; // incase you want to remove this check in dev
+  // if (appCfg.NODE_ENV === "development") return; // incase you want to remove this check in dev
 
   const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
     (appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -95,7 +95,7 @@ export const SapAseProvider = (): TDynamicProviderFns => {
       password
     });
 
-    const queries = creationStatement.trim().replaceAll("\n", "").split(";").filter(Boolean);
+    const queries = creationStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
 
     for await (const query of queries) {
       // If it's an adduser query, we need to first call sp_addlogin on the MASTER database.
@@ -116,7 +116,7 @@ export const SapAseProvider = (): TDynamicProviderFns => {
       username
     });
 
-    const queries = revokeStatement.trim().replaceAll("\n", "").split(";").filter(Boolean);
+    const queries = revokeStatement.trim().replace(/\n/g, "").split(";").filter(Boolean);
 
     const client = await $getClient(providerInputs);
     const masterClient = await $getClient(providerInputs, true);

backend/src/ee/services/group/group-service.ts

@@ -3,7 +3,8 @@ import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@@ -13,8 +14,7 @@ import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal
 import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TLicenseServiceFactory } from "../license/license-service";
-import { OrgPermissionGroupActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGroupDALFactory } from "./group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "./group-fns";
@@ -67,14 +67,14 @@ export const groupServiceFactory = ({
   const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       actorOrgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Create, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.groups)
@@ -87,26 +87,14 @@ export const groupServiceFactory = ({
       actorOrgId
     );
     const isCustomRole = Boolean(customRole);
-    if (role !== OrgMembershipRole.NoAccess) {
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        OrgPermissionGroupActions.GrantPrivileges,
-        OrgPermissionSubjects.Groups,
-        permission,
-        rolePermission
-      );
 
-      if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to create group",
-            membership.shouldUseNewPrivilegeSystem,
-            OrgPermissionGroupActions.GrantPrivileges,
-            OrgPermissionSubjects.Groups
-          ),
-          details: { missingPermissions: permissionBoundary.missingPermissions }
-        });
-    }
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to create a more privileged group",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const group = await groupDAL.transaction(async (tx) => {
       const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
@@ -145,15 +133,14 @@ export const groupServiceFactory = ({
   }: TUpdateGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       actorOrgId,
       actorAuthMethod,
       actorOrgId
     );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
 
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.groups)
@@ -174,21 +161,11 @@ export const groupServiceFactory = ({
       );
 
       const isCustomRole = Boolean(customOrgRole);
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        OrgPermissionGroupActions.GrantPrivileges,
-        OrgPermissionSubjects.Groups,
-        permission,
-        rolePermission
-      );
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to update group",
-            membership.shouldUseNewPrivilegeSystem,
-            OrgPermissionGroupActions.GrantPrivileges,
-            OrgPermissionSubjects.Groups
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to update a more privileged group",
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
       if (isCustomRole) customRole = customOrgRole;
@@ -238,7 +215,7 @@ export const groupServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Delete, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
 
     const plan = await licenseService.getPlan(actorOrgId);
 
@@ -265,7 +242,7 @@ export const groupServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
 
     const group = await groupDAL.findById(id);
     if (!group) {
@@ -298,7 +275,7 @@ export const groupServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
 
     const group = await groupDAL.findOne({
       orgId: actorOrgId,
@@ -326,14 +303,14 @@ export const groupServiceFactory = ({
   const addUserToGroup = async ({ id, username, actor, actorId, actorAuthMethod, actorOrgId }: TAddUserToGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       actorOrgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
 
     // check if group with slug exists
     const group = await groupDAL.findOne({
@@ -361,22 +338,11 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionGroupActions.AddMembers,
-      OrgPermissionSubjects.Groups,
-      permission,
-      groupRolePermission
-    );
-
+    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to add user to more privileged group",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionGroupActions.AddMembers,
-          OrgPermissionSubjects.Groups
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to add user to more privileged group",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -408,14 +374,14 @@ export const groupServiceFactory = ({
   }: TRemoveUserFromGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       actorOrgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
 
     // check if group with slug exists
     const group = await groupDAL.findOne({
@@ -443,21 +409,11 @@ export const groupServiceFactory = ({
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionGroupActions.RemoveMembers,
-      OrgPermissionSubjects.Groups,
-      permission,
-      groupRolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, groupRolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to delete user from more privileged group",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionGroupActions.RemoveMembers,
-          OrgPermissionSubjects.Groups
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to delete user from more privileged group",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -2,7 +2,8 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
@@ -10,9 +11,8 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionIdentityActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeV2DALFactory } from "./identity-project-additional-privilege-v2-dal";
 import {
   IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -65,10 +65,10 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
-    const { permission: targetIdentityPermission, membership } = await permissionService.getProjectPermission({
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
       actor: ActorType.IDENTITY,
       actorId: identityId,
       projectId: identityProjectMembership.projectId,
@@ -80,21 +80,11 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      targetIdentityPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
     validateHandlebarTemplate("Identity Additional Privilege Create", JSON.stringify(customPermission || []), {
@@ -164,10 +154,10 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: targetIdentityPermission, membership } = await permissionService.getProjectPermission({
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
       actor: ActorType.IDENTITY,
       actorId: identityProjectMembership.identityId,
       projectId: identityProjectMembership.projectId,
@@ -179,21 +169,11 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      targetIdentityPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -255,7 +235,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: identityProjectMembership.projectId,
@@ -264,7 +244,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
     const { permission: identityRolePermission } = await permissionService.getProjectPermission({
@@ -275,21 +255,11 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      identityRolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -325,7 +295,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
 
@@ -360,7 +330,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
 
@@ -396,7 +366,7 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
 

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -2,7 +2,8 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
 import { ActionProjectType } from "@app/db/schemas";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
@@ -10,13 +11,8 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionIdentityActions,
-  ProjectPermissionSet,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
   IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -68,7 +64,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: identityProjectMembership.projectId,
@@ -76,9 +72,8 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
@@ -94,21 +89,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      targetIdentityPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -170,7 +155,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: identityProjectMembership.projectId,
@@ -180,7 +165,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
@@ -196,21 +181,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetIdentityPermission.update(targetIdentityPermission.rules.concat(data.permissions || []));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      targetIdentityPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetIdentityPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -288,7 +263,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: identityProjectMembership.projectId,
@@ -297,7 +272,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
@@ -309,21 +284,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionIdentityActions.GrantPrivileges,
-      ProjectPermissionSub.Identity,
-      permission,
-      identityRolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to edit more privileged identity",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionIdentityActions.GrantPrivileges,
-          ProjectPermissionSub.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to edit more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -370,7 +335,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
@@ -414,7 +379,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 

backend/src/ee/services/kmip/kmip-service.ts

@@ -4,9 +4,8 @@ import crypto, { KeyObject } from "crypto";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
-import { isValidIp } from "@app/lib/ip";
+import { isValidHostname, isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { constructPemChainFromCerts } from "@app/services/certificate/certificate-fns";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
 import {
@@ -666,7 +665,7 @@ export const kmipServiceFactory = ({
       .split(",")
       .map((name) => name.trim())
       .map((altName) => {
-        if (isFQDN(altName, { allow_wildcard: true })) {
+        if (isValidHostname(altName)) {
           return {
             type: "dns",
             value: altName

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -97,14 +97,12 @@ export const searchGroups = async (
 
         res.on("searchEntry", (entry) => {
           const dn = entry.dn.toString();
-          const cnStartIndex = dn.indexOf("cn=");
+          const regex = /cn=([^,]+)/;
+          const match = dn.match(regex);
+          // parse the cn from the dn
+          const cn = (match && match[1]) as string;
 
-          if (cnStartIndex !== -1) {
-            const valueStartIndex = cnStartIndex + 3;
-            const commaIndex = dn.indexOf(",", valueStartIndex);
-            const cn = dn.substring(valueStartIndex, commaIndex === -1 ? undefined : commaIndex);
-            groups.push({ dn, cn });
-          }
+          groups.push({ dn, cn });
         });
         res.on("error", (error) => {
           ldapClient.unbind();

backend/src/ee/services/permission/org-permission.ts

@@ -44,28 +44,6 @@ export enum OrgPermissionGatewayActions {
   DeleteGateways = "delete-gateways"
 }
 
-export enum OrgPermissionIdentityActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  GrantPrivileges = "grant-privileges",
-  RevokeAuth = "revoke-auth",
-  CreateToken = "create-token",
-  GetToken = "get-token",
-  DeleteToken = "delete-token"
-}
-
-export enum OrgPermissionGroupActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  GrantPrivileges = "grant-privileges",
-  AddMembers = "add-members",
-  RemoveMembers = "remove-members"
-}
-
 export enum OrgPermissionSubjects {
   Workspace = "workspace",
   Role = "role",
@@ -102,10 +80,10 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Sso]
   | [OrgPermissionActions, OrgPermissionSubjects.Scim]
   | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
-  | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
+  | [OrgPermissionActions, OrgPermissionSubjects.Groups]
   | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
   | [OrgPermissionActions, OrgPermissionSubjects.Billing]
-  | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
+  | [OrgPermissionActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
   | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
@@ -278,28 +256,20 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);
 
-  can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.Create, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.Edit, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.Delete, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.GrantPrivileges, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.AddMembers, OrgPermissionSubjects.Groups);
-  can(OrgPermissionGroupActions.RemoveMembers, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Groups);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.Billing);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.Billing);
 
-  can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.GrantPrivileges, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.RevokeAuth, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.CreateToken, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.GetToken, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.DeleteToken, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Kms);
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Kms);
@@ -346,7 +316,7 @@ const buildMemberPermission = () => {
 
   can(OrgPermissionActions.Create, OrgPermissionSubjects.Workspace);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Member);
-  can(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Role);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
   can(OrgPermissionActions.Read, OrgPermissionSubjects.Billing);
@@ -357,10 +327,10 @@ const buildMemberPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.SecretScanning);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.SecretScanning);
 
-  can(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
-  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
 
   can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
 

backend/src/ee/services/permission/permission-dal.ts

@@ -49,7 +49,6 @@ export const permissionDALFactory = (db: TDbClient) => {
         .join(TableName.Organization, `${TableName.Organization}.id`, `${TableName.OrgMembership}.orgId`)
         .select(
           selectAllTableCols(TableName.OrgMembership),
-          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization),
           db.ref("slug").withSchema(TableName.OrgRoles).withSchema(TableName.OrgRoles).as("customRoleSlug"),
           db.ref("permissions").withSchema(TableName.OrgRoles),
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
@@ -71,8 +70,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           OrgMembershipsSchema.extend({
             permissions: z.unknown(),
             orgAuthEnforced: z.boolean().optional().nullable(),
-            customRoleSlug: z.string().optional().nullable(),
-            shouldUseNewPrivilegeSystem: z.boolean()
+            customRoleSlug: z.string().optional().nullable()
           }).parse(el),
         childrenMapper: [
           {
@@ -120,9 +118,7 @@ export const permissionDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.IdentityOrgMembership))
         .select(db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"))
         .select("permissions")
-        .select(db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization))
         .first();
-
       return membership;
     } catch (error) {
       throw new DatabaseError({ error, name: "GetOrgIdentityPermission" });
@@ -672,8 +668,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
           db.ref("orgId").withSchema(TableName.Project),
           db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId"),
-          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization)
+          db.ref("id").withSchema(TableName.Project).as("projectId")
         );
 
       const [userPermission] = sqlNestRelationships({
@@ -689,8 +684,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           groupMembershipCreatedAt,
           groupMembershipUpdatedAt,
           membershipUpdatedAt,
-          projectType,
-          shouldUseNewPrivilegeSystem
+          projectType
         }) => ({
           orgId,
           orgAuthEnforced,
@@ -700,8 +694,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           projectType,
           id: membershipId || groupMembershipId,
           createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt,
-          shouldUseNewPrivilegeSystem
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
         }),
         childrenMapper: [
           {
@@ -1002,7 +995,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.projectId`,
           `${TableName.Project}.id`
         )
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
         .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
           void queryBuilder
             .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
@@ -1020,7 +1012,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
           db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
           db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("shouldUseNewPrivilegeSystem").withSchema(TableName.Organization),
           db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
           db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
           db
@@ -1054,8 +1045,7 @@ export const permissionDALFactory = (db: TDbClient) => {
           membershipUpdatedAt,
           orgId,
           identityName,
-          projectType,
-          shouldUseNewPrivilegeSystem
+          projectType
         }) => ({
           id: membershipId,
           identityId,
@@ -1065,7 +1055,6 @@ export const permissionDALFactory = (db: TDbClient) => {
           updatedAt: membershipUpdatedAt,
           orgId,
           projectType,
-          shouldUseNewPrivilegeSystem,
           // just a prefilled value
           orgAuthEnforced: false
         }),

backend/src/ee/services/permission/permission-fns.ts

@@ -3,11 +3,9 @@ import { ForbiddenError, MongoAbility, PureAbility, subject } from "@casl/abilit
 import { z } from "zod";
 
 import { TOrganizations } from "@app/db/schemas";
-import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 
-import { OrgPermissionSet } from "./org-permission";
 import {
   ProjectPermissionSecretActions,
   ProjectPermissionSet,
@@ -147,57 +145,4 @@ const escapeHandlebarsMissingDict = (obj: Record<string, string>, key: string) =
   return new Proxy(obj, handler);
 };
 
-// This function serves as a transition layer between the old and new privilege management system
-// the old privilege management system is based on the actor having more privileges than the managed permission
-// the new privilege management system is based on the actor having the appropriate permission to perform the privilege change,
-// regardless of the actor's privilege level.
-const validatePrivilegeChangeOperation = (
-  shouldUseNewPrivilegeSystem: boolean,
-  opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
-  opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1],
-  actorPermission: MongoAbility,
-  managedPermission: MongoAbility
-) => {
-  if (shouldUseNewPrivilegeSystem) {
-    if (actorPermission.can(opAction, opSubject)) {
-      return {
-        isValid: true,
-        missingPermissions: []
-      };
-    }
-
-    return {
-      isValid: false,
-      missingPermissions: [
-        {
-          action: opAction,
-          subject: opSubject
-        }
-      ]
-    };
-  }
-
-  // if not, we check if the actor is indeed more privileged than the managed permission - this is the old system
-  return validatePermissionBoundary(actorPermission, managedPermission);
-};
-
-const constructPermissionErrorMessage = (
-  baseMessage: string,
-  shouldUseNewPrivilegeSystem: boolean,
-  opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
-  opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1]
-) => {
-  return `${baseMessage}${
-    shouldUseNewPrivilegeSystem
-      ? `. Actor is missing permission ${opAction as string} on ${opSubject as string}`
-      : ". Actor privilege level is not high enough to perform this action"
-  }`;
-};
-
-export {
-  constructPermissionErrorMessage,
-  escapeHandlebarsMissingDict,
-  isAuthMethodSaml,
-  validateOrgSSO,
-  validatePrivilegeChangeOperation
-};
+export { escapeHandlebarsMissingDict, isAuthMethodSaml, validateOrgSSO };

backend/src/ee/services/permission/permission-service.ts

@@ -397,18 +397,14 @@ export const permissionServiceFactory = ({
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: {
-        shouldUseNewPrivilegeSystem: true
-      }
+      membership: undefined
     };
   };
 
   type TProjectPermissionRT<T extends ActorType> = T extends ActorType.SERVICE
     ? {
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
-        membership: {
-          shouldUseNewPrivilegeSystem: boolean;
-        };
+        membership: undefined;
         hasRole: (arg: string) => boolean;
       } // service token doesn't have both membership and roles
     : {
@@ -417,7 +413,6 @@ export const permissionServiceFactory = ({
           orgAuthEnforced: boolean | null | undefined;
           orgId: string;
           roles: Array<{ role: string }>;
-          shouldUseNewPrivilegeSystem: boolean;
         };
         hasRole: (role: string) => boolean;
       };

backend/src/ee/services/permission/project-permission.ts

@@ -43,30 +43,6 @@ export enum ProjectPermissionDynamicSecretActions {
   Lease = "lease"
 }
 
-export enum ProjectPermissionIdentityActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  GrantPrivileges = "grant-privileges"
-}
-
-export enum ProjectPermissionMemberActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  GrantPrivileges = "grant-privileges"
-}
-
-export enum ProjectPermissionGroupActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  GrantPrivileges = "grant-privileges"
-}
-
 export enum ProjectPermissionSecretSyncActions {
   Read = "read",
   Create = "create",
@@ -174,8 +150,8 @@ export type ProjectPermissionSet =
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.Role]
   | [ProjectPermissionActions, ProjectPermissionSub.Tags]
-  | [ProjectPermissionMemberActions, ProjectPermissionSub.Member]
-  | [ProjectPermissionGroupActions, ProjectPermissionSub.Groups]
+  | [ProjectPermissionActions, ProjectPermissionSub.Member]
+  | [ProjectPermissionActions, ProjectPermissionSub.Groups]
   | [ProjectPermissionActions, ProjectPermissionSub.Integrations]
   | [ProjectPermissionActions, ProjectPermissionSub.Webhooks]
   | [ProjectPermissionActions, ProjectPermissionSub.AuditLogs]
@@ -186,7 +162,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
   | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
   | [
-      ProjectPermissionIdentityActions,
+      ProjectPermissionActions,
       ProjectPermissionSub.Identity | (ForcedSubject<ProjectPermissionSub.Identity> & IdentityManagementSubjectFields)
     ]
   | [ProjectPermissionActions, ProjectPermissionSub.CertificateAuthorities]
@@ -314,13 +290,13 @@ const GeneralPermissionSchema = [
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Member).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionMemberActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     )
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.Groups).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionGroupActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     )
   }),
@@ -534,7 +510,7 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
   z.object({
     subject: z.literal(ProjectPermissionSub.Identity).describe("The entity this permission pertains to."),
     inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionIdentityActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     ),
     conditions: IdentityManagementConditionSchema.describe(
@@ -555,9 +531,12 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.SecretImports,
     ProjectPermissionSub.SecretApproval,
     ProjectPermissionSub.SecretRotation,
+    ProjectPermissionSub.Member,
+    ProjectPermissionSub.Groups,
     ProjectPermissionSub.Role,
     ProjectPermissionSub.Integrations,
     ProjectPermissionSub.Webhooks,
+    ProjectPermissionSub.Identity,
     ProjectPermissionSub.ServiceTokens,
     ProjectPermissionSub.Settings,
     ProjectPermissionSub.Environments,
@@ -584,39 +563,6 @@ const buildAdminPermissionRules = () => {
     );
   });
 
