Ran go mod tidy

Update Go SDK version dependency
Update ssh cli api error messages
2025-03-28 15:29:21 +00:00 · 2024-12-18 11:45:09 -08:00 · 2024-12-18 11:32:09 -08:00 · 2024-12-18 09:22:06 -08:00 · 2024-12-17 20:40:03 -08:00 · 2024-12-17 13:12:47 -08:00
23 changed files with 654 additions and 475 deletions
--- a/backend/e2e-test/mocks/queue.ts
+++ b/backend/e2e-test/mocks/queue.ts
@ -22,10 +22,8 @@ export const mockQueue = (): TQueueServiceFactory => {
    listen: (name, event) => {
      events[name] = event;
    },
-    getRepeatableJobs: async () => [],
    clearQueue: async () => {},
    stopJobById: async () => {},
-    stopRepeatableJobByJobId: async () => true,
-    stopRepeatableJobByKey: async () => true
+    stopRepeatableJobByJobId: async () => true
  };
 };
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@ -20,12 +20,11 @@ export const withTransaction = <K extends object>(db: Knex, dal: K) => ({

 export type TFindFilter<R extends object = object> = Partial<R> & {
  $in?: Partial<{ [k in keyof R]: R[k][] }>;
-  $notNull?: Array<keyof R>;
  $search?: Partial<{ [k in keyof R]: R[k] }>;
  $complex?: TKnexDynamicOperator<R>;
 };
 export const buildFindFilter =
-  <R extends object = object>({ $in, $notNull, $search, $complex, ...filter }: TFindFilter<R>) =>
+  <R extends object = object>({ $in, $search, $complex, ...filter }: TFindFilter<R>) =>
  (bd: Knex.QueryBuilder<R, R>) => {
    void bd.where(filter);
    if ($in) {
@ -35,13 +34,6 @@ export const buildFindFilter =
        }
      });
    }
-
-    if ($notNull?.length) {
-      $notNull.forEach((key) => {
-        void bd.whereNotNull(key as never);
-      });
-    }
-
    if ($search) {
      Object.entries($search).forEach(([key, val]) => {
        if (val) {
--- a/backend/src/queue/queue-service.ts
+++ b/backend/src/queue/queue-service.ts
@ -317,13 +317,6 @@ export const queueServiceFactory = (
    }
  };

-  const getRepeatableJobs = (name: QueueName, startOffset?: number, endOffset?: number) => {
-    const q = queueContainer[name];
-    if (!q) throw new Error(`Queue '${name}' not initialized`);
-
-    return q.getRepeatableJobs(startOffset, endOffset);
-  };
-
  const stopRepeatableJobByJobId = async <T extends QueueName>(name: T, jobId: string) => {
    const q = queueContainer[name];
    const job = await q.getJob(jobId);
@ -333,11 +326,6 @@ export const queueServiceFactory = (
    return q.removeRepeatableByKey(job.repeatJobKey);
  };

-  const stopRepeatableJobByKey = async <T extends QueueName>(name: T, repeatJobKey: string) => {
-    const q = queueContainer[name];
-    return q.removeRepeatableByKey(repeatJobKey);
-  };
-
  const stopJobById = async <T extends QueueName>(name: T, jobId: string) => {
    const q = queueContainer[name];
    const job = await q.getJob(jobId);
@ -361,10 +349,8 @@ export const queueServiceFactory = (
    shutdown,
    stopRepeatableJob,
    stopRepeatableJobByJobId,
-    stopRepeatableJobByKey,
    clearQueue,
    stopJobById,
-    getRepeatableJobs,
    startPg,
    queuePg
  };
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -538,11 +538,7 @@ export const registerRoutes = async (

  const orgService = orgServiceFactory({
    userAliasDAL,
-    queueService,
    identityMetadataDAL,
-    secretDAL,
-    secretV2BridgeDAL,
-    folderDAL,
    licenseService,
    samlConfigDAL,
    orgRoleDAL,
@ -563,7 +559,6 @@ export const registerRoutes = async (
    groupDAL,
    orgBotDAL,
    oidcConfigDAL,
-    loginService,
    projectBotService
  });
  const signupService = authSignupServiceFactory({
@ -781,58 +776,10 @@ export const registerRoutes = async (
    projectTemplateDAL
  });

-  const integrationAuthService = integrationAuthServiceFactory({
-    integrationAuthDAL,
-    integrationDAL,
-    permissionService,
-    projectBotService,
-    kmsService
-  });
-
-  const secretQueueService = secretQueueFactory({
-    keyStore,
-    queueService,
-    secretDAL,
-    folderDAL,
-    integrationAuthService,
-    projectBotService,
-    integrationDAL,
-    secretImportDAL,
-    projectEnvDAL,
-    webhookDAL,
-    orgDAL,
-    auditLogService,
-    userDAL,
-    projectMembershipDAL,
-    smtpService,
-    projectDAL,
-    projectBotDAL,
-    secretVersionDAL,
-    secretBlindIndexDAL,
-    secretTagDAL,
-    secretVersionTagDAL,
-    kmsService,
-    secretVersionV2BridgeDAL,
-    secretV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    secretRotationDAL,
-    integrationAuthDAL,
-    snapshotDAL,
-    snapshotSecretV2BridgeDAL,
-    secretApprovalRequestDAL,
-    projectKeyDAL,
-    projectUserMembershipRoleDAL,
-    orgService
-  });
-
  const projectService = projectServiceFactory({
    permissionService,
    projectDAL,
-    secretDAL,
-    secretV2BridgeDAL,
-    queueService,
    projectQueue: projectQueueService,
-    projectBotService,
    identityProjectDAL,
    identityOrgMembershipDAL,
    projectKeyDAL,
@ -912,6 +859,48 @@ export const registerRoutes = async (
    projectDAL
  });

+  const integrationAuthService = integrationAuthServiceFactory({
+    integrationAuthDAL,
+    integrationDAL,
+    permissionService,
+    projectBotService,
+    kmsService
+  });
+  const secretQueueService = secretQueueFactory({
+    keyStore,
+    queueService,
+    secretDAL,
+    folderDAL,
+    integrationAuthService,
+    projectBotService,
+    integrationDAL,
+    secretImportDAL,
+    projectEnvDAL,
+    webhookDAL,
+    orgDAL,
+    auditLogService,
+    userDAL,
+    projectMembershipDAL,
+    smtpService,
+    projectDAL,
+    projectBotDAL,
+    secretVersionDAL,
+    secretBlindIndexDAL,
+    secretTagDAL,
+    secretVersionTagDAL,
+    kmsService,
+    secretVersionV2BridgeDAL,
+    secretV2BridgeDAL,
+    secretVersionTagV2BridgeDAL,
+    secretRotationDAL,
+    integrationAuthDAL,
+    snapshotDAL,
+    snapshotSecretV2BridgeDAL,
+    secretApprovalRequestDAL,
+    projectKeyDAL,
+    projectUserMembershipRoleDAL,
+    orgService
+  });
  const secretImportService = secretImportServiceFactory({
    licenseService,
    projectBotService,
@ -1240,7 +1229,6 @@ export const registerRoutes = async (
    auditLogDAL,
    queueService,
    secretVersionDAL,
-    secretDAL,
    secretFolderVersionDAL: folderVersionDAL,
    snapshotDAL,
    identityAccessTokenDAL,
--- a/backend/src/server/routes/v2/organization-router.ts
+++ b/backend/src/server/routes/v2/organization-router.ts
@ -10,7 +10,6 @@ import {
  UsersSchema
 } from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
-import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
@ -364,35 +363,21 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
      }),
      response: {
        200: z.object({
-          organization: OrganizationsSchema,
-          accessToken: z.string()
+          organization: OrganizationsSchema
        })
      }
    },
    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
-    handler: async (req, res) => {
+    handler: async (req) => {
      if (req.auth.actor !== ActorType.USER) return;

-      const cfg = getConfig();
-
-      const { organization, tokens } = await server.services.org.deleteOrganizationById({
-        userId: req.permission.id,
-        orgId: req.params.organizationId,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        authorizationHeader: req.headers.authorization,
-        userAgentHeader: req.headers["user-agent"],
-        ipAddress: req.realIp
-      });
-
-      void res.setCookie("jid", tokens.refreshToken, {
-        httpOnly: true,
-        path: "/",
-        sameSite: "strict",
-        secure: cfg.HTTPS_ENABLED
-      });
-
-      return { organization, accessToken: tokens.accessToken };
+      const organization = await server.services.org.deleteOrganizationById(
+        req.permission.id,
+        req.params.organizationId,
+        req.permission.authMethod,
+        req.permission.orgId
+      );
+      return { organization };
    }
  });
 };
--- a/backend/src/services/auth-token/auth-token-dal.ts
+++ b/backend/src/services/auth-token/auth-token-dal.ts
@ -12,12 +12,9 @@ export type TTokenDALFactory = ReturnType<typeof tokenDALFactory>;
 export const tokenDALFactory = (db: TDbClient) => {
  const authOrm = ormify(db, TableName.AuthTokens);

-  const findOneTokenSession = async (
-    filter: Partial<TAuthTokenSessions>,
-    tx?: Knex
-  ): Promise<TAuthTokenSessions | undefined> => {
+  const findOneTokenSession = async (filter: Partial<TAuthTokenSessions>): Promise<TAuthTokenSessions | undefined> => {
    try {
-      const doc = await (tx || db.replicaNode())(TableName.AuthTokenSession).where(filter).first();
+      const doc = await db.replicaNode()(TableName.AuthTokenSession).where(filter).first();
      return doc;
    } catch (error) {
      throw new DatabaseError({ error, name: "FindOneTokenSession" });
@ -57,11 +54,10 @@ export const tokenDALFactory = (db: TDbClient) => {
  const insertTokenSession = async (
    userId: string,
    ip: string,
-    userAgent: string,
-    tx?: Knex
+    userAgent: string
  ): Promise<TAuthTokenSessions | undefined> => {
    try {
-      const [session] = await (tx || db)(TableName.AuthTokenSession)
+      const [session] = await db(TableName.AuthTokenSession)
        .insert({
          userId,
          ip,
--- a/backend/src/services/auth-token/auth-token-service.ts
+++ b/backend/src/services/auth-token/auth-token-service.ts
@ -1,7 +1,6 @@
 import crypto from "node:crypto";

 import bcrypt from "bcrypt";
-import { Knex } from "knex";

 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
@ -124,13 +123,14 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAu
    return deletedToken?.[0];
  };

-  const getUserTokenSession = async (
-    { userId, ip, userAgent }: TIssueAuthTokenDTO,
-    tx?: Knex
-  ): Promise<TAuthTokenSessions | undefined> => {
-    let session = await tokenDAL.findOneTokenSession({ userId, ip, userAgent }, tx);
+  const getUserTokenSession = async ({
+    userId,
+    ip,
+    userAgent
+  }: TIssueAuthTokenDTO): Promise<TAuthTokenSessions | undefined> => {
+    let session = await tokenDAL.findOneTokenSession({ userId, ip, userAgent });
    if (!session) {
-      session = await tokenDAL.insertTokenSession(userId, ip, userAgent, tx);
+      session = await tokenDAL.insertTokenSession(userId, ip, userAgent);
    }
    return session;
  };
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@ -1,6 +1,5 @@
 import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
-import { Knex } from "knex";

 import { TUsers, UserDeviceSchema } from "@app/db/schemas";
 import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
@ -51,13 +50,13 @@ export const authLoginServiceFactory = ({
   * Not exported. This is to update user device list
   * If new device is found. Will be saved and a mail will be send
   */
-  const updateUserDeviceSession = async (user: TUsers, ip: string, userAgent: string, tx?: Knex) => {
+  const updateUserDeviceSession = async (user: TUsers, ip: string, userAgent: string) => {
    const devices = await UserDeviceSchema.parseAsync(user.devices || []);
    const isDeviceSeen = devices.some((device) => device.ip === ip && device.userAgent === userAgent);

    if (!isDeviceSeen) {
      const newDeviceList = devices.concat([{ ip, userAgent }]);
-      await userDAL.updateById(user.id, { devices: JSON.stringify(newDeviceList) }, tx);
+      await userDAL.updateById(user.id, { devices: JSON.stringify(newDeviceList) });
      if (user.email) {
        await smtpService.sendMail({
          template: SmtpTemplates.NewDeviceJoin,
@ -98,36 +97,30 @@ export const authLoginServiceFactory = ({
   * Check user device and send mail if new device
   * generate the auth and refresh token. fn shared by mfa verification and login verification with mfa disabled
   */
-  const generateUserTokens = async (
-    {
-      user,
-      ip,
-      userAgent,
-      organizationId,
-      authMethod,
-      isMfaVerified,
-      mfaMethod
-    }: {
-      user: TUsers;
-      ip: string;
-      userAgent: string;
-      organizationId?: string;
-      authMethod: AuthMethod;
-      isMfaVerified?: boolean;
-      mfaMethod?: MfaMethod;
-    },
-    tx?: Knex
-  ) => {
+  const generateUserTokens = async ({
+    user,
+    ip,
+    userAgent,
+    organizationId,
+    authMethod,
+    isMfaVerified,
+    mfaMethod
+  }: {
+    user: TUsers;
+    ip: string;
+    userAgent: string;
+    organizationId?: string;
+    authMethod: AuthMethod;
+    isMfaVerified?: boolean;
+    mfaMethod?: MfaMethod;
+  }) => {
    const cfg = getConfig();
-    await updateUserDeviceSession(user, ip, userAgent, tx);
-    const tokenSession = await tokenService.getUserTokenSession(
-      {
-        userAgent,
-        ip,
-        userId: user.id
-      },
-      tx
-    );
+    await updateUserDeviceSession(user, ip, userAgent);
+    const tokenSession = await tokenService.getUserTokenSession({
+      userAgent,
+      ip,
+      userId: user.id
+    });
    if (!tokenSession) throw new Error("Failed to create token");

    const accessToken = jwt.sign(
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@ -31,13 +31,11 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedErro
 import { groupBy } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { isDisposableEmail } from "@app/lib/validator";
-import { TQueueServiceFactory } from "@app/queue";
 import { getDefaultOrgMembershipRoleForUpdateOrg } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";