-  can(
-    [
-      ProjectPermissionMemberActions.Create,
-      ProjectPermissionMemberActions.Edit,
-      ProjectPermissionMemberActions.Delete,
-      ProjectPermissionMemberActions.Read,
-      ProjectPermissionMemberActions.GrantPrivileges
-    ],
-    ProjectPermissionSub.Member
-  );
-
-  can(
-    [
-      ProjectPermissionGroupActions.Create,
-      ProjectPermissionGroupActions.Edit,
-      ProjectPermissionGroupActions.Delete,
-      ProjectPermissionGroupActions.Read,
-      ProjectPermissionGroupActions.GrantPrivileges
-    ],
-    ProjectPermissionSub.Groups
-  );
-
-  can(
-    [
-      ProjectPermissionIdentityActions.Create,
-      ProjectPermissionIdentityActions.Edit,
-      ProjectPermissionIdentityActions.Delete,
-      ProjectPermissionIdentityActions.Read,
-      ProjectPermissionIdentityActions.GrantPrivileges
-    ],
-    ProjectPermissionSub.Identity
-  );
-
   can(
     [
       ProjectPermissionSecretActions.DescribeAndReadValue,
@@ -731,9 +677,9 @@ const buildMemberPermissionRules = () => {
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
 
-  can([ProjectPermissionMemberActions.Read, ProjectPermissionMemberActions.Create], ProjectPermissionSub.Member);
+  can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.Member);
 
-  can([ProjectPermissionGroupActions.Read], ProjectPermissionSub.Groups);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.Groups);
 
   can(
     [
@@ -757,10 +703,10 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionIdentityActions.Read,
-      ProjectPermissionIdentityActions.Edit,
-      ProjectPermissionIdentityActions.Create,
-      ProjectPermissionIdentityActions.Delete
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
     ],
     ProjectPermissionSub.Identity
   );
@@ -874,12 +820,12 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
-  can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
-  can(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Webhooks);
-  can(ProjectPermissionIdentityActions.Read, ProjectPermissionSub.Identity);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.ServiceTokens);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -2,20 +2,16 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 
 import { ActionProjectType, TableName } from "@app/db/schemas";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 
-import { constructPermissionErrorMessage, validatePrivilegeChangeOperation } from "../permission/permission-fns";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import {
-  ProjectPermissionMemberActions,
-  ProjectPermissionSet,
-  ProjectPermissionSub
-} from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "./project-user-additional-privilege-dal";
 import {
   ProjectUserAdditionalPrivilegeTemporaryMode,
@@ -68,8 +64,8 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission, membership } = await permissionService.getProjectPermission({
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId: projectMembership.userId,
       projectId: projectMembership.projectId,
@@ -81,21 +77,11 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(customPermission));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionMemberActions.GrantPrivileges,
-      ProjectPermissionSub.Member,
-      permission,
-      targetUserPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged user",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionMemberActions.GrantPrivileges,
-          ProjectPermissionSub.Member
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged user",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -165,7 +151,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: projectMembership.projectId,
@@ -173,7 +159,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
     const { permission: targetUserPermission } = await permissionService.getProjectPermission({
       actor: ActorType.USER,
       actorId: projectMembership.userId,
@@ -186,21 +172,11 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
     targetUserPermission.update(targetUserPermission.rules.concat(dto.permissions || []));
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      ProjectPermissionMemberActions.GrantPrivileges,
-      ProjectPermissionSub.Member,
-      permission,
-      targetUserPermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, targetUserPermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update more privileged user",
-          membership.shouldUseNewPrivilegeSystem,
-          ProjectPermissionMemberActions.GrantPrivileges,
-          ProjectPermissionSub.Member
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -277,7 +253,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
     return {
@@ -314,7 +290,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     return {
       ...userPrivilege,
@@ -341,7 +317,7 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(
       {

backend/src/ee/services/scim/scim-fns.ts

@@ -29,9 +29,15 @@ export const parseScimFilter = (filterToParse: string | undefined) => {
     attributeName = "name";
   }
 
-  return { [attributeName]: parsedValue.replaceAll('"', "") };
+  return { [attributeName]: parsedValue.replace(/"/g, "") };
 };
 
+export function extractScimValueFromPath(path: string): string | null {
+  const regex = /members\[value eq "([^"]+)"\]/;
+  const match = path.match(regex);
+  return match ? match[1] : null;
+}
+
 export const buildScimUser = ({
   orgMembershipId,
   username,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -14,43 +14,16 @@ import { verifyHostInputValidity } from "../../dynamic-secret/dynamic-secret-fns
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
 import { TSecretRotationData, TSecretRotationDbFn } from "./secret-rotation-queue-types";
 
+const REGEX = /\${([^}]+)}/g;
 const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
 
-const replaceTemplateVariables = (str: string, getValue: (key: string) => unknown) => {
-  // Use array to collect pieces and join at the end (more efficient for large strings)
-  const parts: string[] = [];
-  let pos = 0;
-
-  while (pos < str.length) {
-    const start = str.indexOf("${", pos);
-    if (start === -1) {
-      parts.push(str.slice(pos));
-      break;
-    }
-
-    parts.push(str.slice(pos, start));
-    const end = str.indexOf("}", start + 2);
-
-    if (end === -1) {
-      parts.push(str.slice(start));
-      break;
-    }
-
-    const varName = str.slice(start + 2, end);
-    parts.push(String(getValue(varName)));
-    pos = end + 1;
-  }
-
-  return parts.join("");
-};
-
 export const interpolate = (data: any, getValue: (key: string) => unknown) => {
   if (!data) return;
 
   if (typeof data === "number") return data;
 
   if (typeof data === "string") {
-    return replaceTemplateVariables(data, getValue);
+    return data.replace(REGEX, (_a, b) => getValue(b) as string);
   }
 
   if (typeof data === "object" && Array.isArray(data)) {

backend/src/ee/services/secret-snapshot/snapshot-service-fns.ts

@@ -8,18 +8,7 @@ type GetFullFolderPath = {
 
 export const getFullFolderPath = async ({ folderDAL, folderId, envId }: GetFullFolderPath): Promise<string> => {
   // Helper function to remove duplicate slashes
-  const removeDuplicateSlashes = (path: string) => {
-    const chars = [];
-    let lastWasSlash = false;
-
-    for (let i = 0; i < path.length; i += 1) {
-      const char = path[i];
-      if (char !== "/" || !lastWasSlash) chars.push(char);
-      lastWasSlash = char === "/";
-    }
-
-    return chars.join("");
-  };
+  const removeDuplicateSlashes = (path: string) => path.replace(/\/{2,}/g, "/");
 
   // Fetch all folders at once based on environment ID to avoid multiple queries
   const folders = await folderDAL.find({ envId });

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-validators.ts

@@ -1,34 +1,14 @@
-import { isIP } from "net";
-
-import { isFQDN } from "@app/lib/validator/validate-url";
-
 // Validates usernames or wildcard (*)
 export const isValidUserPattern = (value: string): boolean => {
-  // Length check before regex to prevent ReDoS
-  if (typeof value !== "string") return false;
-  if (value.length > 32) return false; // Maximum Linux username length
-  if (value === "*") return true; // Handle wildcard separately
-
-  // Simpler, more specific pattern for usernames
-  const userRegex = /^[a-z_][a-z0-9_-]*$/i;
+  // Matches valid Linux usernames or a wildcard (*)
+  const userRegex = /^(?:\*|[a-z_][a-z0-9_-]{0,31})$/;
   return userRegex.test(value);
 };
 
 // Validates hostnames, wildcard domains, or IP addresses
 export const isValidHostPattern = (value: string): boolean => {
-  // Input validation
-  if (typeof value !== "string") return false;
-
-  // Length check
-  if (value.length > 255) return false;
-
-  // Handle the wildcard case separately
-  if (value === "*") return true;
-
-  // Check for IP addresses using Node.js built-in functions
-  if (isIP(value)) return true;
-
-  return isFQDN(value, {
-    allow_wildcard: true
-  });
+  // Matches FQDNs, wildcard domains (*.example.com), IPv4, and IPv6 addresses
+  const hostRegex =
+    /^(?:\*|\*\.[a-z0-9-]+(?:\.[a-z0-9-]+)*|[a-z0-9-]+(?:\.[a-z0-9-]+)*|\d{1,3}(\.\d{1,3}){3}|([a-fA-F0-9:]+:+)+[a-fA-F0-9]+(?:%[a-zA-Z0-9]+)?)$/;
+  return hostRegex.test(value);
 };

backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts

@@ -8,7 +8,6 @@ import { promisify } from "util";
 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 
 import {
@@ -19,7 +18,6 @@ import { SshCertType, TCreateSshCertDTO } from "./ssh-certificate-authority-type
 
 const execFileAsync = promisify(execFile);
 
-const EXEC_TIMEOUT_MS = 10000; // 10 seconds
 /* eslint-disable no-bitwise */
 export const createSshCertSerialNumber = () => {
   const randomBytes = crypto.randomBytes(8); // 8 bytes = 64 bits
@@ -66,9 +64,7 @@ export const createSshKeyPair = async (keyAlgorithm: CertKeyAlgorithm) => {
     // Generate the SSH key pair
     // The "-N ''" sets an empty passphrase
     // The keys are created in the temporary directory
-    await execFileAsync("ssh-keygen", ["-t", keyType, "-b", keyBits, "-f", privateKeyFile, "-N", ""], {
-      timeout: EXEC_TIMEOUT_MS
-    });
+    await execFileAsync("ssh-keygen", ["-t", keyType, "-b", keyBits, "-f", privateKeyFile, "-N", ""]);
 
     // Read the generated keys
     const publicKey = await fs.readFile(publicKeyFile, "utf8");
@@ -91,10 +87,7 @@ export const getSshPublicKey = async (privateKey: string) => {
     await fs.writeFile(privateKeyFile, privateKey, { mode: 0o600 });
 
     // Run ssh-keygen to extract the public key
-    const { stdout } = await execFileAsync("ssh-keygen", ["-y", "-f", privateKeyFile], {
-      encoding: "utf8",
-      timeout: EXEC_TIMEOUT_MS
-    });
+    const { stdout } = await execFileAsync("ssh-keygen", ["-y", "-f", privateKeyFile], { encoding: "utf8" });
     return stdout.trim();
   } finally {
     // Ensure that files and the temporary directory are cleaned up
@@ -150,14 +143,7 @@ export const validateSshCertificatePrincipals = (
     }
 
     // restrict allowed characters to letters, digits, dot, underscore, and hyphen
-    if (
-      !characterValidator([
-        CharacterType.AlphaNumeric,
-        CharacterType.Period,
-        CharacterType.Underscore,
-        CharacterType.Hyphen
-      ])(sanitized)
-    ) {
+    if (!/^[A-Za-z0-9._-]+$/.test(sanitized)) {
       throw new BadRequestError({
         message: `Principal '${sanitized}' contains invalid characters. Allowed: alphanumeric, '.', '_', '-'.`
       });
@@ -280,8 +266,8 @@ export const validateSshCertificateTtl = (template: TSshCertificateTemplates, tt
  * that it only contains alphanumeric characters with no spaces.
  */
 export const validateSshCertificateKeyId = (keyId: string) => {
-  const regex = characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen]);
-  if (!regex(keyId)) {
+  const regex = /^[A-Za-z0-9-]+$/;
+  if (!regex.test(keyId)) {
     throw new BadRequestError({
       message:
         "Failed to validate Key ID because it can only contain alphanumeric characters and hyphens, with no spaces."
@@ -312,7 +298,7 @@ const validateSshPublicKey = async (publicKey: string) => {
 
   try {
     await fs.writeFile(pubKeyFile, publicKey, { mode: 0o600 });
-    await execFileAsync("ssh-keygen", ["-l", "-f", pubKeyFile], { timeout: EXEC_TIMEOUT_MS });
+    await execFileAsync("ssh-keygen", ["-l", "-f", pubKeyFile]);
   } catch (error) {
     throw new BadRequestError({
       message: "Failed to validate SSH public key format: could not be parsed."
@@ -377,7 +363,7 @@ export const createSshCert = async ({
     await fs.writeFile(privateKeyFile, caPrivateKey, { mode: 0o600 });
 
     // Execute the signing process
-    await execFileAsync("ssh-keygen", sshKeygenArgs, { encoding: "utf8", timeout: EXEC_TIMEOUT_MS });
+    await execFileAsync("ssh-keygen", sshKeygenArgs, { encoding: "utf8" });
 
     // Read the signed public key from the generated cert file
     const signedPublicKey = await fs.readFile(signedPublicKeyFile, "utf8");

backend/src/lib/axios/digest-auth.ts

@@ -28,8 +28,8 @@ export const createDigestAuthRequestInterceptor = (
       nc += 1;
       const nonceCount = nc.toString(16).padStart(8, "0");
       const cnonce = crypto.randomBytes(24).toString("hex");
-      const realm = authDetails.find((el) => el[0].toLowerCase().indexOf("realm") > -1)?.[1]?.replaceAll('"', "") || "";
-      const nonce = authDetails.find((el) => el[0].toLowerCase().indexOf("nonce") > -1)?.[1]?.replaceAll('"', "") || "";
+      const realm = authDetails.find((el) => el[0].toLowerCase().indexOf("realm") > -1)?.[1].replace(/"/g, "");
+      const nonce = authDetails.find((el) => el[0].toLowerCase().indexOf("nonce") > -1)?.[1].replace(/"/g, "");
       const ha1 = crypto.createHash("md5").update(`${username}:${realm}:${password}`).digest("hex");
       const path = opts.url;
 

backend/src/lib/base64/index.ts

@@ -1,35 +1,26 @@
-type Base64Options = {
-  urlSafe?: boolean;
-  padding?: boolean;
-};
-
-const base64WithPadding = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/;
-const base64WithoutPadding = /^[A-Za-z0-9+/]+$/;
-const base64UrlWithPadding = /^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/;
-const base64UrlWithoutPadding = /^[A-Za-z0-9_-]+$/;
-
-export const isBase64 = (str: string, options: Base64Options = {}): boolean => {
-  if (typeof str !== "string") {
-    throw new TypeError("Expected a string");
+// Credit: https://github.com/miguelmota/is-base64
+export const isBase64 = (
+  v: string,
+  opts = { allowEmpty: false, mimeRequired: false, allowMime: true, paddingRequired: false }
+) => {
+  if (opts.allowEmpty === false && v === "") {
+    return false;
   }
 
-  // Default padding to true unless urlSafe is true
-  const opts: Base64Options = {
-    urlSafe: false,
-    padding: options.urlSafe === undefined ? true : !options.urlSafe,
-    ...options
-  };
+  let regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+/]{3}=)?";
+  const mimeRegex = "(data:\\w+\\/[a-zA-Z\\+\\-\\.]+;base64,)";
 
-  if (str === "") return true;
-
-  let regex;
-  if (opts.urlSafe) {
-    regex = opts.padding ? base64UrlWithPadding : base64UrlWithoutPadding;
-  } else {
-    regex = opts.padding ? base64WithPadding : base64WithoutPadding;
+  if (opts.mimeRequired === true) {
+    regex = mimeRegex + regex;
+  } else if (opts.allowMime === true) {
+    regex = `${mimeRegex}?${regex}`;
   }
 
-  return (!opts.padding || str.length % 4 === 0) && regex.test(str);
+  if (opts.paddingRequired === false) {
+    regex = "(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}(==)?|[A-Za-z0-9+\\/]{3}=?)?";
+  }
+
+  return new RegExp(`^${regex}$`, "gi").test(v);
 };
 
 export const getBase64SizeInBytes = (base64String: string) => {

backend/src/lib/certificates/extract-certificate.test.ts

@@ -1,42 +0,0 @@
-import { extractX509CertFromChain } from "./extract-certificate";
-
-describe("Extract Certificate Payload", () => {
-  test("Single chain", () => {
-    const payload = `-----BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
------END CERTIFICATE-----`;
-    const result = extractX509CertFromChain(payload);
-    expect(result).toBeDefined();
-    expect(result?.length).toBe(1);
-    expect(result?.[0]).toEqual(payload);
-  });
-
-  test("Multiple chain", () => {
-    const payload = `-----BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
------END CERTIFICATE-----`;
-    const result = extractX509CertFromChain(payload);
-    expect(result).toBeDefined();
-    expect(result?.length).toBe(3);
-    expect(result).toEqual([
-      `-----BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEChMCUEgwHhcNMjQxMDI1MTU0MjAzWhcNMjUxMDI1MjE0MjAz
------END CERTIFICATE-----`,
-      `-----BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
------END CERTIFICATE-----`,
-      `-----BEGIN CERTIFICATE-----
-MIIEZzCCA0+gAwIBAgIUDk9+HZcMHppiNy0TvoBg8/aMEqIwDQYJKoZIhvcNAQEL
------END CERTIFICATE-----`
-    ]);
-  });
-});

backend/src/lib/certificates/extract-certificate.ts

@@ -1,51 +0,0 @@
-import { BadRequestError } from "../errors";
-
-export const extractX509CertFromChain = (certificateChain: string): string[] => {
-  if (!certificateChain) {
-    throw new BadRequestError({
-      message: "Certificate chain is empty or undefined"
-    });
-  }
-
-  const certificates: string[] = [];
-  let currentPosition = 0;
-  const chainLength = certificateChain.length;
-
-  while (currentPosition < chainLength) {
-    // Find the start of a certificate
-    const beginMarker = "-----BEGIN CERTIFICATE-----";
-    const startIndex = certificateChain.indexOf(beginMarker, currentPosition);
-
-    if (startIndex === -1) {
-      break; // No more certificates found
-    }
-
-    // Find the end of the certificate
-    const endMarker = "-----END CERTIFICATE-----";
-    const endIndex = certificateChain.indexOf(endMarker, startIndex);
-
-    if (endIndex === -1) {
-      throw new BadRequestError({
-        message: "Malformed certificate chain: Found BEGIN marker without matching END marker"
-      });
-    }
-
-    // Extract the complete certificate including markers
-    const completeEndIndex = endIndex + endMarker.length;
-    const certificate = certificateChain.substring(startIndex, completeEndIndex);
-
-    // Add the extracted certificate to our results
-    certificates.push(certificate);
-
-    // Move position to after this certificate
-    currentPosition = completeEndIndex;
-  }
-
-  if (certificates.length === 0) {
-    throw new BadRequestError({
-      message: "No valid certificates found in the chain"
-    });
-  }
-
-  return certificates;
-};

backend/src/lib/errors/index.ts

@@ -68,23 +68,6 @@ export class ForbiddenRequestError extends Error {
   }
 }
 
-export class PermissionBoundaryError extends ForbiddenRequestError {
-  constructor({
-    message,
-    name,
-    error,
-    details
-  }: {
-    message?: string;
-    name?: string;
-    error?: unknown;
-    details?: unknown;
-  }) {
-    super({ message, name, error, details });
-    this.name = "PermissionBoundaryError";
-  }
-}
-
 export class BadRequestError extends Error {
   name: string;
 

backend/src/lib/ip/index.ts

@@ -107,6 +107,12 @@ export const isValidIp = (ip: string) => {
   return net.isIPv4(ip) || net.isIPv6(ip);
 };
 