-import { TAuthLoginFactory } from "../auth/auth-login-service";
-import { ActorAuthMethod, ActorType, AuthMethod, AuthModeJwtTokenPayload, AuthTokenType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
 import { TIdentityMetadataDALFactory } from "../identity/identity-metadata-dal";
@ -49,10 +47,6 @@ import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
-import { TSecretDALFactory } from "../secret/secret-dal";
-import { fnDeleteProjectSecretReminders } from "../secret/secret-fns";
-import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TIncidentContactsDALFactory } from "./incident-contacts-dal";
@ -75,9 +69,6 @@ import {

 type TOrgServiceFactoryDep = {
  userAliasDAL: Pick<TUserAliasDALFactory, "delete">;
-  secretDAL: Pick<TSecretDALFactory, "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findByProjectId">;
  orgDAL: TOrgDALFactory;
  orgBotDAL: TOrgBotDALFactory;
  orgRoleDAL: TOrgRoleDALFactory;
@ -106,8 +97,6 @@ type TOrgServiceFactoryDep = {
  projectBotDAL: Pick<TProjectBotDALFactory, "findOne" | "updateById">;
  projectUserMembershipRoleDAL: Pick<TProjectUserMembershipRoleDALFactory, "insertMany" | "create">;
  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
-  queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
-  loginService: Pick<TAuthLoginFactory, "generateUserTokens">;
 };

 export type TOrgServiceFactory = ReturnType<typeof orgServiceFactory>;
@ -115,9 +104,6 @@ export type TOrgServiceFactory = ReturnType<typeof orgServiceFactory>;
 export const orgServiceFactory = ({
  userAliasDAL,
  orgDAL,
-  secretDAL,
-  secretV2BridgeDAL,
-  folderDAL,
  userDAL,
  groupDAL,
  orgRoleDAL,
@ -138,9 +124,7 @@ export const orgServiceFactory = ({
  projectBotDAL,
  projectUserMembershipRoleDAL,
  identityMetadataDAL,
-  projectBotService,
-  queueService,
-  loginService
+  projectBotService
 }: TOrgServiceFactoryDep) => {
  /*
   * Get organization details by the organization id
@ -435,88 +419,24 @@ export const orgServiceFactory = ({
  /*
   * Delete organization by id
   * */
-  const deleteOrganizationById = async ({
-    userId,
-    authorizationHeader,
-    userAgentHeader,
-    ipAddress,
-    orgId,
-    actorAuthMethod,
-    actorOrgId
-  }: {
-    userId: string;
-    authorizationHeader?: string;
-    userAgentHeader?: string;
-    ipAddress: string;
-    orgId: string;
-    actorAuthMethod: ActorAuthMethod;
-    actorOrgId: string | undefined;
-  }) => {
+  const deleteOrganizationById = async (
+    userId: string,
+    orgId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ) => {
    const { membership } = await permissionService.getUserOrgPermission(userId, orgId, actorAuthMethod, actorOrgId);
-    if ((membership.role as OrgMembershipRole) !== OrgMembershipRole.Admin) {
+    if ((membership.role as OrgMembershipRole) !== OrgMembershipRole.Admin)
      throw new ForbiddenRequestError({
        name: "DeleteOrganizationById",
        message: "Insufficient privileges"
      });
+
+    const organization = await orgDAL.deleteById(orgId);
+    if (organization.customerId) {
+      await licenseService.removeOrgCustomer(organization.customerId);
    }
-
-    if (!authorizationHeader) {
-      throw new UnauthorizedError({ name: "Authorization header not set on request." });
-    }
-
-    if (!userAgentHeader) {
-      throw new BadRequestError({ name: "User agent not set on request." });
-    }
-
-    const cfg = getConfig();
-    const authToken = authorizationHeader.replace("Bearer ", "");
-
-    const decodedToken = jwt.verify(authToken, cfg.AUTH_SECRET) as AuthModeJwtTokenPayload;
-    if (!decodedToken.authMethod) throw new UnauthorizedError({ name: "Auth method not found on existing token" });
-
-    const response = await orgDAL.transaction(async (tx) => {
-      const projects = await projectDAL.find({ orgId }, { tx });
-
-      for await (const project of projects) {
-        await fnDeleteProjectSecretReminders(project.id, {
-          secretDAL,
-          secretV2BridgeDAL,
-          queueService,
-          projectBotService,
-          folderDAL
-        });
-      }
-
-      const deletedOrg = await orgDAL.deleteById(orgId, tx);
-
-      if (deletedOrg.customerId) {
-        await licenseService.removeOrgCustomer(deletedOrg.customerId);
-      }
-
-      // Generate new tokens without the organization ID present
-      const user = await userDAL.findById(userId, tx);
-      const { access: accessToken, refresh: refreshToken } = await loginService.generateUserTokens(
-        {
-          user,
-          authMethod: decodedToken.authMethod,
-          ip: ipAddress,
-          userAgent: userAgentHeader,
-          isMfaVerified: decodedToken.isMfaVerified,
-          mfaMethod: decodedToken.mfaMethod
-        },
-        tx
-      );
-
-      return {
-        organization: deletedOrg,
-        tokens: {
-          accessToken,
-          refreshToken
-        }
-      };
-    });
-
-    return response;
+    return organization;
  };
  /*
   * Org membership management
--- a/backend/src/services/project/project-dal.ts
+++ b/backend/src/services/project/project-dal.ts
@ -51,7 +51,7 @@ export const projectDALFactory = (db: TDbClient) => {
        .join(TableName.Project, `${TableName.GroupProjectMembership}.projectId`, `${TableName.Project}.id`)
        .where(`${TableName.Project}.orgId`, orgId)
        .andWhere((qb) => {
-          if (projectType !== "all") {
+          if (projectType) {
            void qb.where(`${TableName.Project}.type`, projectType);
          }
        })
--- a/backend/src/services/project/project-service.ts
+++ b/backend/src/services/project/project-service.ts
@ -14,7 +14,6 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { groupBy } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TProjectPermission } from "@app/lib/types";
-import { TQueueServiceFactory } from "@app/queue";

 import { ActorType } from "../auth/auth-type";
 import { TCertificateDALFactory } from "../certificate/certificate-dal";
@ -29,17 +28,13 @@ import { TOrgServiceFactory } from "../org/org-service";
 import { TPkiAlertDALFactory } from "../pki-alert/pki-alert-dal";
 import { TPkiCollectionDALFactory } from "../pki-collection/pki-collection-dal";
 import { TProjectBotDALFactory } from "../project-bot/project-bot-dal";
-import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectKeyDALFactory } from "../project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TProjectUserMembershipRoleDALFactory } from "../project-membership/project-user-membership-role-dal";
 import { TProjectRoleDALFactory } from "../project-role/project-role-dal";
 import { getPredefinedRoles } from "../project-role/project-role-fns";
-import { TSecretDALFactory } from "../secret/secret-dal";
-import { fnDeleteProjectSecretReminders } from "../secret/secret-fns";
 import { ROOT_FOLDER_NAME, TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TProjectSlackConfigDALFactory } from "../slack/project-slack-config-dal";
 import { TSlackIntegrationDALFactory } from "../slack/slack-integration-dal";
 import { TUserDALFactory } from "../user/user-dal";
@ -79,10 +74,7 @@ type TProjectServiceFactoryDep = {
  projectDAL: TProjectDALFactory;
  projectQueue: TProjectQueueFactory;
  userDAL: TUserDALFactory;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
-  folderDAL: Pick<TSecretFolderDALFactory, "insertMany" | "findByProjectId">;
-  secretDAL: Pick<TSecretDALFactory, "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find">;
+  folderDAL: TSecretFolderDALFactory;
  projectEnvDAL: Pick<TProjectEnvDALFactory, "insertMany" | "find">;
  identityOrgMembershipDAL: TIdentityOrgDALFactory;
  identityProjectDAL: TIdentityProjectDALFactory;
@ -100,8 +92,6 @@ type TProjectServiceFactoryDep = {
  permissionService: TPermissionServiceFactory;
  orgService: Pick<TOrgServiceFactory, "addGhostUser">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
-
  orgDAL: Pick<TOrgDALFactory, "findOne">;
  keyStore: Pick<TKeyStoreFactory, "deleteItem">;
  projectBotDAL: Pick<TProjectBotDALFactory, "create">;
@ -122,13 +112,9 @@ export type TProjectServiceFactory = ReturnType<typeof projectServiceFactory>;

 export const projectServiceFactory = ({
  projectDAL,
-  secretDAL,
-  secretV2BridgeDAL,
  projectQueue,
  projectKeyDAL,
  permissionService,
-  queueService,
-  projectBotService,
  orgDAL,
  userDAL,
  folderDAL,
@ -438,14 +424,6 @@ export const projectServiceFactory = ({
        await userDAL.deleteById(projectGhostUser.id, tx);
      }