+export const isValidHostname = (name: string) => {
+  const hostnameRegex = /^(?!:\/\/)(\*\.)?([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
+
+  return hostnameRegex.test(name);
+};
+
 export type TIp = {
   ipAddress: string;
   type: IPType;

backend/src/lib/validator/validate-folder-name.ts

@@ -1,11 +1,5 @@
-import { CharacterType, characterValidator } from "./validate-string";
-
 // regex to allow only alphanumeric, dash, underscore
-export const isValidFolderName = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Hyphen,
-  CharacterType.Underscore
-]);
+export const isValidFolderName = (name: string) => /^[a-zA-Z0-9-_]+$/.test(name);
 
 export const isValidSecretPath = (path: string) =>
   path

backend/src/lib/validator/validate-string.test.ts

@@ -1,23 +0,0 @@
-import { CharacterType, characterValidator } from "./validate-string";
-
-describe("validate-string", () => {
-  test("Check alphabets", () => {
-    expect(characterValidator([CharacterType.Alphabets])("hello")).toBeTruthy();
-    expect(characterValidator([CharacterType.Alphabets])("hello world")).toBeFalsy();
-    expect(characterValidator([CharacterType.Alphabets, CharacterType.Spaces])("hello world")).toBeTruthy();
-  });
-
-  test("Check numbers", () => {
-    expect(characterValidator([CharacterType.Numbers])("1234567890")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric])("helloWORLD1234567890")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric])("helloWORLD1234567890-")).toBeFalsy();
-  });
-
-  test("Check special characters", () => {
-    expect(characterValidator([CharacterType.AlphaNumeric, CharacterType.Hyphen])("Hello-World")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric, CharacterType.Plus])("Hello+World")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric, CharacterType.Underscore])("Hello_World")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric, CharacterType.Colon])("Hello:World")).toBeTruthy();
-    expect(characterValidator([CharacterType.AlphaNumeric, CharacterType.Underscore])("Hello World")).toBeFalsy();
-  });
-});

backend/src/lib/validator/validate-string.ts

@@ -1,101 +0,0 @@
-export enum CharacterType {
-  Alphabets = "alphabets",
-  Numbers = "numbers",
-  AlphaNumeric = "alpha-numeric",
-  Spaces = "spaces",
-  SpecialCharacters = "specialCharacters",
-  Punctuation = "punctuation",
-  Period = "period", // .
-  Underscore = "underscore", // _
-  Colon = "colon", // :
-  ForwardSlash = "forwardSlash", // /
-  Equals = "equals", // =
-  Plus = "plus", // +
-  Hyphen = "hyphen", // -
-  At = "at", // @
-  // Additional individual characters that might be useful
-  Asterisk = "asterisk", // *
-  Ampersand = "ampersand", // &
-  Question = "question", // ?
-  Hash = "hash", // #
-  Percent = "percent", // %
-  Dollar = "dollar", // $
-  Caret = "caret", // ^
-  Backtick = "backtick", // `
-  Pipe = "pipe", // |
-  Backslash = "backslash", // \
-  OpenParen = "openParen", // (
-  CloseParen = "closeParen", // )
-  OpenBracket = "openBracket", // [
-  CloseBracket = "closeBracket", // ]
-  OpenBrace = "openBrace", // {
-  CloseBrace = "closeBrace", // }
-  LessThan = "lessThan", // <
-  GreaterThan = "greaterThan", // >
-  SingleQuote = "singleQuote", // '
-  DoubleQuote = "doubleQuote", // "
-  Comma = "comma", // ,
-  Semicolon = "semicolon", // ;
-  Exclamation = "exclamation" // !
-}
-
-/**
- * Validates if a string contains only specific types of characters
- */
-export const characterValidator = (allowedCharacters: CharacterType[]) => {
-  // Create a regex pattern based on allowed character types
-  const patternMap: Record<CharacterType, string> = {
-    [CharacterType.Alphabets]: "a-zA-Z",
-    [CharacterType.Numbers]: "0-9",
-    [CharacterType.AlphaNumeric]: "a-zA-Z0-9",
-    [CharacterType.Spaces]: "\\s",
-    [CharacterType.SpecialCharacters]: "!@#$%^&*()_+\\-=\\[\\]{}|;:'\",.<>/?\\\\",
-    [CharacterType.Punctuation]: "\\.\\,\\;\\:\\!\\?",
-    [CharacterType.Colon]: "\\:",
-    [CharacterType.ForwardSlash]: "\\/",
-    [CharacterType.Underscore]: "_",
-    [CharacterType.Hyphen]: "\\-",
-    [CharacterType.Period]: "\\.",
-    [CharacterType.Equals]: "=",
-    [CharacterType.Plus]: "\\+",
-    [CharacterType.At]: "@",
-    [CharacterType.Asterisk]: "\\*",
-    [CharacterType.Ampersand]: "&",
-    [CharacterType.Question]: "\\?",
-    [CharacterType.Hash]: "#",
-    [CharacterType.Percent]: "%",
-    [CharacterType.Dollar]: "\\$",
-    [CharacterType.Caret]: "\\^",
-    [CharacterType.Backtick]: "`",
-    [CharacterType.Pipe]: "\\|",
-    [CharacterType.Backslash]: "\\\\",
-    [CharacterType.OpenParen]: "\\(",
-    [CharacterType.CloseParen]: "\\)",
-    [CharacterType.OpenBracket]: "\\[",
-    [CharacterType.CloseBracket]: "\\]",
-    [CharacterType.OpenBrace]: "\\{",
-    [CharacterType.CloseBrace]: "\\}",
-    [CharacterType.LessThan]: "<",
-    [CharacterType.GreaterThan]: ">",
-    [CharacterType.SingleQuote]: "'",
-    [CharacterType.DoubleQuote]: '\\"',
-    [CharacterType.Comma]: ",",
-    [CharacterType.Semicolon]: ";",
-    [CharacterType.Exclamation]: "!"
-  };
-
-  // Combine patterns from allowed characters
-  const combinedPattern = allowedCharacters.map((char) => patternMap[char]).join("");
-
-  // Create a regex that matches only the allowed characters
-  const regex = new RegExp(`^[${combinedPattern}]+$`);
-
-  /**
-   * Validates if the input string contains only the allowed character types
-   * @param input String to validate
-   * @returns Boolean indicating if the string is valid
-   */
-  return function validate(input: string): boolean {
-    return regex.test(input);
-  };
-};

backend/src/lib/validator/validate-url.test.ts

@@ -1,15 +0,0 @@
-import { isFQDN } from "./validate-url";
-
-describe("isFQDN", () => {
-  test("Non wildcard", () => {
-    expect(isFQDN("www.example.com")).toBeTruthy();
-  });
-
-  test("Wildcard", () => {
-    expect(isFQDN("*.example.com", { allow_wildcard: true })).toBeTruthy();
-  });
-
-  test("Wildcard FQDN fails on option allow_wildcard false", () => {
-    expect(isFQDN("*.example.com")).toBeFalsy();
-  });
-});

backend/src/lib/validator/validate-url.ts

@@ -1,117 +1,18 @@
-import dns from "node:dns/promises";
-
-import { isIPv4 } from "net";
-
+import { getConfig } from "../config/env";
 import { BadRequestError } from "../errors";
-import { isPrivateIp } from "../ip/ipRange";
 
-export const blockLocalAndPrivateIpAddresses = async (url: string) => {
+export const blockLocalAndPrivateIpAddresses = (url: string) => {
   const validUrl = new URL(url);
-  const inputHostIps: string[] = [];
-  if (isIPv4(validUrl.host)) {
-    inputHostIps.push(validUrl.host);
-  } else {
-    if (validUrl.host === "localhost" || validUrl.host === "host.docker.internal") {
-      throw new BadRequestError({ message: "Local IPs not allowed as URL" });
-    }
-    const resolvedIps = await dns.resolve4(validUrl.host);
-    inputHostIps.push(...resolvedIps);
-  }
-  const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
-  if (isInternalIp) throw new BadRequestError({ message: "Local IPs not allowed as URL" });
-};
-
-type FQDNOptions = {
-  require_tld?: boolean;
-  allow_underscores?: boolean;
-  allow_trailing_dot?: boolean;
-  allow_numeric_tld?: boolean;
-  allow_wildcard?: boolean;
-  ignore_max_length?: boolean;
-};
-
-const defaultFqdnOptions: FQDNOptions = {
-  require_tld: true,
-  allow_underscores: false,
-  allow_trailing_dot: false,
-  allow_numeric_tld: false,
-  allow_wildcard: false,
-  ignore_max_length: false
-};
-
-// credits: https://github.com/validatorjs/validator.js/blob/f5da7fb6ed59b94695e6fcb2e970c80029509919/src/lib/isFQDN.js#L13
-export const isFQDN = (str: string, options: FQDNOptions = {}): boolean => {
-  if (typeof str !== "string") {
-    throw new TypeError("Expected a string");
-  }
-
-  // Apply default options
-  const opts: FQDNOptions = {
-    ...defaultFqdnOptions,
-    ...options
-  };
-
-  let testStr = str;
-  /* Remove the optional trailing dot before checking validity */
-  if (opts.allow_trailing_dot && str[str.length - 1] === ".") {
-    testStr = testStr.substring(0, str.length - 1);
-  }
-
-  /* Remove the optional wildcard before checking validity */
-  if (opts.allow_wildcard === true && str.indexOf("*.") === 0) {
-    testStr = testStr.substring(2);
-  }
-
-  const parts = testStr.split(".");
-  const tld = parts[parts.length - 1];
-
-  if (opts.require_tld) {
-    // disallow fqdns without tld
-    if (parts.length < 2) {
-      return false;
-    }
-
-    if (
-      !opts.allow_numeric_tld &&
-      !/^([a-z\u00A1-\u00A8\u00AA-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{2,}|xn[a-z0-9-]{2,})$/i.test(tld)
-    ) {
-      return false;
-    }
-
-    // disallow spaces
-    if (/\s/.test(tld)) {
-      return false;
-    }
-  }
-
-  // reject numeric TLDs
-  if (!opts.allow_numeric_tld && /^\d+$/.test(tld)) {
-    return false;
-  }
-
-  return parts.every((part) => {
-    if (part.length > 63 && !opts.ignore_max_length) {
-      return false;
-    }
-
-    if (!/^[a-z_\u00a1-\uffff0-9-]+$/i.test(part)) {
-      return false;
-    }
-
-    // disallow full-width chars
-    if (/[\uff01-\uff5e]/.test(part)) {
-      return false;
-    }
-
-    // disallow parts starting or ending with hyphen
-    if (/^-|-$/.test(part)) {
-      return false;
-    }
-
-    if (!opts.allow_underscores && /_/.test(part)) {
-      return false;
-    }
-
-    return true;
-  });
+  const appCfg = getConfig();
+  // on cloud local ips are not allowed
+  if (
+    appCfg.isCloud &&
+    (validUrl.host === "host.docker.internal" ||
+      validUrl.host.match(/^10\.\d+\.\d+\.\d+/) ||
+      validUrl.host.match(/^192\.168\.\d+\.\d+/))
+  )
+    throw new BadRequestError({ message: "Local IPs not allowed as URL" });
+
+  if (validUrl.host === "localhost" || validUrl.host === "127.0.0.1")
+    throw new BadRequestError({ message: "Localhost not allowed" });
 };

backend/src/server/lib/schemas.ts

@@ -1,8 +1,6 @@
 import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
-
 interface SlugSchemaInputs {
   min?: number;
   max?: number;
@@ -29,13 +27,4 @@ export const GenericResourceNameSchema = z
   .trim()
   .min(1, { message: "Name must be at least 1 character" })
   .max(64, { message: "Name must be 64 or fewer characters" })
-  .refine(
-    (val) =>
-      characterValidator([
-        CharacterType.AlphaNumeric,
-        CharacterType.Hyphen,
-        CharacterType.Underscore,
-        CharacterType.Spaces
-      ])(val),
-    "Name can only contain alphanumeric characters, dashes, underscores, and spaces"
-  );
+  .regex(/^[a-zA-Z0-9\-_\s]+$/, "Name can only contain alphanumeric characters, dashes, underscores, and spaces");

backend/src/server/plugins/error-handler.ts

@@ -13,7 +13,6 @@ import {
   InternalServerError,
   NotFoundError,
   OidcAuthError,
-  PermissionBoundaryError,
   RateLimitError,
   ScimRequestError,
   UnauthorizedError
@@ -118,7 +117,7 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
           conditions: el.conditions
         }))
       });
-    } else if (error instanceof ForbiddenRequestError || error instanceof PermissionBoundaryError) {
+    } else if (error instanceof ForbiddenRequestError) {
       void res.status(HttpStatusCodes.Forbidden).send({
         reqId: req.id,
         statusCode: HttpStatusCodes.Forbidden,

backend/src/server/routes/v1/certificate-authority-router.ts

@@ -6,6 +6,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
@@ -14,6 +15,7 @@ import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerCaRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -649,6 +651,16 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: ca.id,
+          commonName: req.body.commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate,
         certificateChain,
@@ -707,7 +719,7 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
+      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
         await server.services.certificateAuthority.signCertFromCa({
           isInternal: false,
           caId: req.params.caId,
@@ -731,6 +743,16 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: ca.id,
+          commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate: certificate.toString("pem"),
         certificateChain,

backend/src/server/routes/v1/certificate-router.ts

@@ -5,6 +5,7 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { CERTIFICATE_AUTHORITIES, CERTIFICATES } from "@app/lib/api-docs";
 import { ms } from "@app/lib/ms";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { CertExtendedKeyUsage, CertKeyUsage, CrlReason } from "@app/services/certificate/certificate-types";
@@ -12,6 +13,7 @@ import {
   validateAltNamesField,
   validateCaDateField
 } from "@app/services/certificate-authority/certificate-authority-validators";
+import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
 export const registerCertRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -150,6 +152,17 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.IssueCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: req.body.caId,
+          certificateTemplateId: req.body.certificateTemplateId,
+          commonName: req.body.commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate,
         certificateChain,
@@ -228,7 +241,7 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca } =
+      const { certificate, certificateChain, issuingCaCertificate, serialNumber, ca, commonName } =
         await server.services.certificateAuthority.signCertFromCa({
           isInternal: false,
           actor: req.permission.type,
@@ -251,6 +264,17 @@ export const registerCertRouter = async (server: FastifyZodProvider) => {
         }
       });
 
+      await server.services.telemetry.sendPostHogEvents({
+        event: PostHogEventTypes.SignCert,
+        distinctId: getTelemetryDistinctId(req),
+        properties: {
+          caId: req.body.caId,
+          certificateTemplateId: req.body.certificateTemplateId,
+          commonName,
+          ...req.auditLogInfo
+        }
+      });
+
       return {
         certificate: certificate.toString("pem"),
         certificateChain,

backend/src/server/routes/v1/identity-oidc-auth-router.ts

@@ -32,8 +32,6 @@ const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.pick({
   caCert: z.string()
 });
 
-const MAX_OIDC_CLAIM_SIZE = 32_768;
-
 export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -57,7 +55,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
       }
     },
     handler: async (req) => {
-      const { identityOidcAuth, accessToken, identityAccessToken, identityMembershipOrg, oidcTokenData } =
+      const { identityOidcAuth, accessToken, identityAccessToken, identityMembershipOrg } =
         await server.services.identityOidcAuth.login({
           identityId: req.body.identityId,
           jwt: req.body.jwt
@@ -71,11 +69,7 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
           metadata: {
             identityId: identityOidcAuth.identityId,
             identityAccessTokenId: identityAccessToken.id,
-            identityOidcAuthId: identityOidcAuth.id,
-            oidcClaimsReceived:
-              Buffer.from(JSON.stringify(oidcTokenData), "utf8").byteLength < MAX_OIDC_CLAIM_SIZE
-                ? oidcTokenData
-                : { payload: "Error: Payload exceeds 32KB, provided oidc claim not recorded in audit log." }
+            identityOidcAuthId: identityOidcAuth.id
           }
         }
       });

backend/src/server/routes/v1/organization-router.ts

@@ -4,6 +4,7 @@ import {
   AuditLogsSchema,
   GroupsSchema,
   IncidentContactsSchema,
+  OrganizationsSchema,
   OrgMembershipsSchema,
   OrgRolesSchema,
   UsersSchema
@@ -56,7 +57,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          organization: sanitizedOrganizationSchema
+          organization: OrganizationsSchema
         })
       }
     },
@@ -262,7 +263,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       response: {
         200: z.object({
           message: z.string(),
-          organization: sanitizedOrganizationSchema
+          organization: OrganizationsSchema
         })
       }
     },

backend/src/server/routes/v2/organization-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import {
+  OrganizationsSchema,
   OrgMembershipsSchema,
   ProjectMembershipsSchema,
   ProjectsSchema,
@@ -14,7 +15,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
-import { sanitizedOrganizationSchema } from "@app/services/org/org-schema";
 
 export const registerOrgRouter = async (server: FastifyZodProvider) => {
   server.route({
@@ -335,7 +335,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          organization: sanitizedOrganizationSchema
+          organization: OrganizationsSchema
         })
       }
     },
@@ -365,7 +365,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          organization: sanitizedOrganizationSchema,
+          organization: OrganizationsSchema,
           accessToken: z.string()
         })
       }
@@ -396,30 +396,4 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       return { organization, accessToken: tokens.accessToken };
     }
   });
-
-  server.route({
-    method: "POST",
-    url: "/privilege-system-upgrade",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          organization: sanitizedOrganizationSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const organization = await server.services.org.upgradePrivilegeSystem({
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        orgId: req.permission.orgId
-      });
-
-      return { organization };
-    }
-  });
 };