-      await fnDeleteProjectSecretReminders(project.id, {
-        secretDAL,
-        secretV2BridgeDAL,
-        queueService,
-        projectBotService,
-        folderDAL
-      });
-
      return delProject;
    });

--- a/backend/src/services/resource-cleanup/resource-cleanup-queue.ts
+++ b/backend/src/services/resource-cleanup/resource-cleanup-queue.ts
@ -5,7 +5,6 @@ import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";

 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
 import { TIdentityUaClientSecretDALFactory } from "../identity-ua/identity-ua-client-secret-dal";
-import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretVersionDALFactory } from "../secret/secret-version-dal";
 import { TSecretFolderVersionDALFactory } from "../secret-folder/secret-folder-version-dal";
 import { TSecretSharingDALFactory } from "../secret-sharing/secret-sharing-dal";
@ -17,7 +16,6 @@ type TDailyResourceCleanUpQueueServiceFactoryDep = {
  identityUniversalAuthClientSecretDAL: Pick<TIdentityUaClientSecretDALFactory, "removeExpiredClientSecrets">;
  secretVersionDAL: Pick<TSecretVersionDALFactory, "pruneExcessVersions">;
  secretVersionV2DAL: Pick<TSecretVersionV2DALFactory, "pruneExcessVersions">;
-  secretDAL: Pick<TSecretDALFactory, "pruneSecretReminders">;
  secretFolderVersionDAL: Pick<TSecretFolderVersionDALFactory, "pruneExcessVersions">;
  snapshotDAL: Pick<TSnapshotDALFactory, "pruneExcessSnapshots">;
  secretSharingDAL: Pick<TSecretSharingDALFactory, "pruneExpiredSharedSecrets">;
@ -32,7 +30,6 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
  snapshotDAL,
  secretVersionDAL,
  secretFolderVersionDAL,
-  secretDAL,
  identityAccessTokenDAL,
  secretSharingDAL,
  secretVersionV2DAL,
@ -40,7 +37,6 @@ export const dailyResourceCleanUpQueueServiceFactory = ({
 }: TDailyResourceCleanUpQueueServiceFactoryDep) => {
  queueService.start(QueueName.DailyResourceCleanUp, async () => {
    logger.info(`${QueueName.DailyResourceCleanUp}: queue task started`);
-    await secretDAL.pruneSecretReminders(queueService);
    await auditLogDAL.pruneAuditLog();
    await identityAccessTokenDAL.removeExpiredTokens();
    await identityUniversalAuthClientSecretDAL.removeExpiredClientSecrets();
--- a/backend/src/services/secret/secret-dal.ts
+++ b/backend/src/services/secret/secret-dal.ts
@ -5,8 +5,6 @@ import { TDbClient } from "@app/db";
 import { SecretsSchema, SecretType, TableName, TSecrets, TSecretsUpdate } from "@app/db/schemas";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { ormify, selectAllTableCols, sqlNestRelationships } from "@app/lib/knex";
-import { logger } from "@app/lib/logger";
-import { QueueName, TQueueServiceFactory } from "@app/queue";

 export type TSecretDALFactory = ReturnType<typeof secretDALFactory>;

@ -341,94 +339,6 @@ export const secretDALFactory = (db: TDbClient) => {
    }
  };

-  const pruneSecretReminders = async (queueService: TQueueServiceFactory) => {
-    const REMINDER_PRUNE_BATCH_SIZE = 5_000;
-    const MAX_RETRY_ON_FAILURE = 3;
-    let numberOfRetryOnFailure = 0;
-    let deletedReminderCount = 0;
-
-    logger.info(`${QueueName.DailyResourceCleanUp}: secret reminders started`);
-
-    try {
-      const repeatableJobs = await queueService.getRepeatableJobs(QueueName.SecretReminder);
-      const reminderJobs = repeatableJobs
-        .map((job) => ({ secretId: job.id?.replace("reminder-", "") as string, jobKey: job.key }))
-        .filter(Boolean);
-
-      if (reminderJobs.length === 0) {
-        logger.info(`${QueueName.DailyResourceCleanUp}: no reminder jobs found`);
-        return;
-      }
-
-      for (let offset = 0; offset < reminderJobs.length; offset += REMINDER_PRUNE_BATCH_SIZE) {
-        try {
-          const batchIds = reminderJobs.slice(offset, offset + REMINDER_PRUNE_BATCH_SIZE).map((r) => r.secretId);
-
-          const payload = {
-            $in: {
-              id: batchIds
-            }
-          };
-
-          const opts = {
-            limit: REMINDER_PRUNE_BATCH_SIZE
-          };
-
-          // Find existing secrets with pagination
-          // eslint-disable-next-line no-await-in-loop
-          const [secrets, secretsV2] = await Promise.all([
-            ormify(db, TableName.Secret).find(payload, opts),
-            ormify(db, TableName.SecretV2).find(payload, opts)
-          ]);
-
-          const foundSecretIds = new Set([
-            ...secrets.map((secret) => secret.id),
-            ...secretsV2.map((secret) => secret.id)
-          ]);
-
-          // Find IDs that don't exist in either table
-          const secretIdsNotFound = batchIds.filter((secretId) => !foundSecretIds.has(secretId));
-
-          // Delete reminders for non-existent secrets
-          for (const secretId of secretIdsNotFound) {
-            const jobKey = reminderJobs.find((r) => r.secretId === secretId)?.jobKey;
-
-            if (jobKey) {
-              // eslint-disable-next-line no-await-in-loop
-              await queueService.stopRepeatableJobByKey(QueueName.SecretReminder, jobKey);
-              deletedReminderCount += 1;
-            }
-          }
-
-          numberOfRetryOnFailure = 0;
-        } catch (error) {
-          numberOfRetryOnFailure += 1;
-          logger.error(error, `Failed to process batch at offset ${offset}`);
-
-          if (numberOfRetryOnFailure >= MAX_RETRY_ON_FAILURE) {
-            break;
-          }
-
-          // Retry the current batch
-          offset -= REMINDER_PRUNE_BATCH_SIZE;
-
-          // eslint-disable-next-line no-promise-executor-return, @typescript-eslint/no-loop-func, no-await-in-loop
-          await new Promise((resolve) => setTimeout(resolve, 500 * numberOfRetryOnFailure));
-        }
-
-        // Small delay between batches
-        // eslint-disable-next-line no-promise-executor-return, @typescript-eslint/no-loop-func, no-await-in-loop
-        await new Promise((resolve) => setTimeout(resolve, 10));
-      }
-    } catch (error) {
-      logger.error(error, "Failed to complete secret reminder pruning");
-    } finally {
-      logger.info(
-        `${QueueName.DailyResourceCleanUp}: secret reminders completed. Deleted ${deletedReminderCount} reminders`
-      );
-    }
-  };
-
  return {
    ...secretOrm,
    update,
@ -442,7 +352,6 @@ export const secretDALFactory = (db: TDbClient) => {
    findByBlindIndexes,
    upsertSecretReferences,
    findReferencedSecretReferences,
-    findAllProjectSecretValues,
-    pruneSecretReminders
+    findAllProjectSecretValues
  };
 };
--- a/backend/src/services/secret/secret-fns.ts
+++ b/backend/src/services/secret/secret-fns.ts
@ -19,11 +19,9 @@ import {
  decryptSymmetric128BitHexKeyUTF8,
  encryptSymmetric128BitHexKeyUTF8
 } from "@app/lib/crypto";
-import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
-import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import {
  fnSecretBulkInsert as fnSecretV2BridgeBulkInsert,
  fnSecretBulkUpdate as fnSecretV2BridgeBulkUpdate,
@ -33,10 +31,8 @@ import {
 import { ActorAuthMethod, ActorType } from "../auth/auth-type";
 import { KmsDataKey } from "../kms/kms-types";
 import { getBotKeyFnFactory } from "../project-bot/project-bot-fns";
-import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
-import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
 import { TSecretDALFactory } from "./secret-dal";
 import {
  TCreateManySecretsRawFn,
@ -1142,49 +1138,3 @@ export const decryptSecretWithBot = (
    secretComment
  };
 };
-
-type TFnDeleteProjectSecretReminders = {
-  secretDAL: Pick<TSecretDALFactory, "find">;
-  secretV2BridgeDAL: Pick<TSecretV2BridgeDALFactory, "find">;
-  queueService: Pick<TQueueServiceFactory, "stopRepeatableJob">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findByProjectId">;
-};
-
-export const fnDeleteProjectSecretReminders = async (
-  projectId: string,
-  { secretDAL, secretV2BridgeDAL, queueService, projectBotService, folderDAL }: TFnDeleteProjectSecretReminders
-) => {
-  const projectFolders = await folderDAL.findByProjectId(projectId);
-  const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId, false);
-
-  const projectSecrets = shouldUseSecretV2Bridge
-    ? await secretV2BridgeDAL.find({
-        $in: { folderId: projectFolders.map((folder) => folder.id) },
-        $notNull: ["reminderRepeatDays"]
-      })
-    : await secretDAL.find({
-        $in: { folderId: projectFolders.map((folder) => folder.id) },
-        $notNull: ["secretReminderRepeatDays"]
-      });
-
-  const appCfg = getConfig();
-  for await (const secret of projectSecrets) {
-    const repeatDays = shouldUseSecretV2Bridge
-      ? (secret as { reminderRepeatDays: number }).reminderRepeatDays
-      : (secret as { secretReminderRepeatDays: number }).secretReminderRepeatDays;
-
-    // We're using the queue service directly to get around conflicting imports.
-    if (repeatDays) {
-      await queueService.stopRepeatableJob(
-        QueueName.SecretReminder,
-        QueueJobs.SecretReminder,
-        {
-          // on prod it this will be in days, in development this will be second
-          every: appCfg.NODE_ENV === "development" ? secondsToMillis(repeatDays) : daysToMillisecond(repeatDays)
-        },
-        `reminder-${secret.id}`
-      );
-    }
-  }
-};
--- a/backend/src/services/secret/secret-queue.ts
+++ b/backend/src/services/secret/secret-queue.ts
@ -248,9 +248,7 @@ export const secretQueueFactory = ({
                ? secondsToMillis(newSecret.secretReminderRepeatDays)
                : daysToMillisecond(newSecret.secretReminderRepeatDays),
            immediately: true
-          },
-          removeOnComplete: true,
-          removeOnFail: true
+          }
        }
      );
    } catch (err) {
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@ -491,8 +491,8 @@ export const secretServiceFactory = ({
      secretDAL
    });

-    const deletedSecret = await secretDAL.transaction(async (tx) => {
-      const secrets = await fnSecretBulkDelete({
+    const deletedSecret = await secretDAL.transaction(async (tx) =>
+      fnSecretBulkDelete({
        projectId,
        folderId,
        actorId,
@ -505,19 +505,8 @@ export const secretServiceFactory = ({
          }
        ],
        tx
-      });
-
-      for await (const secret of secrets) {
-        if (secret.secretReminderRepeatDays !== null && secret.secretReminderRepeatDays !== undefined) {
-          await secretQueueService.removeSecretReminder({
-            repeatDays: secret.secretReminderRepeatDays,
-            secretId: secret.id
-          });
-        }
-      }
-
-      return secrets;
-    });
+      })
+    );

    if (inputSecret.type === SecretType.Shared) {
      await snapshotService.performSnapshot(folderId);
@ -982,8 +971,8 @@ export const secretServiceFactory = ({
      secretDAL
    });

-    const secretsDeleted = await secretDAL.transaction(async (tx) => {
-      const secrets = await fnSecretBulkDelete({
+    const secretsDeleted = await secretDAL.transaction(async (tx) =>
+      fnSecretBulkDelete({
        secretDAL,
        secretQueueService,
        inputSecrets: inputSecrets.map(({ type, secretName }) => ({
@ -994,19 +983,8 @@ export const secretServiceFactory = ({
        folderId,
        actorId,
        tx
-      });
-
-      for await (const secret of secrets) {
-        if (secret.secretReminderRepeatDays !== null && secret.secretReminderRepeatDays !== undefined) {
-          await secretQueueService.removeSecretReminder({
-            repeatDays: secret.secretReminderRepeatDays,
-            secretId: secret.id
-          });
-        }
-      }
-
-      return secrets;
-    });
+      })
+    );