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -7,11 +7,9 @@ import { z } from "zod";
 import { ActionProjectType, ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -60,6 +58,7 @@ import {
   TSignIntermediateDTO,
   TUpdateCaDTO
 } from "./certificate-authority-types";
+import { hostnameRegex } from "./certificate-authority-validators";
 
 type TCertificateAuthorityServiceFactoryDep = {
   certificateAuthorityDAL: Pick<
@@ -1018,7 +1017,9 @@ export const certificateAuthorityServiceFactory = ({
     const maxPathLength = certObj.getExtension(x509.BasicConstraintsExtension)?.pathLength;
 
     // validate imported certificate and certificate chain
-    const certificates = extractX509CertFromChain(certificateChain)?.map((cert) => new x509.X509Certificate(cert));
+    const certificates = certificateChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => new x509.X509Certificate(cert));
 
     if (!certificates) throw new BadRequestError({ message: "Failed to parse certificate chain" });
 
@@ -1324,7 +1325,7 @@ export const certificateAuthorityServiceFactory = ({
           }
 
           // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
+          if (hostnameRegex.test(altName)) {
             return {
               type: "dns",
               value: altName
@@ -1701,7 +1702,7 @@ export const certificateAuthorityServiceFactory = ({
           }
 
           // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
+          if (hostnameRegex.test(altName)) {
             return {
               type: "dns",
               value: altName
@@ -1818,7 +1819,8 @@ export const certificateAuthorityServiceFactory = ({
       certificateChain: `${issuingCaCertificate}\n${caCertChain}`.trim(),
       issuingCaCertificate,
       serialNumber,
-      ca
+      ca,
+      commonName: cn
     };
   };
 

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { isValidIp } from "@app/lib/ip";
-import { isFQDN } from "@app/lib/validator/validate-url";
 
 const isValidDate = (dateString: string) => {
   const date = new Date(dateString);
@@ -10,6 +9,7 @@ const isValidDate = (dateString: string) => {
 
 export const validateCaDateField = z.string().trim().refine(isValidDate, { message: "Invalid date format" });
 
+export const hostnameRegex = /^(?!:\/\/)(\*\.)?([a-zA-Z0-9-_]{1,63}\.?)+(?!:\/\/)([a-zA-Z]{2,63})$/;
 export const validateAltNamesField = z
   .string()
   .trim()
@@ -27,7 +27,7 @@ export const validateAltNamesField = z
       if (data === "") return true;
       // Split and validate each alt name
       return data.split(", ").every((name) => {
-        return isFQDN(name, { allow_wildcard: true }) || z.string().email().safeParse(name).success || isValidIp(name);
+        return hostnameRegex.test(name) || z.string().email().safeParse(name).success || isValidIp(name);
       });
     },
     {

backend/src/services/certificate-template/certificate-template-fns.ts

@@ -11,7 +11,6 @@ export const validateCertificateDetailsAgainstTemplate = (
   },
   template: TCertificateTemplates
 ) => {
-  // these are validated in router using validateTemplateRegexField
   const commonNameRegex = new RegExp(template.commonName);
   if (!commonNameRegex.test(cert.commonName)) {
     throw new BadRequestError({

backend/src/services/certificate-template/certificate-template-service.ts

@@ -6,7 +6,6 @@ import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { extractX509CertFromChain } from "@app/lib/certificates/extract-certificate";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
@@ -282,7 +281,9 @@ export const certificateTemplateServiceFactory = ({
       });
 
       // validate CA chain
-      const certificates = extractX509CertFromChain(caChain)?.map((cert) => new x509.X509Certificate(cert));
+      const certificates = caChain
+        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+        ?.map((cert) => new x509.X509Certificate(cert));
 
       if (!certificates) {
         throw new BadRequestError({ message: "Failed to parse certificate chain" });
@@ -378,7 +379,9 @@ export const certificateTemplateServiceFactory = ({
     };
 
     if (caChain) {
-      const certificates = extractX509CertFromChain(caChain)?.map((cert) => new x509.X509Certificate(cert));
+      const certificates = caChain
+        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+        ?.map((cert) => new x509.X509Certificate(cert));
 
       if (!certificates) {
         throw new BadRequestError({ message: "Failed to parse certificate chain" });

backend/src/services/certificate-template/certificate-template-validators.ts

@@ -1,27 +1,13 @@
 import safe from "safe-regex";
 import z from "zod";
 
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
-
 export const validateTemplateRegexField = z
   .string()
   .min(1)
   .max(100)
-  .refine(
-    (val) =>
-      characterValidator([
-        CharacterType.AlphaNumeric,
-        CharacterType.Spaces, // (space)
-        CharacterType.Asterisk, // *
-        CharacterType.At, // @
-        CharacterType.Hyphen, // -
-        CharacterType.Period, // .
-        CharacterType.Backslash // \
-      ])(val),
-    {
-      message: "Invalid pattern: only alphanumeric characters, spaces, *, ., @, -, and \\ are allowed."
-    }
-  )
+  .regex(/^[a-zA-Z0-9 *@\-\\.\\]+$/, {
+    message: "Invalid pattern: only alphanumeric characters, spaces, *, ., @, -, and \\ are allowed."
+  })
   // we ensure that the inputted pattern is computationally safe by limiting star height to 1
   .refine((v) => safe(v), {
     message: "Unsafe REGEX pattern"

backend/src/services/group-project/group-project-service.ts

@@ -1,15 +1,12 @@
 import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionGroupActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
 import { isUuidV4 } from "@app/lib/validator";
@@ -73,7 +70,7 @@ export const groupProjectServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
     if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
@@ -81,7 +78,7 @@ export const groupProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Create, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);
 
     let group: TGroups | null = null;
     if (isUuidV4(groupIdOrName)) {
@@ -105,21 +102,11 @@ export const groupProjectServiceFactory = ({
         project.id
       );
 
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionGroupActions.GrantPrivileges,
-        ProjectPermissionSub.Groups,
-        permission,
-        rolePermission
-      );
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to assign group to role",
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionGroupActions.GrantPrivileges,
-            ProjectPermissionSub.Groups
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to assign group to a more privileged role",
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
     }
@@ -261,7 +248,7 @@ export const groupProjectServiceFactory = ({
 
     if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
 
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
@@ -269,7 +256,7 @@ export const groupProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Edit, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);
 
     const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
     if (!group) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });
@@ -282,21 +269,11 @@ export const groupProjectServiceFactory = ({
         requestedRoleChange,
         project.id
       );
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionGroupActions.GrantPrivileges,
-        ProjectPermissionSub.Groups,
-        permission,
-        rolePermission
-      );
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to assign group to role",
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionGroupActions.GrantPrivileges,
-            ProjectPermissionSub.Groups
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to assign group to a more privileged role",
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
     }
@@ -383,7 +360,7 @@ export const groupProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Delete, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
 
     const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
       const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
@@ -428,7 +405,7 @@ export const groupProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
 
     const groupMemberships = await groupProjectDAL.findByProjectId(project.id);
     return groupMemberships;
@@ -456,7 +433,7 @@ export const groupProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionGroupActions.Read, ProjectPermissionSub.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
 
     const [groupMembership] = await groupProjectDAL.findByProjectId(project.id, {
       groupId

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -5,14 +5,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -42,31 +39,6 @@ type TIdentityAwsAuthServiceFactoryDep = {
 
 export type TIdentityAwsAuthServiceFactory = ReturnType<typeof identityAwsAuthServiceFactory>;
 
-const awsRegionFromHeader = (authorizationHeader: string): string | null => {
-  // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
-  // The Authorization header takes the following form.
-  //  Authorization: AWS4-HMAC-SHA256
-  //	Credential=AKIAIOSFODNN7EXAMPLE/20230719/us-east-1/sts/aws4_request,
-  // 	SignedHeaders=content-length;content-type;host;x-amz-date,
-  //	Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
-  //
-  // The credential is in the form of "<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request"
-  try {
-    const fields = authorizationHeader.split(" ");
-    for (const field of fields) {
-      if (field.startsWith("Credential=")) {
-        const parts = field.split("/");
-        if (parts.length >= 3) {
-          return parts[2];
-        }
-      }
-    }
-  } catch {
-    return null;
-  }
-  return null;
-};
-
 export const identityAwsAuthServiceFactory = ({
   identityAccessTokenDAL,
   identityAwsAuthDAL,
@@ -85,9 +57,6 @@ export const identityAwsAuthServiceFactory = ({
     const headers: TAwsGetCallerIdentityHeaders = JSON.parse(Buffer.from(iamRequestHeaders, "base64").toString());
     const body: string = Buffer.from(iamRequestBody, "base64").toString();
 
-    const region = headers.Authorization ? awsRegionFromHeader(headers.Authorization) : null;
-    const url = region ? `https://sts.${region}.amazonaws.com` : identityAwsAuth.stsEndpoint;
-
     const {
       data: {
         GetCallerIdentityResponse: {
@@ -96,7 +65,7 @@ export const identityAwsAuthServiceFactory = ({
       }
     }: { data: TGetCallerIdentityResponse } = await axios({
       method: iamHttpRequestMethod,
-      url,
+      url: headers?.Host ? `https://${headers.Host}` : identityAwsAuth.stsEndpoint,
       headers,
       data: body
     });
@@ -124,8 +93,7 @@ export const identityAwsAuthServiceFactory = ({
         .some((principalArn) => {
           // convert wildcard ARN to a regular expression: "arn:aws:iam::123456789012:*" -> "^arn:aws:iam::123456789012:.*$"
           // considers exact matches + wildcard matches
-          // heavily validated in router
-          const regex = new RegExp(`^${principalArn.replaceAll("*", ".*")}$`);
+          const regex = new RegExp(`^${principalArn.replace(/\*/g, ".*")}$`);
           return regex.test(extractPrincipalArn(Arn));
         });
 
@@ -207,7 +175,7 @@ export const identityAwsAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -286,7 +254,7 @@ export const identityAwsAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -340,7 +308,7 @@ export const identityAwsAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
     return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
@@ -358,14 +326,14 @@ export const identityAwsAuthServiceFactory = ({
         message: "The identity does not have aws auth"
       });
     }
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -375,22 +343,11 @@ export const identityAwsAuthServiceFactory = ({
       actorOrgId
     );
 
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
-
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke aws auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke aws auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-aws-auth/identity-aws-auth-validators.ts

@@ -1,8 +1,6 @@
-import safe from "safe-regex";
 import { z } from "zod";
 
 const twelveDigitRegex = /^\d{12}$/;
-// akhilmhdh: change this to a normal function later. Checked no redosable at the moment
 const arnRegex = /^arn:aws:iam::\d{12}:(user\/[a-zA-Z0-9_.@+*/-]+|role\/[a-zA-Z0-9_.@+*/-]+|\*)$/;
 
 export const validateAccountIds = z
@@ -44,8 +42,7 @@ export const validatePrincipalArns = z
       // Split the string by commas to check each supposed ARN
       const arns = data.split(",");
       // Return true only if every item matches one of the allowed ARN formats
-      // and checks whether the provided regex is safe
-      return arns.map((el) => el.trim()).every((arn) => safe(`^${arn.replaceAll("*", ".*")}$`) && arnRegex.test(arn));
+      return arns.every((arn) => arnRegex.test(arn.trim()));
     },
     {
       message:

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -3,14 +3,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -150,7 +147,7 @@ export const identityAzureAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -228,7 +225,7 @@ export const identityAzureAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -284,7 +281,7 @@ export const identityAzureAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
   };
@@ -303,14 +300,14 @@ export const identityAzureAuthServiceFactory = ({
         message: "The identity does not have azure auth"
       });
     }
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -319,21 +316,11 @@ export const identityAzureAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke azure auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke azure auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -3,14 +3,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -191,7 +188,7 @@ export const identityGcpAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -271,7 +268,7 @@ export const identityGcpAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -329,7 +326,7 @@ export const identityGcpAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
   };
@@ -349,14 +346,14 @@ export const identityGcpAuthServiceFactory = ({
         message: "The identity does not have gcp auth"
       });
     }
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -365,21 +362,11 @@ export const identityGcpAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke gcp auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke gcp auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts

@@ -5,20 +5,11 @@ import { JwksClient } from "jwks-rsa";
 
 import { IdentityAuthMethod, TIdentityJwtAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import {
-  BadRequestError,
-  ForbiddenRequestError,
-  NotFoundError,
-  PermissionBoundaryError,
-  UnauthorizedError
-} from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { getStringValueByDot } from "@app/lib/template/dot-access";
 
@@ -287,7 +278,7 @@ export const identityJwtAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -390,7 +381,7 @@ export const identityJwtAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -479,7 +470,7 @@ export const identityJwtAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const identityJwtAuth = await identityJwtAuthDAL.findOne({ identityId });
 
@@ -513,7 +504,7 @@ export const identityJwtAuthServiceFactory = ({
       });
     }
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
@@ -521,7 +512,7 @@ export const identityJwtAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -531,21 +522,11 @@ export const identityJwtAuthServiceFactory = ({
       actorOrgId
     );
 
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke jwt auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke jwt auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -5,14 +5,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -260,7 +257,7 @@ export const identityKubernetesAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -353,7 +350,7 @@ export const identityKubernetesAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -449,7 +446,7 @@ export const identityKubernetesAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const { decryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.Organization,
@@ -486,14 +483,14 @@ export const identityKubernetesAuthServiceFactory = ({
         message: "The identity does not have kubernetes auth"
       });
     }
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -502,21 +499,11 @@ export const identityKubernetesAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke kubernetes auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke kubernetes auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -6,20 +6,11 @@ import { JwksClient } from "jwks-rsa";
 
 import { IdentityAuthMethod, TIdentityOidcAuthsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import {
-  BadRequestError,
-  ForbiddenRequestError,
-  NotFoundError,
-  PermissionBoundaryError,
-  UnauthorizedError
-} from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { getStringValueByDot } from "@app/lib/template/dot-access";
 
@@ -213,7 +204,7 @@ export const identityOidcAuthServiceFactory = ({
           }
     );
 
-    return { accessToken, identityOidcAuth, identityAccessToken, identityMembershipOrg, oidcTokenData: tokenData };
+    return { accessToken, identityOidcAuth, identityAccessToken, identityMembershipOrg };
   };
 
   const attachOidcAuth = async ({
@@ -258,7 +249,7 @@ export const identityOidcAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -350,7 +341,7 @@ export const identityOidcAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -423,7 +414,7 @@ export const identityOidcAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });
 
@@ -451,7 +442,7 @@ export const identityOidcAuthServiceFactory = ({
       });
     }
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
@@ -459,7 +450,7 @@ export const identityOidcAuthServiceFactory = ({
       actorOrgId
     );
 
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -469,22 +460,11 @@ export const identityOidcAuthServiceFactory = ({
       actorOrgId
     );
 
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
-
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke oidc auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke oidc auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 

backend/src/services/identity-project/identity-project-service.ts

@@ -1,16 +1,14 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
 import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionIdentityActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
 
+import { ActorType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
 import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
@@ -56,7 +54,7 @@ export const identityProjectServiceFactory = ({
     projectId,
     roles
   }: TCreateProjectIdentityDTO) => {
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
@@ -65,7 +63,7 @@ export const identityProjectServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Create,
+      ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Identity, {
         identityId
       })
@@ -93,21 +91,11 @@ export const identityProjectServiceFactory = ({
         projectId
       );
 
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionIdentityActions.GrantPrivileges,
-        ProjectPermissionSub.Identity,
-        permission,
-        rolePermission
-      );
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to assign to role",
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionIdentityActions.GrantPrivileges,
-            ProjectPermissionSub.Identity
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to assign to a more privileged role",
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
     }
@@ -174,7 +162,7 @@ export const identityProjectServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TUpdateProjectIdentityDTO) => {
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
@@ -183,7 +171,7 @@ export const identityProjectServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Edit,
+      ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
@@ -199,22 +187,11 @@ export const identityProjectServiceFactory = ({
         projectId
       );
 
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionIdentityActions.GrantPrivileges,
-        ProjectPermissionSub.Identity,
-        permission,
-        rolePermission
-      );
-
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to change role",
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionIdentityActions.GrantPrivileges,
-            ProjectPermissionSub.Identity
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to change to a more privileged role",
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
     }
@@ -294,10 +271,26 @@ export const identityProjectServiceFactory = ({
       actionProjectType: ActionProjectType.Any
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Delete,
+      ProjectPermissionActions.Delete,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
+      actor: ActorType.IDENTITY,
+      actorId: identityId,
+      projectId: identityProjectMembership.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.Any
+    });
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to remove more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+
     const [deletedIdentity] = await identityProjectDAL.delete({ identityId, projectId });
     return deletedIdentity;
   };
@@ -322,10 +315,7 @@ export const identityProjectServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
-      ProjectPermissionSub.Identity
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
 
     const identityMemberships = await identityProjectDAL.findByProjectId(projectId, {
       limit,
@@ -358,7 +348,7 @@ export const identityProjectServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionIdentityActions.Read,
+      ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 

backend/src/services/identity-token-auth/identity-token-auth-service.ts

@@ -3,14 +3,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -88,7 +85,7 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
@@ -164,7 +161,7 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
@@ -218,7 +215,7 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     return { ...identityTokenAuth, orgId: identityMembershipOrg.orgId };
   };
@@ -248,9 +245,9 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
-    const { permission: rolePermission, membership } = await permissionService.getOrgPermission(
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
       identityMembershipOrg.identityId,
       identityMembershipOrg.orgId,
@@ -258,21 +255,11 @@ export const identityTokenAuthServiceFactory = ({
       actorOrgId
     );
 
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke token auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke token auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -314,31 +301,20 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
-    const { permission: rolePermission, membership } = await permissionService.getOrgPermission(
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
       identityMembershipOrg.identityId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.CreateToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to create token for identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.CreateToken,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to create token for identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -407,7 +383,7 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const tokens = await identityAccessTokenDAL.find(
       {
@@ -453,30 +429,20 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
-    const { permission: rolePermission, membership } = await permissionService.getOrgPermission(
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
       identityMembershipOrg.identityId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.CreateToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to update token for identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.CreateToken,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update token for identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -530,7 +496,7 @@ export const identityTokenAuthServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const [revokedToken] = await identityAccessTokenDAL.update(
       {

backend/src/services/identity-ua/identity-ua-service.ts

@@ -6,14 +6,11 @@ import jwt from "jsonwebtoken";
 
 import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr, TIp } from "@app/lib/ip";
 
 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -187,7 +184,7 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedClientSecretTrustedIps = clientSecretTrustedIps.map((clientSecretTrustedIp) => {
@@ -281,7 +278,7 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
     const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
     const reformattedClientSecretTrustedIps = clientSecretTrustedIps?.map((clientSecretTrustedIp) => {
@@ -353,7 +350,7 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
     return { ...uaIdentityAuth, orgId: identityMembershipOrg.orgId };
   };
 
@@ -379,30 +376,20 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
 
-    const { permission: rolePermission, membership } = await permissionService.getOrgPermission(
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
       identityMembershipOrg.identityId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.RevokeAuth,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke universal auth of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.RevokeAuth,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke universal auth of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -432,14 +419,14 @@ export const identityUaServiceFactory = ({
       });
     }
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -448,21 +435,11 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.CreateToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to create client secret for identity.",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.CreateToken,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to create client secret for a more privileged identity.",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -471,7 +448,6 @@ export const identityUaServiceFactory = ({
     const clientSecretHash = await bcrypt.hash(clientSecret, appCfg.SALT_ROUNDS);
 
     const identityUaAuth = await identityUaDAL.findOne({ identityId: identityMembershipOrg.identityId });
-    if (!identityUaAuth) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
 
     const identityUaClientSecret = await identityUaClientSecretDAL.create({
       identityUAId: identityUaAuth.id,
@@ -505,14 +481,14 @@ export const identityUaServiceFactory = ({
         message: "The identity does not have universal auth"
       });
     }
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -522,21 +498,11 @@ export const identityUaServiceFactory = ({
       actorOrgId
     );
 
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.GetToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to get identity client secret with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.GetToken,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to get identity client secret with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -568,20 +534,14 @@ export const identityUaServiceFactory = ({
       });
     }
 
-    const identityUa = await identityUaDAL.findOne({ identityId });
-    if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-
-    const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
-    if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -590,24 +550,15 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.GetToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to read identity client secret of identity with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.GetToken,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to read identity client secret of identity with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
+    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
     return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
   };
 
@@ -628,20 +579,14 @@ export const identityUaServiceFactory = ({
       });
     }
 
-    const identityUa = await identityUaDAL.findOne({ identityId });
-    if (!identityUa) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-
-    const clientSecret = await identityUaClientSecretDAL.findOne({ id: clientSecretId, identityUAId: identityUa.id });
-    if (!clientSecret) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
-
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityMembershipOrg.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission } = await permissionService.getOrgPermission(
       ActorType.IDENTITY,
@@ -650,31 +595,18 @@ export const identityUaServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.DeleteToken,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
-    if (!permissionBoundary.isValid) {
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to revoke identity client secret with more privileged role",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.DeleteToken,
-          OrgPermissionSubjects.Identity
-        ),
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to revoke identity client secret with more privileged role",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
-    }
 
-    const updatedClientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
+    const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
       isClientSecretRevoked: true
     });
-
-    return { ...updatedClientSecret, identityId, orgId: identityMembershipOrg.orgId };
+    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
   };
 
   return {

backend/src/services/identity/identity-service.ts

@@ -2,15 +2,13 @@ import { ForbiddenError } from "@casl/ability";
 
 import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 
+import { ActorType } from "../auth/auth-type";
 import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityMetadataDALFactory } from "./identity-metadata-dal";
@@ -53,35 +51,19 @@ export const identityServiceFactory = ({
     actorOrgId,
     metadata
   }: TCreateIdentityDTO) => {
-    const { permission, membership } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      orgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
 
     const { permission: rolePermission, role: customRole } = await permissionService.getOrgPermissionByRole(
       role,
       orgId
     );
     const isCustomRole = Boolean(customRole);
-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionIdentityActions.GrantPrivileges,
-      OrgPermissionSubjects.Identity,
-      permission,
-      rolePermission
-    );
+    const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
     if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to create identity",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionIdentityActions.GrantPrivileges,
-          OrgPermissionSubjects.Identity
-        ),
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to create a more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
@@ -139,14 +121,29 @@ export const identityServiceFactory = ({
     const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
     if (!identityOrgMembership) throw new NotFoundError({ message: `Failed to find identity with id ${id}` });
 
-    const { permission, membership } = await permissionService.getOrgPermission(
+    const { permission } = await permissionService.getOrgPermission(
       actor,
       actorId,
       identityOrgMembership.orgId,
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: identityRolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      id,
+      identityOrgMembership.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to update a more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     let customRole: TOrgRoles | undefined;
     if (role) {
@@ -156,21 +153,11 @@ export const identityServiceFactory = ({
       );
 
       const isCustomRole = Boolean(customOrgRole);
-      const appliedRolePermissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        OrgPermissionIdentityActions.GrantPrivileges,
-        OrgPermissionSubjects.Identity,
-        permission,
-        rolePermission
-      );
+      const appliedRolePermissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!appliedRolePermissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            "Failed to update identity",
-            membership.shouldUseNewPrivilegeSystem,
-            OrgPermissionIdentityActions.GrantPrivileges,
-            OrgPermissionSubjects.Identity
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: "Failed to create a more privileged identity",
           details: { missingPermissions: appliedRolePermissionBoundary.missingPermissions }
         });
       if (isCustomRole) customRole = customOrgRole;
@@ -222,7 +209,7 @@ export const identityServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
     return identity;
   };
 
@@ -246,8 +233,21 @@ export const identityServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Identity);
+    const { permission: identityRolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      id,
+      identityOrgMembership.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const permissionBoundary = validatePermissionBoundary(permission, identityRolePermission);
+    if (!permissionBoundary.isValid)
+      throw new ForbiddenRequestError({
+        name: "PermissionBoundaryError",
+        message: "Failed to delete more privileged identity",
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
 
     const deletedIdentity = await identityDAL.deleteById(id);
 
@@ -269,7 +269,7 @@ export const identityServiceFactory = ({
     search
   }: TListOrgIdentitiesByOrgIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const identityMemberships = await identityOrgMembershipDAL.find({
       [`${TableName.IdentityOrgMembership}.orgId` as "orgId"]: orgId,
@@ -305,7 +305,7 @@ export const identityServiceFactory = ({
       actorAuthMethod,
       actorOrgId
     );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
 
     const identityMemberships = await identityProjectDAL.findByIdentityId(identityId);
     return identityMemberships;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -584,7 +584,7 @@ const syncSecretsAzureKeyVault = async ({
   }[] = [];
 
   Object.keys(secrets).forEach((key) => {
-    const hyphenatedKey = key.replaceAll("_", "-");
+    const hyphenatedKey = key.replace(/_/g, "-");
     if (!(hyphenatedKey in res)) {
       // case: secret has been created
       setSecrets.push({
@@ -603,7 +603,7 @@ const syncSecretsAzureKeyVault = async ({
   const deleteSecrets: AzureKeyVaultSecret[] = [];
 
   Object.keys(res).forEach((key) => {
-    const underscoredKey = key.replaceAll("-", "_");
+    const underscoredKey = key.replace(/-/g, "_");
     if (!(underscoredKey in secrets)) {
       deleteSecrets.push(res[key]);
     }
@@ -617,7 +617,7 @@ const syncSecretsAzureKeyVault = async ({
   if (!integration.lastUsed) {
     Object.keys(res).forEach((key) => {
       // first time using integration
-      const underscoredKey = key.replaceAll("-", "_");
+      const underscoredKey = key.replace(/-/g, "_");
 
       // -> apply initial sync behavior
       switch (metadata.initialSyncBehavior) {
@@ -3578,7 +3578,7 @@ const syncSecretsTeamCity = async ({
       .filter((parameter) => !parameter.inherited)
       .reduce(
         (obj, secret) => {
-          const secretName = secret.name.startsWith(".env") ? secret.name.slice(4) : secret.name;
+          const secretName = secret.name.replace(/^env\./, "");
           return {
             ...obj,
             [secretName]: secret.value
@@ -3595,10 +3595,7 @@ const syncSecretsTeamCity = async ({
           `${integrationAuth.url}/app/rest/buildTypes/${integration.targetEnvironmentId}/parameters`,
           {
             name: `env.${key}`,
-            value: secrets[key].value,
-            type: {
-              rawValue: "password display='hidden'"
-            }
+            value: secrets[key].value
           },
           {
             headers: {
@@ -3638,7 +3635,7 @@ const syncSecretsTeamCity = async ({
       )
     ).data.property.reduce(
       (obj, secret) => {
-        const secretName = secret.name.startsWith("env.") ? secret.name.slice(4) : secret.name;
+        const secretName = secret.name.replace(/^env\./, "");
         return {
           ...obj,
           [secretName]: secret.value
@@ -3655,10 +3652,7 @@ const syncSecretsTeamCity = async ({
           `${integrationAuth.url}/app/rest/projects/id:${integration.appId}/parameters`,
           {
             name: `env.${key}`,
-            value: secrets[key].value,
-            type: {
-              rawValue: "password display='hidden'"
-            }
+            value: secrets[key].value
           },
           {
             headers: {

backend/src/services/org/org-dal.ts

@@ -43,7 +43,7 @@ export const orgDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.Organization))
         .select(
           db.raw(`
-            CASE
+            CASE 
               WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.SAML}'
               WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.OIDC}'
               ELSE ''
@@ -80,7 +80,7 @@ export const orgDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.Organization))
         .select(
           db.raw(`
-            CASE
+            CASE 
               WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.SAML}'
               WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN '${OrgAuthMethod.OIDC}'
               ELSE ''
@@ -119,7 +119,7 @@ export const orgDALFactory = (db: TDbClient) => {
         .select(selectAllTableCols(TableName.Organization))
         .select(
           db.raw(`
-            CASE
+            CASE 
               WHEN ${TableName.SamlConfig}."orgId" IS NOT NULL THEN 'saml'
               WHEN ${TableName.OidcConfig}."orgId" IS NOT NULL THEN 'oidc'
               ELSE ''

backend/src/services/org/org-schema.ts

@@ -12,9 +12,5 @@ export const sanitizedOrganizationSchema = OrganizationsSchema.pick({
   kmsDefaultKeyId: true,
   defaultMembershipRole: true,
   enforceMfa: true,
-  selectedMfaMethod: true,
-  allowSecretSharingOutsideOrganization: true,
-  shouldUseNewPrivilegeSystem: true,
-  privilegeUpgradeInitiatedByUsername: true,
-  privilegeUpgradeInitiatedAt: true
+  selectedMfaMethod: true
 });

backend/src/services/org/org-service.ts

@@ -21,29 +21,18 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import {
   OrgPermissionActions,
-  OrgPermissionGroupActions,
   OrgPermissionSecretShareAction,
   OrgPermissionSubjects
 } from "@app/ee/services/permission/org-permission";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
 import { TSamlConfigDALFactory } from "@app/ee/services/saml-config/saml-config-dal";
 import { getConfig } from "@app/lib/config/env";
 import { generateAsymmetricKeyPair } from "@app/lib/crypto";
 import { generateSymmetricKey, infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { generateUserSrpKeys } from "@app/lib/crypto/srp";
-import {
-  BadRequestError,
-  ForbiddenRequestError,
-  NotFoundError,
-  PermissionBoundaryError,
-  UnauthorizedError
-} from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -87,7 +76,6 @@ import {
   TResendOrgMemberInvitationDTO,
   TUpdateOrgDTO,
   TUpdateOrgMembershipDTO,
-  TUpgradePrivilegeSystemDTO,
   TVerifyUserToOrgDTO
 } from "./org-types";
 
@@ -199,7 +187,7 @@ export const orgServiceFactory = ({
 
   const getOrgGroups = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TGetOrgGroupsDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionGroupActions.Read, OrgPermissionSubjects.Groups);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Groups);
     const groups = await groupDAL.findByOrgId(orgId);
     return groups;
   };
@@ -293,45 +281,6 @@ export const orgServiceFactory = ({
     };
   };
 
-  const upgradePrivilegeSystem = async ({
-    actorId,
-    actorOrgId,
-    actorAuthMethod,
-    orgId
-  }: TUpgradePrivilegeSystemDTO) => {
-    const { membership } = await permissionService.getUserOrgPermission(actorId, orgId, actorAuthMethod, actorOrgId);
-
-    if (membership.role !== OrgMembershipRole.Admin) {
-      throw new ForbiddenRequestError({
-        message: "Insufficient privileges - only the organization admin can upgrade the privilege system."
-      });
-    }
-
-    return orgDAL.transaction(async (tx) => {
-      const org = await orgDAL.findById(actorOrgId, tx);
-      if (org.shouldUseNewPrivilegeSystem) {
-        throw new BadRequestError({
-          message: "Privilege system already upgraded"
-        });
-      }
-
-      const user = await userDAL.findById(actorId, tx);
-      if (!user) {
-        throw new NotFoundError({ message: `User with ID '${actorId}' not found` });
-      }
-
-      return orgDAL.updateById(
-        actorOrgId,
-        {
-          shouldUseNewPrivilegeSystem: true,
-          privilegeUpgradeInitiatedAt: new Date(),
-          privilegeUpgradeInitiatedByUsername: user.username
-        },
-        tx
-      );
-    });
-  };
-
   /*
    * Update organization details
    * */
@@ -907,7 +856,7 @@ export const orgServiceFactory = ({
       // if there exist no project membership we set is as given by the request
       for await (const project of projectsToInvite) {
         const projectId = project.id;
-        const { permission: projectPermission, membership } = await permissionService.getProjectPermission({
+        const { permission: projectPermission } = await permissionService.getProjectPermission({
           actor,
           actorId,
           projectId,
@@ -916,7 +865,7 @@ export const orgServiceFactory = ({
           actionProjectType: ActionProjectType.Any
         });
         ForbiddenError.from(projectPermission).throwUnlessCan(
-          ProjectPermissionMemberActions.Create,
+          ProjectPermissionActions.Create,
           ProjectPermissionSub.Member
         );
         const existingMembers = await projectMembershipDAL.find(
@@ -939,34 +888,6 @@ export const orgServiceFactory = ({
           ProjectMembershipRole.Member
         ];
 
-        for await (const invitedRole of invitedProjectRoles) {
-          const { permission: rolePermission } = await permissionService.getProjectPermissionByRole(
-            invitedRole,
-            projectId
-          );
-
-          if (invitedRole !== ProjectMembershipRole.NoAccess) {
-            const permissionBoundary = validatePrivilegeChangeOperation(
-              membership.shouldUseNewPrivilegeSystem,
-              ProjectPermissionMemberActions.GrantPrivileges,
-              ProjectPermissionSub.Member,
-              projectPermission,
-              rolePermission
-            );
-
-            if (!permissionBoundary.isValid)
-              throw new PermissionBoundaryError({
-                message: constructPermissionErrorMessage(
-                  "Failed to invite user to the project",
-                  membership.shouldUseNewPrivilegeSystem,
-                  ProjectPermissionMemberActions.GrantPrivileges,
-                  ProjectPermissionSub.Member
-                ),
-                details: { missingPermissions: permissionBoundary.missingPermissions }
-              });
-          }
-        }
-
         const customProjectRoles = invitedProjectRoles.filter(
           (role) => !Object.values(ProjectMembershipRole).includes(role as ProjectMembershipRole)
         );
@@ -1100,9 +1021,9 @@ export const orgServiceFactory = ({
         const sanitizedProjectMembershipRoles: TProjectUserMembershipRolesInsert[] = [];
         invitedProjectRoles.forEach((projectRole) => {
           const isCustomRole = Boolean(customRolesGroupBySlug?.[projectRole]?.[0]);
-          projectMemberships.forEach((membershipEntry) => {
+          projectMemberships.forEach((membership) => {
             sanitizedProjectMembershipRoles.push({
-              projectMembershipId: membershipEntry.id,
+              projectMembershipId: membership.id,
               role: isCustomRole ? ProjectMembershipRole.Custom : projectRole,
               customRoleId: customRolesGroupBySlug[projectRole] ? customRolesGroupBySlug[projectRole][0].id : null
             });
@@ -1383,7 +1304,6 @@ export const orgServiceFactory = ({
     getOrgGroups,
     listProjectMembershipsByOrgMembershipId,
     findOrgBySlug,
-    resendOrgMemberInvitation,
-    upgradePrivilegeSystem
+    resendOrgMemberInvitation
   };
 };

backend/src/services/org/org-types.ts

@@ -76,8 +76,6 @@ export type TUpdateOrgDTO = {
   }>;
 } & TOrgPermission;
 
-export type TUpgradePrivilegeSystemDTO = Omit<TOrgPermission, "actor">;
-
 export type TGetOrgGroupsDTO = TOrgPermission;
 
 export type TListProjectMembershipsByOrgMembershipIdDTO = {

backend/src/services/project-key/project-key-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
 
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
@@ -40,7 +40,7 @@ export const projectKeyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const receiverMembership = await projectMembershipDAL.findOne({
       userId: receiverId,
@@ -89,7 +89,7 @@ export const projectKeyServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
     return projectKeyDAL.findAllProjectUserPubKeys(projectId);
   };
 

backend/src/services/project-membership/project-membership-service.ts

@@ -3,15 +3,12 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType, ProjectMembershipRole, ProjectVersion, TableName } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import {
-  constructPermissionErrorMessage,
-  validatePrivilegeChangeOperation
-} from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionMemberActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
+import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, ForbiddenRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { ms } from "@app/lib/ms";
 