    await snapshotService.performSnapshot(folderId);
    await secretQueueService.syncSecrets({
--- a/cli/go.mod
+++ b/cli/go.mod
@ -10,7 +10,7 @@ require (
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
 	github.com/h2non/filetype v1.1.3
-	github.com/infisical/go-sdk v0.4.3
+	github.com/infisical/go-sdk v0.4.7
 	github.com/mattn/go-isatty v0.0.20
 	github.com/muesli/ansi v0.0.0-20221106050444-61f0cd9a192a
 	github.com/muesli/mango-cobra v1.2.0
--- a/cli/go.sum
+++ b/cli/go.sum
@ -265,8 +265,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/infisical/go-sdk v0.4.3 h1:O5ZJ2eCBAZDE9PIAfBPq9Utb2CgQKrhmj9R0oFTRu4U=
-github.com/infisical/go-sdk v0.4.3/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
+github.com/infisical/go-sdk v0.4.7 h1:+cxIdDfciMh0Syxbxbqjhvz9/ShnN1equ2zqlVQYGtw=
+github.com/infisical/go-sdk v0.4.7/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
 github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
 github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
--- a/cli/packages/cmd/ssh.go
+++ b/cli/packages/cmd/ssh.go
@ -0,0 +1,524 @@
+/*
+Copyright (c) 2023 Infisical Inc.
+*/
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Infisical/infisical-merge/packages/api"
+	"github.com/Infisical/infisical-merge/packages/config"
+	"github.com/Infisical/infisical-merge/packages/util"
+	infisicalSdk "github.com/infisical/go-sdk"
+	infisicalSdkUtil "github.com/infisical/go-sdk/packages/util"
+	"github.com/spf13/cobra"
+)
+
+var sshCmd = &cobra.Command{
+	Example:               `infisical ssh`,
+	Short:                 "Used to issue SSH credentials",
+	Use:                   "ssh",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+}
+
+var sshIssueCredentialsCmd = &cobra.Command{
+	Example:               `ssh issue-credentials`,
+	Short:                 "Used to issue SSH credentials against a certificate template",
+	Use:                   "issue-credentials",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   issueCredentials,
+}
+
+var sshSignKeyCmd = &cobra.Command{
+	Example:               `ssh sign-key`,
+	Short:                 "Used to sign a SSH public key against a certificate template",
+	Use:                   "sign-key",
+	DisableFlagsInUseLine: true,
+	Args:                  cobra.NoArgs,
+	Run:                   signKey,
+}
+
+var algoToFileName = map[infisicalSdkUtil.CertKeyAlgorithm]string{
+	infisicalSdkUtil.RSA2048:   "id_rsa_2048",
+	infisicalSdkUtil.RSA4096:   "id_rsa_4096",
+	infisicalSdkUtil.ECDSAP256: "id_ecdsa_p256",
+	infisicalSdkUtil.ECDSAP384: "id_ecdsa_p384",
+}
+
+func isValidKeyAlgorithm(algo infisicalSdkUtil.CertKeyAlgorithm) bool {
+    _, exists := algoToFileName[algo]
+    return exists
+}
+
+func isValidCertType(certType infisicalSdkUtil.SshCertType) bool {
+	switch certType {
+	case infisicalSdkUtil.UserCert, infisicalSdkUtil.HostCert:
+		return true
+	default:
+		return false
+	}
+}
+
+func writeToFile(filePath string, content string, perm os.FileMode) error {
+	// Ensure the directory exists
+	dir := filepath.Dir(filePath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", dir, err)
+	}
+
+	// Write the content to the file
+	err := os.WriteFile(filePath, []byte(content), perm)
+	if err != nil {
+		return fmt.Errorf("failed to write to file %s: %w", filePath, err)
+	}
+
+	return nil
+}
+
+func issueCredentials(cmd *cobra.Command, args []string) {
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var infisicalToken string
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	certificateTemplateId, err := cmd.Flags().GetString("certificateTemplateId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+	if certificateTemplateId == "" {
+		util.PrintErrorMessageAndExit("You must set the --certificateTemplateId flag")
+	}
+
+	principalsStr, err := cmd.Flags().GetString("principals")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	// Check if the input string is empty before splitting
+	if principalsStr == "" {
+		util.HandleError(fmt.Errorf("no principals provided"), "The 'principals' flag cannot be empty")
+	}
+
+	// Convert the comma-delimited string into a slice of strings
+	principals := strings.Split(principalsStr, ",")
+	for i, principal := range principals {
+		principals[i] = strings.TrimSpace(principal)
+	}
+
+	keyAlgorithm, err := cmd.Flags().GetString("keyAlgorithm")
+	if err != nil {
+		util.HandleError(err, "Unable to parse keyAlgorithm flag")
+	}
+
+	if !isValidKeyAlgorithm(infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)) {
+		util.HandleError(fmt.Errorf("invalid keyAlgorithm: %s", keyAlgorithm),
+			"Valid values: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1")
+	}
+
+	certType, err := cmd.Flags().GetString("certType")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if !isValidCertType(infisicalSdkUtil.SshCertType(certType)) {
+		util.HandleError(fmt.Errorf("invalid certType: %s", certType),
+			"Valid values: user, host")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	keyId, err := cmd.Flags().GetString("keyId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	outFilePath, err := cmd.Flags().GetString("outFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var (
+		outputDir      string
+		privateKeyPath string
+		publicKeyPath  string
+		signedKeyPath  string
+	)
+
+	if outFilePath == "" {
+		// Use current working directory
+		cwd, err := os.Getwd()
+		if err != nil {
+			util.HandleError(err, "Failed to get current working directory")
+		}
+		outputDir = cwd
+	} else {
+		// Expand ~ to home directory if present
+		if strings.HasPrefix(outFilePath, "~") {
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			outFilePath = strings.Replace(outFilePath, "~", homeDir, 1)
+		}
+
+		// Check if outFilePath ends with "-cert.pub"
+		if strings.HasSuffix(outFilePath, "-cert.pub") {
+			// Treat outFilePath as the signed key path
+			signedKeyPath = outFilePath
+
+			// Derive the base name by removing "-cert.pub"
+			baseName := strings.TrimSuffix(filepath.Base(outFilePath), "-cert.pub")
+
+			// Set the output directory
+			outputDir = filepath.Dir(outFilePath)
+
+			// Define private and public key paths
+			privateKeyPath = filepath.Join(outputDir, baseName)
+			publicKeyPath = filepath.Join(outputDir, baseName+".pub")
+		} else {
+			// Treat outFilePath as a directory
+			outputDir = outFilePath
+
+			// Check if the directory exists; if not, create it
+			info, err := os.Stat(outputDir)
+			if os.IsNotExist(err) {
+				err = os.MkdirAll(outputDir, 0755)
+				if err != nil {
+					util.HandleError(err, "Failed to create output directory")
+				}
+			} else if err != nil {
+				util.HandleError(err, "Failed to access output directory")
+			} else if !info.IsDir() {
+				util.PrintErrorMessageAndExit("The provided --outFilePath is not a directory")
+			}
+		}
+	}
+
+	// Define file names based on key algorithm
+	fileName := algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)]
+
+	// Define file paths
+	privateKeyPath = filepath.Join(outputDir, fileName)
+	publicKeyPath = filepath.Join(outputDir, fileName+".pub")
+	signedKeyPath = filepath.Join(outputDir, fileName+"-cert.pub")
+
+	// If outFilePath ends with "-cert.pub", ensure the signedKeyPath is set
+	if strings.HasSuffix(outFilePath, "-cert.pub") {
+		// Ensure the signedKeyPath was set
+		if signedKeyPath == "" {
+			util.HandleError(fmt.Errorf("signedKeyPath is not set correctly"), "Internal error")
+		}
+	} else {
+		// Ensure all paths are set
+		if privateKeyPath == "" || publicKeyPath == "" || signedKeyPath == "" {
+			util.HandleError(fmt.Errorf("file paths are not set correctly"), "Internal error")
+		}
+	}
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	creds, err := infisicalClient.Ssh().IssueCredentials(infisicalSdk.IssueSshCredsOptions{
+		CertificateTemplateID: certificateTemplateId,
+		Principals:            principals,
+		KeyAlgorithm:          infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm),
+		CertType:              infisicalSdkUtil.SshCertType(certType),
+		TTL:                   ttl,
+		KeyID:                 keyId,
+	})
+
+	if err != nil {
+		util.HandleError(err, "Failed to issue SSH credentials")
+	}
+
+	// If signedKeyPath wasn't set in the directory scenario, set it now
+	if signedKeyPath == "" {
+		fileName := algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)]
+		signedKeyPath = filepath.Join(outputDir, fileName+"-cert.pub")
+	}
+
+	if privateKeyPath == "" {
+		privateKeyPath = filepath.Join(outputDir, algoToFileName[infisicalSdkUtil.CertKeyAlgorithm(keyAlgorithm)])
+	}
+	err = writeToFile(privateKeyPath, creds.PrivateKey, 0600)
+	if err != nil {
+		util.HandleError(err, "Failed to write Private Key to file")
+	}
+
+	if publicKeyPath == "" {
+		publicKeyPath = privateKeyPath + ".pub"
+	}
+	err = writeToFile(publicKeyPath, creds.PublicKey, 0644)
+	if err != nil {
+		util.HandleError(err, "Failed to write Public Key to file")
+	}
+
+	err = writeToFile(signedKeyPath, creds.SignedKey, 0644)
+	if err != nil {
+		util.HandleError(err, "Failed to write Signed Key to file")