@@ -89,7 +86,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
 
@@ -133,7 +130,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { username });
     if (!membership) throw new NotFoundError({ message: `Project membership not found for user '${username}'` });
@@ -156,7 +153,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const [membership] = await projectMembershipDAL.findAllProjectMembers(projectId, { id });
     if (!membership) throw new NotFoundError({ message: `Project membership not found for user ${id}` });
@@ -183,7 +180,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Create, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Member);
     const orgMembers = await orgDAL.findMembership({
       [`${TableName.OrgMembership}.orgId` as "orgId"]: project.orgId,
       $in: {
@@ -256,7 +253,7 @@ export const projectMembershipServiceFactory = ({
     membershipId,
     roles
   }: TUpdateProjectMembershipDTO) => {
-    const { permission, membership } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId,
@@ -264,7 +261,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Edit, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const membershipUser = await userDAL.findUserByProjectMembershipId(membershipId);
     if (membershipUser?.isGhost || membershipUser?.projectId !== projectId) {
@@ -277,21 +274,11 @@ export const projectMembershipServiceFactory = ({
         projectId
       );
 
-      const permissionBoundary = validatePrivilegeChangeOperation(
-        membership.shouldUseNewPrivilegeSystem,
-        ProjectPermissionMemberActions.GrantPrivileges,
-        ProjectPermissionSub.Member,
-        permission,
-        rolePermission
-      );
+      const permissionBoundary = validatePermissionBoundary(permission, rolePermission);
       if (!permissionBoundary.isValid)
-        throw new PermissionBoundaryError({
-          message: constructPermissionErrorMessage(
-            `Failed to change role ${requestedRoleChange}`,
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionMemberActions.GrantPrivileges,
-            ProjectPermissionSub.Member
-          ),
+        throw new ForbiddenRequestError({
+          name: "PermissionBoundaryError",
+          message: `Failed to change to a more privileged role ${requestedRoleChange}`,
           details: { missingPermissions: permissionBoundary.missingPermissions }
         });
     }
@@ -374,7 +361,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);
 
     const member = await userDAL.findUserByProjectMembershipId(membershipId);
 
@@ -410,7 +397,7 @@ export const projectMembershipServiceFactory = ({
       actorOrgId,
       actionProjectType: ActionProjectType.Any
     });
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionMemberActions.Delete, ProjectPermissionSub.Member);
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Member);
 
     const project = await projectDAL.findById(projectId);
 

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -7,16 +7,14 @@ import { groupBy, removeTrailingSlash } from "@app/lib/fn";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { isValidSecretPath } from "@app/lib/validator";
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { TFindFoldersDeepByParentIdsDTO } from "./secret-folder-types";
 
-export const validateFolderName = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Hyphen,
-  CharacterType.Underscore
-]);
+export const validateFolderName = (folderName: string) => {
+  const validNameRegex = /^[a-zA-Z0-9-_]+$/;
+  return validNameRegex.test(folderName);
+};
 
 const sqlFindMultipleFolderByEnvPathQuery = (db: Knex, query: Array<{ envId: string; secretPath: string }>) => {
   // this is removing an trailing slash like /folder1/folder2/ -> /folder1/folder2
@@ -190,9 +188,9 @@ const sqlFindSecretPathByFolderId = (db: Knex, projectId: string, folderIds: str
                 // the root folder check is used to avoid last / and also root name in folders
                 depth: db.raw("parent.depth + 1"),
                 path: db.raw(
-                  `CONCAT( CASE
-                  WHEN  ${TableName.SecretFolder}."parentId" is NULL THEN ''
-                  ELSE  CONCAT('/', secret_folders.name)
+                  `CONCAT( CASE 
+                  WHEN  ${TableName.SecretFolder}."parentId" is NULL THEN '' 
+                  ELSE  CONCAT('/', secret_folders.name) 
                 END, parent.path )`
                 ),
                 child: db.raw("COALESCE(parent.child, parent.id)"),
@@ -466,7 +464,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
                   db.raw("parents.depth + 1 as depth"),
                   db.raw(
                     `CONCAT(
-                        CASE WHEN parents.path = '/' THEN '' ELSE parents.path END,
+                        CASE WHEN parents.path = '/' THEN '' ELSE parents.path END, 
                         CASE WHEN  ${TableName.SecretFolder}."parentId" is NULL THEN '' ELSE CONCAT('/', secret_folders.name) END
                     )`
                   ),

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-schemas.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSyncs } from "@app/lib/api-docs";
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import {
@@ -11,25 +10,6 @@ import {
 } from "@app/services/secret-sync/secret-sync-schemas";
 import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
 
-const tagFieldCharacterValidator = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Spaces,
-  CharacterType.Period,
-  CharacterType.Underscore,
-  CharacterType.Colon,
-  CharacterType.ForwardSlash,
-  CharacterType.Equals,
-  CharacterType.Plus,
-  CharacterType.Hyphen,
-  CharacterType.At
-]);
-
-const pathCharacterValidator = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Underscore,
-  CharacterType.Hyphen
-]);
-
 const AwsParameterStoreSyncDestinationConfigSchema = z.object({
   region: z.nativeEnum(AWSRegion).describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.region),
   path: z
@@ -37,54 +17,35 @@ const AwsParameterStoreSyncDestinationConfigSchema = z.object({
     .trim()
     .min(1, "Parameter Store Path required")
     .max(2048, "Cannot exceed 2048 characters")
-    .refine(
-      (val) =>
-        val.startsWith("/") &&
-        val.endsWith("/") &&
-        val
-          .split("/")
-          .filter(Boolean)
-          .every((el) => pathCharacterValidator(el)),
-      'Invalid path - must follow "/example/path/" format'
-    )
+    .regex(/^\/([/]|(([\w-]+\/)+))?$/, 'Invalid path - must follow "/example/path/" format')
     .describe(SecretSyncs.DESTINATION_CONFIG.AWS_PARAMETER_STORE.path)
 });
 
 const AwsParameterStoreSyncOptionsSchema = z.object({
   keyId: z
     .string()
+    .regex(/^([a-zA-Z0-9:/_-]+)$/, "Invalid KMS Key ID")
     .min(1, "Invalid KMS Key ID")
     .max(256, "Invalid KMS Key ID")
-    .refine(
-      (val) =>
-        characterValidator([
-          CharacterType.AlphaNumeric,
-          CharacterType.Colon,
-          CharacterType.ForwardSlash,
-          CharacterType.Underscore,
-          CharacterType.Hyphen
-        ])(val),
-      "Invalid KMS Key ID"
-    )
     .optional()
     .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_PARAMETER_STORE.keyId),
   tags: z
     .object({
       key: z
         .string()
-        .min(1, "Resource tag key required")
-        .max(128, "Resource tag key cannot exceed 128 characters")
-        .refine(
-          (val) => tagFieldCharacterValidator(val),
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
           "Invalid resource tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-        ),
+        )
+        .min(1, "Resource tag key required")
+        .max(128, "Resource tag key cannot exceed 128 characters"),
       value: z
         .string()
-        .max(256, "Resource tag value cannot exceed 256 characters")
-        .refine(
-          (val) => tagFieldCharacterValidator(val),
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
           "Invalid resource tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
         )
+        .max(256, "Resource tag value cannot exceed 256 characters")
     })
     .array()
     .max(50)

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-schemas.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSyncs } from "@app/lib/api-docs";
-import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { AppConnection, AWSRegion } from "@app/services/app-connection/app-connection-enums";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-enums";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
@@ -25,23 +24,12 @@ const AwsSecretsManagerSyncDestinationConfigSchema = z
         .describe(SecretSyncs.DESTINATION_CONFIG.AWS_SECRETS_MANAGER.mappingBehavior),
       secretName: z
         .string()
-
-        .min(1, "Secret name is required")
-        .max(256, "Secret name cannot exceed 256 characters")
-        .refine(
-          (val) =>
-            characterValidator([
-              CharacterType.AlphaNumeric,
-              CharacterType.ForwardSlash,
-              CharacterType.Underscore,
-              CharacterType.Plus,
-              CharacterType.Equals,
-              CharacterType.Period,
-              CharacterType.At,
-              CharacterType.Hyphen
-            ])(val),
+        .regex(
+          /^[a-zA-Z0-9/_+=.@-]+$/,
           "Secret name must contain only alphanumeric characters and the characters /_+=.@-"
         )
+        .min(1, "Secret name is required")
+        .max(256, "Secret name cannot exceed 256 characters")
         .describe(SecretSyncs.DESTINATION_CONFIG.AWS_SECRETS_MANAGER.secretName)
     })
   ])
@@ -51,54 +39,31 @@ const AwsSecretsManagerSyncDestinationConfigSchema = z
     })
   );
 
-const tagFieldCharacterValidator = characterValidator([
-  CharacterType.AlphaNumeric,
-  CharacterType.Spaces,
-  CharacterType.Period,
-  CharacterType.Underscore,
-  CharacterType.Colon,
-  CharacterType.ForwardSlash,
-  CharacterType.Equals,
-  CharacterType.Plus,
-  CharacterType.Hyphen,
-  CharacterType.At
-]);
-
 const AwsSecretsManagerSyncOptionsSchema = z.object({
   keyId: z
     .string()
+    .regex(/^([a-zA-Z0-9:/_-]+)$/, "Invalid KMS Key ID")
     .min(1, "Invalid KMS Key ID")
     .max(256, "Invalid KMS Key ID")
-    .refine(
-      (val) =>
-        characterValidator([
-          CharacterType.AlphaNumeric,
-          CharacterType.Colon,
-          CharacterType.ForwardSlash,
-          CharacterType.Underscore,
-          CharacterType.Hyphen
-        ])(val),
-      "Invalid KMS Key ID"
-    )
     .optional()
     .describe(SecretSyncs.ADDITIONAL_SYNC_OPTIONS.AWS_SECRETS_MANAGER.keyId),
   tags: z
     .object({
       key: z
         .string()
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        )
         .min(1, "Tag key required")
-        .max(128, "Tag key cannot exceed 128 characters")
-        .refine(
-          (val) => tagFieldCharacterValidator(val),
-          "Invalid resource tag key: keys can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
-        ),
+        .max(128, "Tag key cannot exceed 128 characters"),
       value: z
         .string()
-        .max(256, "Tag value cannot exceed 256 characters")
-        .refine(
-          (val) => tagFieldCharacterValidator(val),
-          "Invalid resource tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
+        .regex(
+          /^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$/u,
+          "Invalid tag value: tag values can only contain Unicode letters, digits, white space and any of the following: _.:/=+@-"
         )
+        .max(256, "Tag value cannot exceed 256 characters")
     })
     .array()
     .max(50)

backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts

@@ -100,7 +100,7 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
     const deleteSecrets: string[] = [];
 
     Object.keys(secretMap).forEach((infisicalKey) => {
-      const hyphenatedKey = infisicalKey.replaceAll("_", "-");
+      const hyphenatedKey = infisicalKey.replace(/_/g, "-");
       if (!(hyphenatedKey in vaultSecrets)) {
         // case: secret has been created
         setSecrets.push({
@@ -117,7 +117,7 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
     });
 
     Object.keys(vaultSecrets).forEach((key) => {
-      const underscoredKey = key.replaceAll("-", "_");
+      const underscoredKey = key.replace(/-/g, "_");
       if (!(underscoredKey in secretMap)) {
         deleteSecrets.push(key);
       }
@@ -211,7 +211,7 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
     );
 
     for await (const [key] of Object.entries(vaultSecrets)) {
-      const underscoredKey = key.replaceAll("-", "_");
+      const underscoredKey = key.replace(/-/g, "_");
 
       if (underscoredKey in secretMap) {
         if (!disabledAzureKeyVaultSecretKeys.includes(underscoredKey)) {
@@ -237,7 +237,7 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
 
     Object.keys(vaultSecrets).forEach((key) => {
       if (!disabledAzureKeyVaultSecretKeys.includes(key)) {
-        const underscoredKey = key.replaceAll("-", "_");
+        const underscoredKey = key.replace(/-/g, "_");
         secretMap[underscoredKey] = {
           value: vaultSecrets[key].value
         };

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -463,7 +463,7 @@ export const recursivelyGetSecretPaths = async ({
 const formatMultiValueEnv = (val?: string) => {
   if (!val) return "";
   if (!val.match("\n")) return val;
-  return `"${val.replaceAll("\n", "\\n")}"`;
+  return `"${val.replace(/\n/g, "\\n")}"`;
 };
 
 type TSecretReferenceTraceNode = {

backend/src/services/secret/secret-fns.ts

@@ -207,7 +207,7 @@ export const recursivelyGetSecretPaths = ({
 const formatMultiValueEnv = (val?: string) => {
   if (!val) return "";
   if (!val.match("\n")) return val;
-  return `"${val.replaceAll("\n", "\\n")}"`;
+  return `"${val.replace(/\n/g, "\\n")}"`;
 };
 
 type TInterpolateSecretArg = {
@@ -218,7 +218,7 @@ type TInterpolateSecretArg = {
 };
 
 const MAX_SECRET_REFERENCE_DEPTH = 5;
-const INTERPOLATION_SYNTAX_REG = /\${([a-zA-Z0-9-_.]+)}/g;
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
 export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderDAL }: TInterpolateSecretArg) => {
   const secretCache: Record<string, Record<string, string>> = {};
   const getCacheUniqueKey = (environment: string, secretPath: string) => `${environment}-${secretPath}`;

backend/src/services/telemetry/telemetry-types.ts

@@ -17,7 +17,9 @@ export enum PostHogEventTypes {
   SecretRequestCreated = "Secret Request Created",
   SecretRequestDeleted = "Secret Request Deleted",
   SignSshKey = "Sign SSH Key",
-  IssueSshCreds = "Issue SSH Credentials"
+  IssueSshCreds = "Issue SSH Credentials",
+  SignCert = "Sign PKI Certificate",
+  IssueCert = "Issue PKI Certificate"
 }
 
 export type TSecretModifiedEvent = {
@@ -159,6 +161,26 @@ export type TIssueSshCredsEvent = {
   };
 };
 
+export type TSignCertificateEvent = {
+  event: PostHogEventTypes.SignCert;
+  properties: {
+    caId?: string;
+    certificateTemplateId?: string;
+    commonName: string;
+    userAgent?: string;
+  };
+};
+
+export type TIssueCertificateEvent = {
+  event: PostHogEventTypes.IssueCert;
+  properties: {
+    caId?: string;
+    certificateTemplateId?: string;
+    commonName: string;
+    userAgent?: string;
+  };
+};
+
 export type TPostHogEvent = { distinctId: string } & (
   | TSecretModifiedEvent
   | TAdminInitEvent
@@ -173,4 +195,6 @@ export type TPostHogEvent = { distinctId: string } & (
   | TSecretRequestDeletedEvent
   | TSignSshKeyEvent
   | TIssueSshCredsEvent
+  | TSignCertificateEvent
+  | TIssueCertificateEvent
 );

cli/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.5.1
+	github.com/infisical/go-sdk v0.4.8
 	github.com/infisical/infisical-kmip v0.3.5
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
@@ -34,7 +34,6 @@ require (
 	golang.org/x/sys v0.31.0
 	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -126,6 +125,7 @@ require (
 	google.golang.org/grpc v1.64.1 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (

cli/go.sum

@@ -277,8 +277,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.5.1 h1:bl0D4A6CmvfL8RwEQTcZh39nsxC6q3HSs76/4J8grWY=
-github.com/infisical/go-sdk v0.5.1/go.mod h1:ExjqFLRz7LSpZpGluqDLvFl6dFBLq5LKyLW7GBaMAIs=
+github.com/infisical/go-sdk v0.4.8 h1:aphRnaauC5//PkP1ZbY9RSK2RiT1LjPS5o4CbX0x5OQ=
+github.com/infisical/go-sdk v0.4.8/go.mod h1:bMO9xSaBeXkDBhTIM4FkkREAfw2V8mv5Bm7lvo4+uDk=
 github.com/infisical/infisical-kmip v0.3.5 h1:QM3s0e18B+mYv3a9HQNjNAlbwZJBzXq5BAJM2scIeiE=
 github.com/infisical/infisical-kmip v0.3.5/go.mod h1:bO1M4YtKyutNg1bREPmlyZspC5duSR7hyQ3lPmLzrIs=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
@@ -858,4 +858,4 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

cli/packages/cmd/agent.go

@@ -29,6 +29,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -513,10 +514,7 @@ type NewAgentMangerOptions struct {
 }
 
 func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
+
 	return &AgentManager{
 		filePaths: options.FileDeposits,
 		templates: options.Templates,
@@ -531,7 +529,6 @@ func NewAgentManager(options NewAgentMangerOptions) *AgentManager {
 			SiteUrl:          config.INFISICAL_URL,
 			UserAgent:        api.USER_AGENT, // ? Should we perhaps use a different user agent for the Agent for better analytics?
 			AutoTokenRefresh: false,
-			CustomHeaders:    customHeaders,
 		}),
 	}
 
@@ -719,11 +716,7 @@ func (tm *AgentManager) FetchNewAccessToken() error {
 
 // Refreshes the existing access token
 func (tm *AgentManager) RefreshAccessToken() error {
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)

cli/packages/cmd/bootstrap.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@@ -69,12 +70,8 @@ var bootstrapCmd = &cobra.Command{
 			return
 		}
 
-		httpClient, err := util.GetRestyClientWithCustomHeaders()
-		if err != nil {
-			log.Error().Msgf("Failed to get resty client with custom headers: %v", err)
-			return
-		}
-		httpClient.SetHeader("Accept", "application/json")
+		httpClient := resty.New().
+			SetHeader("Accept", "application/json")
 
 		bootstrapResponse, err := api.CallBootstrapInstance(httpClient, api.BootstrapInstanceRequest{
 			Domain:       util.AppendAPIEndpoint(domain),

cli/packages/cmd/dynamic_secrets.go

@@ -14,6 +14,7 @@ import (
 	// "github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	// "github.com/Infisical/infisical-merge/packages/visualize"
+	"github.com/go-resty/resty/v2"
 	"github.com/posthog/posthog-go"
 	"github.com/spf13/cobra"
 
@@ -55,10 +56,7 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -87,16 +85,10 @@ func getDynamicSecretList(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -172,10 +164,7 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -204,16 +193,10 @@ func createDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -303,10 +286,7 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -335,16 +315,10 @@ func renewDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -410,10 +384,7 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -442,16 +413,10 @@ func revokeDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -516,10 +481,7 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 	}
 
 	var infisicalToken string
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 
 	if projectId == "" {
 		workspaceFile, err := util.GetWorkSpaceFromFile()
@@ -548,16 +510,10 @@ func listDynamicSecretLeaseByName(cmd *cobra.Command, args []string) {
 
 	httpClient.SetAuthToken(infisicalToken)
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 

cli/packages/cmd/init.go

@@ -10,6 +10,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/go-resty/resty/v2"
 	"github.com/manifoldco/promptui"
 	"github.com/posthog/posthog-go"
 	"github.com/rs/zerolog/log"
@@ -49,10 +50,7 @@ var initCmd = &cobra.Command{
 			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 		}
 
-		httpClient, err := util.GetRestyClientWithCustomHeaders()
-		if err != nil {
-			util.HandleError(err, "Unable to get resty client with custom headers")
-		}
+		httpClient := resty.New()
 		httpClient.SetAuthToken(userCreds.UserCredentials.JTWToken)
 
 		organizationResponse, err := api.CallGetAllOrganizations(httpClient)
@@ -83,10 +81,7 @@ var initCmd = &cobra.Command{
 			for i < 6 {
 				mfaVerifyCode := askForMFACode(tokenResponse.MfaMethod)
 
-				httpClient, err := util.GetRestyClientWithCustomHeaders()
-				if err != nil {
-					util.HandleError(err, "Unable to get resty client with custom headers")
-				}
+				httpClient := resty.New()
 				httpClient.SetAuthToken(tokenResponse.Token)
 				verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 					Email:     userCreds.UserCredentials.Email,

cli/packages/cmd/login.go

@@ -27,6 +27,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/srp"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/fatih/color"
+	"github.com/go-resty/resty/v2"
 	"github.com/manifoldco/promptui"
 	"github.com/posthog/posthog-go"
 	"github.com/rs/cors"
@@ -177,16 +178,10 @@ var loginCmd = &cobra.Command{
 			return
 		}
 
-		customHeaders, err := util.GetInfisicalCustomHeadersMap()
-		if err != nil {
-			util.HandleError(err, "Unable to get custom headers")
-		}
-
 		infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 			SiteUrl:          config.INFISICAL_URL,
 			UserAgent:        api.USER_AGENT,
 			AutoTokenRefresh: false,
-			CustomHeaders:    customHeaders,
 		})
 
 		loginMethod, err := cmd.Flags().GetString("method")
@@ -364,10 +359,7 @@ func cliDefaultLogin(userCredentialsToBeStored *models.UserCredentials) {
 		for i < 6 {
 			mfaVerifyCode := askForMFACode("email")
 
-			httpClient, err := util.GetRestyClientWithCustomHeaders()
-			if err != nil {
-				util.HandleError(err, "Unable to get resty client with custom headers")
-			}
+			httpClient := resty.New()
 			httpClient.SetAuthToken(loginTwoResponse.Token)
 			verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 				Email:    email,
@@ -734,10 +726,7 @@ func askForLoginCredentials() (email string, password string, err error) {
 
 func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2Response, *api.GetLoginTwoV2Response, error) {
 	log.Debug().Msg(fmt.Sprint("getFreshUserCredentials: ", "email", email, "password: ", password))
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, nil, err
-	}
+	httpClient := resty.New()
 	httpClient.SetRetryCount(5)
 
 	params := srp.GetParams(4096)
@@ -787,10 +776,7 @@ func getFreshUserCredentials(email string, password string) (*api.GetLoginOneV2R
 func GetJwtTokenWithOrganizationId(oldJwtToken string, email string) string {
 	log.Debug().Msg(fmt.Sprint("GetJwtTokenWithOrganizationId: ", "oldJwtToken", oldJwtToken))
 
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		util.HandleError(err, "Unable to get resty client with custom headers")
-	}
+	httpClient := resty.New()
 	httpClient.SetAuthToken(oldJwtToken)
 
 	organizationResponse, err := api.CallGetAllOrganizations(httpClient)
@@ -825,10 +811,7 @@ func GetJwtTokenWithOrganizationId(oldJwtToken string, email string) string {
 		for i < 6 {
 			mfaVerifyCode := askForMFACode(selectedOrgRes.MfaMethod)
 
-			httpClient, err := util.GetRestyClientWithCustomHeaders()
-			if err != nil {
-				util.HandleError(err, "Unable to get resty client with custom headers")
-			}
+			httpClient := resty.New()
 			httpClient.SetAuthToken(selectedOrgRes.Token)
 			verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
 				Email:     email,
@@ -930,14 +913,7 @@ func askToPasteJwtToken(success chan models.UserCredentials, failure chan error)
 	}
 
 	// verify JTW
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		failure <- err
-		fmt.Println("Error getting resty client with custom headers", err)
-		os.Exit(1)
-	}
-
-	httpClient.
+	httpClient := resty.New().
 		SetAuthToken(userCredentials.JTWToken).
 		SetHeader("Accept", "application/json")
 

cli/packages/cmd/secrets.go

@@ -5,7 +5,6 @@ package cmd
 
 import (
 	"fmt"
-	"os"
 	"regexp"
 	"sort"
 	"strings"
@@ -14,6 +13,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/models"
 	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/Infisical/infisical-merge/packages/visualize"
+	"github.com/go-resty/resty/v2"
 	"github.com/posthog/posthog-go"
 	"github.com/spf13/cobra"
 )
@@ -139,7 +139,7 @@ var secretsGenerateExampleEnvCmd = &cobra.Command{
 }
 
 var secretsSetCmd = &cobra.Command{
-	Example:               `secrets set <secretName=secretValue> <secretName=secretValue> <secretName=@/path/to/file>..."`,
+	Example:               `secrets set <secretName=secretValue> <secretName=secretValue>..."`,
 	Short:                 "Used set secrets",
 	Use:                   "set [secrets]",
 	DisableFlagsInUseLine: true,
@@ -185,30 +185,6 @@ var secretsSetCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse secret type")
 		}
 
-		processedArgs := []string{}
-		for _, arg := range args {
-			splitKeyValue := strings.SplitN(arg, "=", 2)
-			if len(splitKeyValue) != 2 {
-				util.HandleError(fmt.Errorf("invalid argument format: %s. Expected format: key=value or key=@filepath", arg), "")
-			}
-
-			key := splitKeyValue[0]
-			value := splitKeyValue[1]
-
-			if strings.HasPrefix(value, "\\@") {
-				value = "@" + value[2:]
-			} else if strings.HasPrefix(value, "@") {
-				filePath := strings.TrimPrefix(value, "@")
-				content, err := os.ReadFile(filePath)
-				if err != nil {
-					util.HandleError(err, fmt.Sprintf("Unable to read file %s", filePath))
-				}
-				value = string(content)
-			}
-
-			processedArgs = append(processedArgs, fmt.Sprintf("%s=%s", key, value))
-		}
-
 		file, err := cmd.Flags().GetString("file")
 		if err != nil {
 			util.HandleError(err, "Unable to parse flag")
@@ -240,7 +216,7 @@ var secretsSetCmd = &cobra.Command{
 				util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 			}
 
-			secretOperations, err = util.SetRawSecrets(processedArgs, secretType, environmentName, secretsPath, projectId, &models.TokenDetails{
+			secretOperations, err = util.SetRawSecrets(args, secretType, environmentName, secretsPath, projectId, &models.TokenDetails{
 				Type:  "",
 				Token: loggedInUserDetails.UserCredentials.JTWToken,
 			}, file)
@@ -298,12 +274,8 @@ var secretsDeleteCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}
 
-		httpClient, err := util.GetRestyClientWithCustomHeaders()
-		if err != nil {
-			util.HandleError(err, "Unable to get resty client with custom headers")
-		}
-
-		httpClient.SetHeader("Accept", "application/json")
+		httpClient := resty.New().
+			SetHeader("Accept", "application/json")
 
 		if projectId == "" {
 			workspaceFile, err := util.GetWorkSpaceFromFile()

cli/packages/cmd/ssh.go

@@ -315,16 +315,10 @@ func issueCredentials(cmd *cobra.Command, args []string) {
 		}
 	}
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 
@@ -561,16 +555,10 @@ func signKey(cmd *cobra.Command, args []string) {
 		signedKeyPath = outFilePath
 	}
 
-	customHeaders, err := util.GetInfisicalCustomHeadersMap()
-	if err != nil {
-		util.HandleError(err, "Unable to get custom headers")
-	}
-
 	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
 		SiteUrl:          config.INFISICAL_URL,
 		UserAgent:        api.USER_AGENT,
 		AutoTokenRefresh: false,
-		CustomHeaders:    customHeaders,
 	})
 	infisicalClient.Auth().SetAccessToken(infisicalToken)
 

cli/packages/cmd/tokens.go

@@ -13,6 +13,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/crypto"
 	"github.com/Infisical/infisical-merge/packages/util"
+	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -135,11 +136,7 @@ var tokensCreateCmd = &cobra.Command{
 		}
 
 		// make a call to the api to save the encrypted symmetric key details
-		httpClient, err := util.GetRestyClientWithCustomHeaders()
-		if err != nil {
-			util.HandleError(err, "Unable to get resty client with custom headers")
-		}
-
+		httpClient := resty.New()
 		httpClient.SetAuthToken(loggedInUserDetails.UserCredentials.JTWToken).
 			SetHeader("Accept", "application/json")
 

cli/packages/gateway/gateway.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/systemd"
-	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/go-resty/resty/v2"
 	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
@@ -41,11 +40,7 @@ type Gateway struct {
 }
 
 func NewGateway(identityToken string) (Gateway, error) {
-	httpClient, err := util.GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return Gateway{}, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(identityToken)
 
 	return Gateway{

cli/packages/util/common.go

@@ -4,11 +4,8 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"strings"
-	"unicode"
 
 	"github.com/Infisical/infisical-merge/packages/config"
-	"github.com/go-resty/resty/v2"
 )
 
 func GetHomeDir() (string, error) {
@@ -30,88 +27,3 @@ func ValidateInfisicalAPIConnection() (ok bool) {
 	_, err := http.Get(fmt.Sprintf("%v/status", config.INFISICAL_URL))
 	return err == nil
 }
-
-func GetRestyClientWithCustomHeaders() (*resty.Client, error) {
-	httpClient := resty.New()
-	customHeaders := os.Getenv("INFISICAL_CUSTOM_HEADERS")
-	if customHeaders != "" {
-		headers, err := GetInfisicalCustomHeadersMap()
-		if err != nil {
-			return nil, err
-		}
-
-		httpClient.SetHeaders(headers)
-	}
-	return httpClient, nil
-}
-
-func GetInfisicalCustomHeadersMap() (map[string]string, error) {
-	customHeaders := os.Getenv("INFISICAL_CUSTOM_HEADERS")
-	if customHeaders == "" {
-		return nil, nil
-	}
-
-	headers := map[string]string{}
-
-	pos := 0
-	for pos < len(customHeaders) {
-		for pos < len(customHeaders) && unicode.IsSpace(rune(customHeaders[pos])) {
-			pos++
-		}
-
-		if pos >= len(customHeaders) {
-			break
-		}
-
-		keyStart := pos
-		for pos < len(customHeaders) && customHeaders[pos] != '=' && !unicode.IsSpace(rune(customHeaders[pos])) {
-			pos++
-		}
-
-		if pos >= len(customHeaders) || customHeaders[pos] != '=' {
-			return nil, fmt.Errorf("invalid custom header format. Expected \"headerKey1=value1 headerKey2=value2 ....\" but got %v", customHeaders)
-		}
-
-		key := customHeaders[keyStart:pos]
-		pos++
-
-		for pos < len(customHeaders) && unicode.IsSpace(rune(customHeaders[pos])) {
-			pos++
-		}
-
-		var value string
-
-		if pos < len(customHeaders) {
-			if customHeaders[pos] == '"' || customHeaders[pos] == '\'' {
-				quoteChar := customHeaders[pos]
-				pos++
-				valueStart := pos
-
-				for pos < len(customHeaders) &&
-					(customHeaders[pos] != quoteChar ||
-						(pos > 0 && customHeaders[pos-1] == '\\')) {
-					pos++
-				}
-
-				if pos < len(customHeaders) {
-					value = customHeaders[valueStart:pos]
-					pos++
-				} else {
-					value = customHeaders[valueStart:]
-				}
-			} else {
-				valueStart := pos
-				for pos < len(customHeaders) && !unicode.IsSpace(rune(customHeaders[pos])) {
-					pos++
-				}
-				value = customHeaders[valueStart:pos]
-			}
-		}
-
-		if key != "" && !strings.EqualFold(key, "User-Agent") && !strings.EqualFold(key, "Accept") {
-			headers[key] = value
-		}
-	}
-
-	return headers, nil
-}

cli/packages/util/credentials.go

@@ -9,6 +9,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/config"
 	"github.com/Infisical/infisical-merge/packages/models"
+	"github.com/go-resty/resty/v2"
 	"github.com/zalando/go-keyring"
 )
 
@@ -84,12 +85,7 @@ func GetCurrentLoggedInUserDetails(setConfigVariables bool) (LoggedInUserDetails
 		}
 
 		// check to to see if the JWT is still valid
-		httpClient, err := GetRestyClientWithCustomHeaders()
-		if err != nil {
-			return LoggedInUserDetails{}, fmt.Errorf("getCurrentLoggedInUserDetails: unable to get client with custom headers [err=%s]", err)
-		}
-
-		httpClient.
+		httpClient := resty.New().
 			SetAuthToken(userCreds.JTWToken).
 			SetHeader("Accept", "application/json")
 

cli/packages/util/folders.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
+	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 )
 
@@ -64,11 +65,7 @@ func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder
 
 func GetFoldersViaJTW(JTWToken string, workspaceId string, environmentName string, foldersPath string) ([]models.SingleFolder, error) {
 	// set up resty client
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(JTWToken).
 		SetHeader("Accept", "application/json")
 
@@ -103,10 +100,7 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 
 	serviceToken := fmt.Sprintf("%v.%v.%v", serviceTokenParts[0], serviceTokenParts[1], serviceTokenParts[2])
 
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
-	}
+	httpClient := resty.New()
 
 	httpClient.SetAuthToken(serviceToken).
 		SetHeader("Accept", "application/json")
@@ -149,11 +143,7 @@ func GetFoldersViaServiceToken(fullServiceToken string, workspaceId string, envi
 }
 
 func GetFoldersViaMachineIdentity(accessToken string, workspaceId string, envSlug string, foldersPath string) ([]models.SingleFolder, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -201,12 +191,9 @@ func CreateFolder(params models.CreateFolderParameters) (models.SingleFolder, er
 	}
 
 	// set up resty client
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return models.SingleFolder{}, err
-	}
-
-	httpClient.SetAuthToken(params.InfisicalToken).
+	httpClient := resty.New()
+	httpClient.
+		SetAuthToken(params.InfisicalToken).
 		SetHeader("Accept", "application/json").
 		SetHeader("Content-Type", "application/json")
 
@@ -251,12 +238,9 @@ func DeleteFolder(params models.DeleteFolderParameters) ([]models.SingleFolder,
 	}
 
 	// set up resty client
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, err
-	}
-
-	httpClient.SetAuthToken(params.InfisicalToken).
+	httpClient := resty.New()
+	httpClient.
+		SetAuthToken(params.InfisicalToken).
 		SetHeader("Accept", "application/json").
 		SetHeader("Content-Type", "application/json")
 

cli/packages/util/helper.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/models"
+	"github.com/go-resty/resty/v2"
 	"github.com/spf13/cobra"
 )
 
@@ -119,11 +120,7 @@ func GetInfisicalToken(cmd *cobra.Command) (token *models.TokenDetails, err erro
 }
 
 func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuthLoginResponse, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return api.UniversalAuthLoginResponse{}, err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)
@@ -138,11 +135,7 @@ func UniversalAuthLogin(clientId string, clientSecret string) (api.UniversalAuth
 
 func RenewMachineIdentityAccessToken(accessToken string) (string, error) {
 
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return "", err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetRetryCount(10000).
 		SetRetryMaxWaitTime(20 * time.Second).
 		SetRetryWaitTime(5 * time.Second)

cli/packages/util/secrets.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/crypto"
 	"github.com/Infisical/infisical-merge/packages/models"
+	"github.com/go-resty/resty/v2"
 	"github.com/rs/zerolog/log"
 	"github.com/zalando/go-keyring"
 	"gopkg.in/yaml.v3"
@@ -27,10 +28,7 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 
 	serviceToken := fmt.Sprintf("%v.%v.%v", serviceTokenParts[0], serviceTokenParts[1], serviceTokenParts[2])
 
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
-	}
+	httpClient := resty.New()
 
 	httpClient.SetAuthToken(serviceToken).
 		SetHeader("Accept", "application/json")
@@ -81,11 +79,7 @@ func GetPlainTextSecretsViaServiceToken(fullServiceToken string, environment str
 }
 
 func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentName string, secretsPath string, includeImports bool, recursive bool, tagSlugs string, expandSecretReferences bool) (models.PlaintextSecretResult, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return models.PlaintextSecretResult{}, err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -128,11 +122,7 @@ func GetPlainTextSecretsV3(accessToken string, workspaceId string, environmentNa
 }
 
 func GetSinglePlainTextSecretByNameV3(accessToken string, workspaceId string, environmentName string, secretsPath string, secretName string) (models.SingleEnvironmentVariable, string, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return models.SingleEnvironmentVariable{}, "", err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -163,11 +153,7 @@ func GetSinglePlainTextSecretByNameV3(accessToken string, workspaceId string, en
 }
 
 func CreateDynamicSecretLease(accessToken string, projectSlug string, environmentName string, secretsPath string, slug string, ttl string) (models.DynamicSecretLease, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return models.DynamicSecretLease{}, err
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(accessToken).
 		SetHeader("Accept", "application/json")
 