+	}
+
+	fmt.Println("Successfully wrote SSH certificate to:", signedKeyPath)
+}
+
+func signKey(cmd *cobra.Command, args []string) {
+
+	token, err := util.GetInfisicalToken(cmd)
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var infisicalToken string
+
+	if token != nil && (token.Type == util.SERVICE_TOKEN_IDENTIFIER || token.Type == util.UNIVERSAL_AUTH_TOKEN_IDENTIFIER) {
+		infisicalToken = token.Token
+	} else {
+		util.RequireLogin()
+		util.RequireLocalWorkspaceFile()
+
+		loggedInUserDetails, err := util.GetCurrentLoggedInUserDetails(true)
+		if err != nil {
+			util.HandleError(err, "Unable to authenticate")
+		}
+
+		if loggedInUserDetails.LoginExpired {
+			util.PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
+		}
+		infisicalToken = loggedInUserDetails.UserCredentials.JTWToken
+	}
+
+	certificateTemplateId, err := cmd.Flags().GetString("certificateTemplateId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+	if certificateTemplateId == "" {
+		util.PrintErrorMessageAndExit("You must set the --certificateTemplateId flag")
+	}
+
+	publicKey, err := cmd.Flags().GetString("publicKey")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	publicKeyFilePath, err := cmd.Flags().GetString("publicKeyFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if publicKey == "" && publicKeyFilePath == "" {
+		util.HandleError(fmt.Errorf("either --publicKey or --publicKeyFilePath must be provided"), "Invalid input")
+	}
+
+	if publicKey != "" && publicKeyFilePath != "" {
+		util.HandleError(fmt.Errorf("only one of --publicKey or --publicKeyFile can be provided"), "Invalid input")
+	}
+
+	if publicKeyFilePath != "" {
+		if strings.HasPrefix(publicKeyFilePath, "~") {
+			// Expand the tilde (~) to the user's home directory
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			publicKeyFilePath = strings.Replace(publicKeyFilePath, "~", homeDir, 1)
+		}
+
+		// Ensure the file has a .pub extension
+		if !strings.HasSuffix(publicKeyFilePath, ".pub") {
+			util.HandleError(fmt.Errorf("public key file must have a .pub extension"), "Invalid input")
+		}
+
+		content, err := os.ReadFile(publicKeyFilePath)
+		if err != nil {
+			util.HandleError(err, "Failed to read public key file")
+		}
+
+		publicKey = strings.TrimSpace(string(content))
+	}
+
+	if strings.TrimSpace(publicKey) == "" {
+		util.HandleError(fmt.Errorf("Public key is empty"), "Invalid input")
+	}
+
+	principalsStr, err := cmd.Flags().GetString("principals")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	// Check if the input string is empty before splitting
+	if principalsStr == "" {
+		util.HandleError(fmt.Errorf("no principals provided"), "The 'principals' flag cannot be empty")
+	}
+
+	// Convert the comma-delimited string into a slice of strings
+	principals := strings.Split(principalsStr, ",")
+	for i, principal := range principals {
+		principals[i] = strings.TrimSpace(principal)
+	}
+
+	certType, err := cmd.Flags().GetString("certType")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	if !isValidCertType(infisicalSdkUtil.SshCertType(certType)) {
+		util.HandleError(fmt.Errorf("invalid certType: %s", certType),
+			"Valid values: user, host")
+	}
+
+	ttl, err := cmd.Flags().GetString("ttl")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	keyId, err := cmd.Flags().GetString("keyId")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	outFilePath, err := cmd.Flags().GetString("outFilePath")
+	if err != nil {
+		util.HandleError(err, "Unable to parse flag")
+	}
+
+	var (
+		outputDir     string
+		signedKeyPath string
+	)
+
+	if outFilePath == "" {
+		// Use current working directory
+		if err != nil {
+			util.HandleError(err, "Failed to get current working directory")
+		}
+
+		// check if public key path exists
+		if publicKeyFilePath == "" {
+			util.PrintErrorMessageAndExit("--outFilePath must be specified when --publicKeyFilePath is not provided")
+		}
+
+		outputDir = filepath.Dir(publicKeyFilePath)
+		// Derive the base name by removing "-cert.pub"
+		baseName := strings.TrimSuffix(filepath.Base(publicKeyFilePath), ".pub")
+		signedKeyPath = filepath.Join(outputDir, baseName+"-cert.pub")
+	} else {
+		// Expand ~ to home directory if present
+		if strings.HasPrefix(outFilePath, "~") {
+			homeDir, err := os.UserHomeDir()
+			if err != nil {
+				util.HandleError(err, "Failed to resolve home directory")
+			}
+			outFilePath = strings.Replace(outFilePath, "~", homeDir, 1)
+		}
+
+		// Check if outFilePath ends with "-cert.pub"
+		if !strings.HasSuffix(outFilePath, "-cert.pub") {
+			util.PrintErrorMessageAndExit("--outFilePath must end with -cert.pub")
+		}
+
+		// Extract the directory from outFilePath
+		outputDir = filepath.Dir(outFilePath)
+
+		// Validate the output directory
+		info, err := os.Stat(outputDir)
+		if os.IsNotExist(err) {
+			// Directory does not exist; attempt to create it
+			err = os.MkdirAll(outputDir, 0755)
+			if err != nil {
+				util.HandleError(err, "Failed to create output directory")
+			}
+		} else if err != nil {
+			// Other errors accessing the directory
+			util.HandleError(err, "Failed to access output directory")
+		} else if !info.IsDir() {
+			// Path exists but is not a directory
+			util.PrintErrorMessageAndExit("The provided --outFilePath's directory is not valid")
+		}
+
+		signedKeyPath = outFilePath
+	}
+
+	infisicalClient := infisicalSdk.NewInfisicalClient(context.Background(), infisicalSdk.Config{
+		SiteUrl:          config.INFISICAL_URL,
+		UserAgent:        api.USER_AGENT,
+		AutoTokenRefresh: false,
+	})
+	infisicalClient.Auth().SetAccessToken(infisicalToken)
+
+	creds, err := infisicalClient.Ssh().SignKey(infisicalSdk.SignSshPublicKeyOptions{
+		CertificateTemplateID: certificateTemplateId,
+		PublicKey:             publicKey,
+		Principals:            principals,
+		CertType:              infisicalSdkUtil.SshCertType(certType),
+		TTL:                   ttl,
+		KeyID:                 keyId,
+	})
+
+	if err != nil {
+		util.HandleError(err, "Failed to sign SSH public key")
+	}
+
+	err = writeToFile(signedKeyPath, creds.SignedKey, 0644)
+	if err != nil {
+		util.HandleError(err, "Failed to write Signed Key to file")
+	}
+
+	fmt.Println("Successfully wrote SSH certificate to:", signedKeyPath)
+}
+
+func init() {
+	sshSignKeyCmd.Flags().String("token", "", "Issue SSH certificate using machine identity access token")
+	sshSignKeyCmd.Flags().String("certificateTemplateId", "", "The ID of the SSH certificate template to issue the SSH certificate for")
+	sshSignKeyCmd.Flags().String("publicKey", "", "The public key to sign")
+	sshSignKeyCmd.Flags().String("publicKeyFilePath", "", "The file path to the public key file to sign")
+	sshSignKeyCmd.Flags().String("outFilePath", "", "The path to write the SSH certificate to such as ~/.ssh/id_rsa-cert.pub. If not provided, the credentials will be saved to the directory of the specified public key file path or the current working directory")
+	sshSignKeyCmd.Flags().String("principals", "", "The principals that the certificate should be signed for")
+	sshSignKeyCmd.Flags().String("certType", string(infisicalSdkUtil.UserCert), "The cert type for the created certificate")
+	sshSignKeyCmd.Flags().String("ttl", "", "The ttl for the created certificate")
+	sshSignKeyCmd.Flags().String("keyId", "", "The keyId that the created certificate should have")
+	sshCmd.AddCommand(sshSignKeyCmd)
+
+	sshIssueCredentialsCmd.Flags().String("token", "", "Issue SSH credentials using machine identity access token")
+	sshIssueCredentialsCmd.Flags().String("certificateTemplateId", "", "The ID of the SSH certificate template to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("principals", "", "The principals to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("keyAlgorithm", string(infisicalSdkUtil.RSA2048), "The key algorithm to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("certType", string(infisicalSdkUtil.UserCert), "The cert type to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("ttl", "", "The ttl to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("keyId", "", "The keyId to issue SSH credentials for")
+	sshIssueCredentialsCmd.Flags().String("outFilePath", "", "The path to write the SSH credentials to such as ~/.ssh, ./some_folder, ./some_folder/id_rsa-cert.pub. If not provided, the credentials will be saved to the current working directory")
+	sshCmd.AddCommand(sshIssueCredentialsCmd)
+	rootCmd.AddCommand(sshCmd)
+}
--- a/frontend/src/hooks/api/auth/queries.tsx
+++ b/frontend/src/hooks/api/auth/queries.tsx
@ -77,16 +77,11 @@ export const selectOrganization = async (data: {
 export const useSelectOrganization = () => {
  const queryClient = useQueryClient();
  return useMutation({
-    mutationFn: async (details: {
-      organizationId: string;
-      userAgent?: UserAgentType;
-      forceSetCredentials?: boolean;
-    }) => {
+    mutationFn: async (details: { organizationId: string; userAgent?: UserAgentType }) => {
      const data = await selectOrganization(details);