@@ -539,11 +525,7 @@ func GetEnvelopmentBasedOnGitBranch(workspaceFile models.WorkspaceConfigFile) st
 }
 
 func GetPlainTextWorkspaceKey(authenticationToken string, receiverPrivateKey string, workspaceId string) ([]byte, error) {
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, fmt.Errorf("GetPlainTextWorkspaceKey: unable to get client with custom headers [err=%v]", err)
-	}
-
+	httpClient := resty.New()
 	httpClient.SetAuthToken(authenticationToken).
 		SetHeader("Accept", "application/json")
 
@@ -690,12 +672,9 @@ func SetRawSecrets(secretArgs []string, secretType string, environmentName strin
 		getAllEnvironmentVariablesRequest.InfisicalToken = tokenDetails.Token
 	}
 
-	httpClient, err := GetRestyClientWithCustomHeaders()
-	if err != nil {
-		return nil, fmt.Errorf("unable to get client with custom headers [err=%v]", err)
-	}
-
-	httpClient.SetHeader("Accept", "application/json")
+	httpClient := resty.New().
+		SetAuthToken(tokenDetails.Token).
+		SetHeader("Accept", "application/json")
 
 	// pull current secrets
 	secrets, err := GetAllEnvironmentVariables(getAllEnvironmentVariablesRequest, "")

docs/cli/commands/secrets.mdx

@@ -186,28 +186,12 @@ This command allows you to set or update secrets in your environment. If the sec
 If the secret key does not exist, a new secret will be created using both the key and value provided.
 
 ```bash
-$ infisical secrets set <key1=value1> <key2=value2> <key3=@/path/to/file>...
+$ infisical secrets set <key1=value1> <key2=value2>...
 
 ## Example
-$ infisical secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jebhfbwe SECRET_PEM_KEY=@secret.pem
+$ infisical secrets set STRIPE_API_KEY=sjdgwkeudyjwe DOMAIN=example.com HASH=jebhfbwe
 ```
 
-  <Tip>
-    When setting secret values:
-      - Use `secretName=@path/to/file` to load the secret value from a file
-      - Use `secretName=\@value` if you need the literal '@' character at the beginning of your value
-
-    Example:
-
-    ```bash
-    # Set a secret with the value loaded from a certificate file
-    $ secrets set CERTIFICATE=@/path/to/certificate.pem
-
-    # Set a secret with the literal value "@example.com"
-    $ secrets set email="\@example.com"
-    ```
-  </Tip>
-
 ### Flags
 
   <Accordion title="--env">

docs/cli/faq.mdx

@@ -33,28 +33,3 @@ Yes. This is simply a configuration file and contains no sensitive data.
     https://app.infisical.com/project/<your_project_id>/settings
   ```
 </Accordion>
-
-<Accordion title="How do I use custom headers with the Infisical CLI?">
-  
-  The Infisical CLI supports custom HTTP headers for requests to servers that require additional authentication. Set these headers using the `INFISICAL_CUSTOM_HEADERS` environment variable:
-  
-  ```bash
-  export INFISICAL_CUSTOM_HEADERS="Access-Client-Id=your-client-id Access-Client-Secret=your-client-secret"
-  ```
-  
-  After setting this environment variable, run your Infisical commands as usual.
-</Accordion>
-
-<Accordion title="Why would I need to use custom headers?">
-  
-  Custom headers are necessary when your Infisical server is protected by services like Cloudflare Access or other reverse proxies that require specific authentication headers. Without this feature, you would need to implement security workarounds that might compromise your security posture.
-</Accordion>
-
-<Accordion title="What format should I use for the custom headers?">
-  
-  Custom headers should be specified in the format `headername1=headervalue1 headername2=headervalue2`, with spaces separating each header-value pair. For example:
-  
-  ```bash
-  export INFISICAL_CUSTOM_HEADERS="Header1=value1 Header2=value2 Header3=value3"
-  ```
-</Accordion>

docs/cli/usage.mdx

@@ -120,22 +120,6 @@ The CLI is designed for a variety of secret management applications ranging from
   </Tab>
 </Tabs>
 
-<Tip>
-  ## Custom Request Headers
-
-  The Infisical CLI supports custom HTTP headers for requests to servers protected by authentication services such as Cloudflare Access. Configure these headers using the `INFISICAL_CUSTOM_HEADERS` environment variable:
-
-  ```bash
-  # Syntax: headername1=headervalue1 headername2=headervalue2
-  export INFISICAL_CUSTOM_HEADERS="Access-Client-Id=your-client-id Access-Client-Secret=your-client-secret"
-
-  # Execute Infisical commands after setting the environment variable
-  infisical secrets ls
-  ```
-
-  This functionality enables secure interaction with Infisical instances that require specific authentication headers.
-</Tip>
-
 ## History
 
 Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they'll stay there for a while.

docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx

@@ -124,7 +124,7 @@ When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
 </Accordion>
 
 <Accordion title="leaseTTL">
-    The `leaseTTL` is a string-formatted duration that defines the time the lease should last for the dynamic secret.
+  The `leaseTTL` is a string-formatted duration that defines the time the lease should last for the dynamic secret.
 
   The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.
 

docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx

@@ -401,59 +401,6 @@ After applying the InfisicalPushSecret CRD, you should notice that the secrets y
 </Accordion>
 
 
-## Using templating to push secrets
-
-Pushing secrets to Infisical from the operator may not always be enough.
-Templating is a useful utility of the Infisical secrets operator that allows you to use Go Templating to template the secrets you want to push to Infisical.
-Using Go templates, you can format, combine, and create new key-value pairs of secrets that you want to push to Infisical.
-
-<Accordion title="push.secret.template"/>
-<Accordion title="push.secret.template.includeAllSecrets">
-  This property controls what secrets are included in your push to Infisica.
-  When set to `true`, all secrets included in the `push.secret.secretName` Kubernetes secret will be pushed to Infisical.
-  **Use this option when you would like to push all secrets to Infisical from the secrets operator, but want to template a subset of them.**
-
-  When set to `false`, only secrets defined in the `push.secret.template.data` field of the template will be pushed to Infisical.
-  Use this option when you would like to push **only** a subset of secrets from the Kubernetes secret to Infisical.
-</Accordion>
-<Accordion title="push.secret.template.data">
-  Define secret keys and their corresponding templates. 
-  Each data value uses a Golang template with access to all secrets defined in the `push.secret.secretName` Kubernetes secret.
-
-  Secrets are structured as follows:
-
-  ```go
-  type TemplateSecret struct {
-      Value      string `json:"value"`
-      SecretPath string `json:"secretPath"`
-  }
-  ```
-
-  #### Example template configuration:
-
-  ```yaml
-  # This example assumes that the `push-secret-demo` Kubernetes secret contains the following secrets:
-  # SITE_URL = "https://example.com"
-  # REGION = "us-east-1"
-  # OTHER_SECRET = "other-secret"
-
-  push:
-    secret:
-      secretName: push-secret-demo
-      secretNamespace: default
-      template:
-        includeAllSecrets: true # Includes all secrets from the `push-secret-demo` Kubernetes secret
-        data:
-          SITE_URL: "{{ .SITE_URL.Value }}"
-          API_URL: "https://api.{{.SITE_URL.Value}}.{{.REGION.Value}}.com" # Will create a new secret in Infisical with the key `API_URL` with the value of the `SITE_URL` and `REGION` secrets
-  ```
-
-  To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
-
-  ### Available templating functions
-  Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
-</Accordion>
-
 ## Applying the InfisicalPushSecret CRD to your cluster
 
 Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.

docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx

@@ -654,7 +654,30 @@ To help transform your secrets further, the operator provides a set of built-in
 
 ### Available templating functions
 
-Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
+<Accordion title="decodeBase64ToBytes">
+  **Function name**: decodeBase64ToBytes
+
+**Description**:
+Given a base64 encoded string, this function will decodes the base64-encoded string.
+This function is useful when your secrets are already stored as base64 encoded value in Infisical.
+
+**Returns**: The decoded base64 string as bytes.
+
+**Example**:
+The example below assumes that the `BINARY_KEY_BASE64` secret is stored as a base64 encoded value in Infisical.
+The resulting managed secret will contain the decoded value of `BINARY_KEY_BASE64`.
+
+```yaml
+managedKubeSecretReferences:
+secretName: managed-secret
+secretNamespace: default
+template:
+  includeAllSecrets: true
+  data:
+    BINARY_KEY: "{{ decodeBase64ToBytes .BINARY_KEY_BASE64.Value }}"
+```
+
+</Accordion>
 
 </Accordion>
 
@@ -760,8 +783,31 @@ Using Go templates, you can format, combine, and create new key-value pairs from
   To help transform your config map data further, the operator provides a set of built-in functions that you can use in your templates.
 
   ### Available templating functions
-  
-  Please refer to the [templating functions documentation](/integrations/platforms/kubernetes/overview#available-helper-functions) for more information.
+
+  <Accordion title="decodeBase64ToBytes">
+    **Function name**: decodeBase64ToBytes
+
+    **Description**:
+    Given a base64 encoded string, this function will decodes the base64-encoded string.
+    This function is useful when your Infisical secrets are already stored as base64 encoded value in Infisical.
+
+    **Returns**: The decoded base64 string as bytes.
+
+    **Example**:
+    The example below assumes that the `BINARY_KEY_BASE64` secret is stored as a base64 encoded value in Infisical.
+    The resulting managed config map will contain the decoded value of `BINARY_KEY_BASE64`.
+
+    ```yaml
+      managedKubeConfigMapReferences:
+        - configMapName: managed-configmap
+          configMapNamespace: default
+          template:
+            includeAllSecrets: true
+          data:
+            BINARY_KEY: "{{ decodeBase64ToBytes .BINARY_KEY_BASE64.Value }}"
+    ```
+
+  </Accordion>
 </Accordion>
 
 ## Applying CRD
@@ -808,39 +854,39 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
 <Accordion title="envFrom">
   This will take all the secrets from your managed secret and expose them to your container
 
-  ````yaml
-    envFrom:
-      - secretRef:
-          name: managed-secret # managed secret name
-    ```
+````yaml
+  envFrom:
+    - secretRef:
+        name: managed-secret # managed secret name
+  ```
 
-    Example usage in a deployment
-    ```yaml
-    apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+  Example usage in a deployment
+  ```yaml
+  apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-        - name: nginx
-          image: nginx:1.14.2
-          envFrom:
-          - secretRef:
-              name: managed-secret # <- name of managed secret
-          ports:
-          - containerPort: 80
-  ````
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        envFrom:
+        - secretRef:
+            name: managed-secret # <- name of managed secret
+        ports:
+        - containerPort: 80
+````
 
 </Accordion>
 
@@ -856,90 +902,91 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
           key: SOME_SECRET_KEY # The name of the key which exists in the managed secret
   ```
 
-  Example usage in a deployment
+Example usage in a deployment
 
-  ```yaml
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-          - name: nginx
-            image: nginx:1.14.2
-            env:
-              - name: STRIPE_API_SECRET
-                valueFrom:
-                  secretKeyRef:
-                    name: managed-secret # <- name of managed secret
-                    key: STRIPE_API_SECRET
-            ports:
-              - containerPort: 80
-  ```
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          env:
+            - name: STRIPE_API_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: managed-secret # <- name of managed secret
+                  key: STRIPE_API_SECRET
+          ports:
+            - containerPort: 80
+```
+
 </Accordion>
 
 <Accordion title="volumes">
-  This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
-  ```yaml
-  volumes:
-    - name: secrets-volume-name # The name of the volume under which secrets will be stored
-      secret:
-        secretName: managed-secret # managed secret name
-  ````
+This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
+```yaml
+volumes:
+  - name: secrets-volume-name # The name of the volume under which secrets will be stored
+    secret:
+      secretName: managed-secret # managed secret name
+````
 
-  You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
+You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
 
-  ```yaml
-  volumeMounts:
-    - name: secrets-volume-name
-      mountPath: /etc/secrets
-      readOnly: true
-  ```
+```yaml
+volumeMounts:
+  - name: secrets-volume-name
+    mountPath: /etc/secrets
+    readOnly: true
+```
 
-  Example usage in a deployment
+Example usage in a deployment
 
-  ```yaml
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-          - name: nginx
-            image: nginx:1.14.2
-            volumeMounts:
-              - name: secrets-volume-name
-                mountPath: /etc/secrets
-                readOnly: true
-            ports:
-              - containerPort: 80
-        volumes:
-          - name: secrets-volume-name
-            secret:
-              secretName: managed-secret # <- managed secrets
-  ```
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          volumeMounts:
+            - name: secrets-volume-name
+              mountPath: /etc/secrets
+              readOnly: true
+          ports:
+            - containerPort: 80
+      volumes:
+        - name: secrets-volume-name
+          secret:
+            secretName: managed-secret # <- managed secrets
+```
 
 </Accordion>
 
@@ -974,34 +1021,34 @@ secrets.infisical.com/auto-reload: "true"
 ```
 
 <Accordion title="Deployment example with auto redeploy enabled">
-  ```yaml
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+  annotations: 
+    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-    annotations: 
-      secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-        - name: nginx
-          image: nginx:1.14.2
-          envFrom:
-          - secretRef:
-              name: managed-secret
-          ports:
-          - containerPort: 80
-  ```
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        envFrom:
+        - secretRef:
+            name: managed-secret
+        ports:
+        - containerPort: 80
+```
 </Accordion>
 <Info>
   #### How it works 
@@ -1022,39 +1069,39 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
 <Accordion title="envFrom">
   This will take all the secrets from your managed ConfigMap and expose them to your container
 
-  ````yaml
-    envFrom:
-      - configMapRef:
-          name: managed-configmap # managed configmap name
-    ```
+````yaml
+  envFrom:
+    - configMapRef:
+        name: managed-configmap # managed configmap name
+  ```
 
-    Example usage in a deployment
-    ```yaml
-    apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+  Example usage in a deployment
+  ```yaml
+  apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-        - name: nginx
-          image: nginx:1.14.2
-          envFrom:
-          - configMapRef:
-              name: managed-configmap # <- name of managed configmap
-          ports:
-          - containerPort: 80
-  ````
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        envFrom:
+        - configMapRef:
+            name: managed-configmap # <- name of managed configmap
+        ports:
+        - containerPort: 80
+````
 
 </Accordion>
 
@@ -1070,91 +1117,92 @@ Here, we will highlight three of the most common ways to utilize it. Learn more
           key: SOME_CONFIG_KEY # The name of the key which exists in the managed configmap
   ```
 
-  Example usage in a deployment
+Example usage in a deployment
 
-  ```yaml
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-          - name: nginx
-            image: nginx:1.14.2
-            env:
-              - name: STRIPE_API_SECRET
-                valueFrom:
-                  configMapKeyRef:
-                    name: managed-configmap # <- name of managed configmap
-                    key: STRIPE_API_SECRET
-            ports:
-              - containerPort: 80
-  ```
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          env:
+            - name: STRIPE_API_SECRET
+              valueFrom:
+                configMapKeyRef:
+                  name: managed-configmap # <- name of managed configmap
+                  key: STRIPE_API_SECRET
+          ports:
+            - containerPort: 80
+```
 
 </Accordion>
 
 <Accordion title="volumes">
-  This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
-  ```yaml
-  volumes:
-    - name: configmaps-volume-name # The name of the volume under which configmaps will be stored
-      configMap:
-        name: managed-configmap # managed configmap name
-  ````
+This will allow you to create a volume on your container which comprises of files holding the secrets in your managed kubernetes secret
+```yaml
+volumes:
+  - name: configmaps-volume-name # The name of the volume under which configmaps will be stored
+    configMap:
+      name: managed-configmap # managed configmap name
+````
 
-  You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
+You can then mount this volume to the container's filesystem so that your deployment can access the files containing the managed secrets
 
-  ```yaml
-  volumeMounts:
-    - name: configmaps-volume-name
-      mountPath: /etc/config
-      readOnly: true
-  ```
+```yaml
+volumeMounts:
+  - name: configmaps-volume-name
+    mountPath: /etc/config
+    readOnly: true
+```
 
-  Example usage in a deployment
+Example usage in a deployment
 
-  ```yaml
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    name: nginx-deployment
-    labels:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
       app: nginx
-  spec:
-    replicas: 1
-    selector:
-      matchLabels:
+  template:
+    metadata:
+      labels:
         app: nginx
-    template:
-      metadata:
-        labels:
-          app: nginx
-      spec:
-        containers:
-          - name: nginx
-            image: nginx:1.14.2
-            volumeMounts:
-              - name: configmaps-volume-name
-                mountPath: /etc/config
-                readOnly: true
-            ports:
-              - containerPort: 80
-        volumes:
-          - name: configmaps-volume-name
-            configMap:
-              name: managed-configmap # <- managed configmap
-  ```
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          volumeMounts:
+            - name: configmaps-volume-name
+              mountPath: /etc/config
+              readOnly: true
+          ports:
+            - containerPort: 80
+      volumes:
+        - name: configmaps-volume-name
+          configMap:
+            name: managed-configmap # <- managed configmap
+```
+
 </Accordion>
 
 The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
@@ -1180,37 +1228,37 @@ The operator will transfer all labels & annotations present on the `InfisicalSec
 Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
 
 <Accordion title="Example propagation">
-  ```yaml
-  apiVersion: secrets.infisical.com/v1alpha1
-  kind: InfisicalSecret
-  metadata:
-    name: infisicalsecret-sample
-    labels:
-      label-to-be-passed-to-managed-secret: sample-value
-    annotations:
-      example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
-  spec:
-    ..
-    authentication:
-      ...
-    managedKubeSecretReferences:
-      ...
-  ```
+```yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
+spec:
+  ..
+  authentication:
+    ...
+  managedKubeSecretReferences:
+    ...
+```
 
-  This would result in the following managed secret to be created:
+This would result in the following managed secret to be created:
 
-  ```yaml
-  apiVersion: v1
-  data: ...
-  kind: Secret
-  metadata:
-    annotations:
-      example.com/annotation-to-be-passed-to-managed-secret: sample-value
-      secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
-    labels:
-      label-to-be-passed-to-managed-secret: sample-value
-    name: managed-token
-    namespace: default
-  type: Opaque
-  ```
+```yaml
+apiVersion: v1
+data: ...
+kind: Secret
+metadata:
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: sample-value
+    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  name: managed-token
+  namespace: default
+type: Opaque
+```
 </Accordion>