      // If a custom user agent is set, then this session is meant for another consuming application, not the web application.
-      if ((!details.userAgent && !data.isMfaEnabled) || details.forceSetCredentials) {
-        localStorage.setItem("orgData.id", details.organizationId);
+      if (!details.userAgent && !data.isMfaEnabled) {
        SecurityClient.setToken(data.token);
        SecurityClient.setProviderAuthToken("");
      }
--- a/frontend/src/hooks/api/organization/queries.tsx
+++ b/frontend/src/hooks/api/organization/queries.tsx
@ -1,6 +1,5 @@
 import { useMutation, useQuery, useQueryClient, UseQueryOptions } from "@tanstack/react-query";

-import SecurityClient from "@app/components/utilities/SecurityClient";
 import { apiRequest } from "@app/config/request";
 import { OrderByDirection } from "@app/hooks/api/generic/types";

@ -68,7 +67,7 @@ export const useCreateOrg = (options: { invalidate: boolean } = { invalidate: tr
    mutationFn: async ({ name }: { name: string }) => {
      const {
        data: { organization }
-      } = await apiRequest.post<{ organization: { id: string } }>("/api/v2/organizations", {
+      } = await apiRequest.post("/api/v2/organizations", {
        name
      });

@ -438,13 +437,10 @@ export const useDeleteOrgById = () => {
  return useMutation({
    mutationFn: async ({ organizationId }: { organizationId: string }) => {
      const {
-        data: { organization, accessToken }
-      } = await apiRequest.delete<{ organization: Organization; accessToken: string }>(
+        data: { organization }
+      } = await apiRequest.delete<{ organization: Organization }>(
        `/api/v2/organizations/${organizationId}`
      );
-      SecurityClient.setToken(accessToken);
-      localStorage.removeItem("orgData.id");
-
      return organization;
    },
    onSuccess(_, dto) {
--- a/frontend/src/views/Login/Login.utils.tsx
+++ b/frontend/src/views/Login/Login.utils.tsx
@ -7,7 +7,7 @@ import { ProjectType } from "@app/hooks/api/workspace/types";
 import { queryClient } from "@app/reactQuery";

 export const navigateUserToOrg = async (router: NextRouter, organizationId?: string) => {
-  const userOrgs = await fetchOrganizations().catch(() => []);
+  const userOrgs = await fetchOrganizations();

  const nonAuthEnforcedOrgs = userOrgs.filter((org) => !org.authEnforced);

--- a/frontend/src/views/Org/components/CreateOrgModal.tsx
+++ b/frontend/src/views/Org/components/CreateOrgModal.tsx
@ -6,7 +6,7 @@ import z from "zod";

 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Input, Modal, ModalContent } from "@app/components/v2";
-import { useCreateOrg, useGetOrganizations, useSelectOrganization } from "@app/hooks/api";
+import { useCreateOrg, useSelectOrganization } from "@app/hooks/api";
 import { ProjectType } from "@app/hooks/api/workspace/types";

 const schema = z
@ -23,10 +23,9 @@ interface CreateOrgModalProps {
 }

 export const CreateOrgModal: FC<CreateOrgModalProps> = ({ isOpen, onClose }) => {
+  
  const router = useRouter();

-  const { refetch: refetchOrganizations } = useGetOrganizations();
-
  const {
    control,
    handleSubmit,
@ -51,21 +50,19 @@ export const CreateOrgModal: FC<CreateOrgModalProps> = ({ isOpen, onClose }) =>
      });

      await selectOrg({
-        organizationId: organization.id,
-        forceSetCredentials: true
+        organizationId: organization.id
      });

-      await refetchOrganizations();
-
      createNotification({
        text: "Successfully created organization",
        type: "success"
      });

-      if (router.isReady)
-        router.push(`/org/${organization.id}/${ProjectType.SecretManager}/overview`);
+      if (router.isReady) router.push(`/org/${organization.id}/${ProjectType.SecretManager}/overview`);
      else window.location.href = `/org/${organization.id}/${ProjectType.SecretManager}/overview`;

+      localStorage.setItem("orgData.id", organization.id);
+
      reset();
      onClose();
    } catch (err) {
Author	SHA1	Message	Date
Tuan Dang	058475fc3f	Ran go mod tidy	2024-12-18 11:45:09 -08:00
Tuan Dang	ee4eb7f84b	Update Go SDK version dependency	2024-12-18 11:32:09 -08:00
Tuan Dang	b4b417658f	Update ssh cli api error messages	2024-12-18 09:22:06 -08:00
Tuan Dang	31a21a432d	Update isValidKeyAlgorithm impl	2024-12-17 20:40:03 -08:00
Tuan Dang	765280eef6	Update ssh cli issue/sign according to review	2024-12-17 13:12:47 -08:00
Tuan Dang	be36827392	Finish ssh cli sign/issue commands	2024-12-16 17:42:11 -08:00
Tuan Dang	097512c691	Begin adding ssh commands to cli	2024-12-15 17:30:57 -08:00