improvement: add name constraint error feedback to update cmek

Fix: Exclude Reserved Folders from Deep Search Folder Query

.env.example

@@ -26,7 +26,8 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_NAME=
+SMTP_FROM_ADDRESS=
+SMTP_FROM_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 
@@ -104,4 +105,7 @@ INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID=
 INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET=
 INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY=
 INF_APP_CONNECTION_GITHUB_APP_SLUG=
-INF_APP_CONNECTION_GITHUB_APP_ID=
+INF_APP_CONNECTION_GITHUB_APP_ID=
+
+#gcp app
+INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL=

.github/workflows/helm-release-infisical-core.yml

@@ -1,4 +1,4 @@
-name: Release Helm Charts
+name: Release Infisical Core Helm chart
 
 on: [workflow_dispatch]
 
@@ -17,6 +17,6 @@ jobs:
       - name: Install Cloudsmith CLI
         run: pip install --upgrade cloudsmith-cli
       - name: Build and push helm package to Cloudsmith
-        run: cd helm-charts && sh upload-to-cloudsmith.sh
+        run: cd helm-charts && sh upload-infisical-core-helm-cloudsmith.sh
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/release_docker_k8_operator.yaml

@@ -1,4 +1,4 @@
-name: Release Docker image for K8 operator
+name: Release image + Helm chart K8s Operator
 on:
   push:
     tags:
@@ -35,3 +35,18 @@ jobs:
           tags: |
             infisical/kubernetes-operator:latest
             infisical/kubernetes-operator:${{ steps.extract_version.outputs.version }}
+
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.10.0
+      - name: Install python
+        uses: actions/setup-python@v4
+      - name: Install Cloudsmith CLI
+        run: pip install --upgrade cloudsmith-cli
+      - name: Build and push helm package to Cloudsmith
+        run: cd helm-charts && sh upload-k8s-operator-cloudsmith.sh
+        env:
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

Makefile

@@ -30,3 +30,6 @@ reviewable-api:
 	npm run type:check
 
 reviewable: reviewable-ui reviewable-api
+
+up-dev-sso:
+	docker compose -f docker-compose.dev.yml --profile sso up --build

README.md

@@ -125,7 +125,7 @@ Install pre commit hook to scan each commit before you push to your repository
 infisical scan install --pre-commit-hook
 ```
 
-Lean about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
+Learn about Infisical's code scanning feature [here](https://infisical.com/docs/cli/scanning-overview)
 
 ## Open-source vs. paid
 

backend/src/db/migrations/20250129214629_oidc-configs-manage-group-memberships-col.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
+
+  await knex.schema.alterTable(TableName.OidcConfig, (tb) => {
+    if (!hasManageGroupMembershipsCol) {
+      tb.boolean("manageGroupMemberships").notNullable().defaultTo(false);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasManageGroupMembershipsCol = await knex.schema.hasColumn(TableName.OidcConfig, "manageGroupMemberships");
+
+  await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+    if (hasManageGroupMembershipsCol) {
+      t.dropColumn("manageGroupMemberships");
+    }
+  });
+}

backend/src/db/migrations/20250204025010_app-connections-and-secret-syncs-unique-constraint.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.unique(["orgId", "name"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.unique(["projectId", "name"]);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.AppConnection, (t) => {
+    t.dropUnique(["orgId", "name"]);
+  });
+
+  await knex.schema.alterTable(TableName.SecretSync, (t) => {
+    t.dropUnique(["projectId", "name"]);
+  });
+}

backend/src/db/migrations/20250205045509_increase-gcp-auth-limit.ts

@@ -0,0 +1,37 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
+  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
+  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
+    TableName.IdentityGcpAuth,
+    "allowedServiceAccounts"
+  );
+  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
+  if (hasTable) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      if (hasAllowedProjectsColumn) t.string("allowedProjects", 2500).alter();
+      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts", 5000).alter();
+      if (hasAllowedZones) t.string("allowedZones", 2500).alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasTable = await knex.schema.hasTable(TableName.IdentityGcpAuth);
+  const hasAllowedProjectsColumn = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedProjects");
+  const hasAllowedServiceAccountsColumn = await knex.schema.hasColumn(
+    TableName.IdentityGcpAuth,
+    "allowedServiceAccounts"
+  );
+  const hasAllowedZones = await knex.schema.hasColumn(TableName.IdentityGcpAuth, "allowedZones");
+  if (hasTable) {
+    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
+      if (hasAllowedProjectsColumn) t.string("allowedProjects").alter();
+      if (hasAllowedServiceAccountsColumn) t.string("allowedServiceAccounts").alter();
+      if (hasAllowedZones) t.string("allowedZones").alter();
+    });
+  }
+}

backend/src/db/migrations/20250205220952_kms-keys-drop-slug-col.ts

@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (hasSlugCol) {
+      await knex.schema.alterTable(TableName.KmsKey, (t) => {
+        t.dropColumn("slug");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.KmsKey)) {
+    const hasSlugCol = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+
+    if (!hasSlugCol) {
+      await knex.schema.alterTable(TableName.KmsKey, (t) => {
+        t.string("slug", 32);
+      });
+    }
+  }
+}

backend/src/db/schemas/identity-gcp-auths.ts

@@ -17,9 +17,9 @@ export const IdentityGcpAuthsSchema = z.object({
   updatedAt: z.date(),
   identityId: z.string().uuid(),
   type: z.string(),
-  allowedServiceAccounts: z.string(),
-  allowedProjects: z.string(),
-  allowedZones: z.string()
+  allowedServiceAccounts: z.string().nullable().optional(),
+  allowedProjects: z.string().nullable().optional(),
+  allowedZones: z.string().nullable().optional()
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/kms-keys.ts

@@ -16,8 +16,7 @@ export const KmsKeysSchema = z.object({
   name: z.string(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string().nullable().optional(),
-  slug: z.string().nullable().optional()
+  projectId: z.string().nullable().optional()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/oidc-configs.ts

@@ -27,7 +27,8 @@ export const OidcConfigsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   orgId: z.string().uuid(),
-  lastUsed: z.date().nullable().optional()
+  lastUsed: z.date().nullable().optional(),
+  manageGroupMemberships: z.boolean().default(false)
 });
 
 export type TOidcConfigs = z.infer<typeof OidcConfigsSchema>;

backend/src/ee/routes/v1/oidc-router.ts

@@ -153,7 +153,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           discoveryURL: true,
           isActive: true,
           orgId: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
+          manageGroupMemberships: true
         }).extend({
           clientId: z.string(),
           clientSecret: z.string()
@@ -207,7 +208,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           userinfoEndpoint: z.string().trim(),
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
-          isActive: z.boolean()
+          isActive: z.boolean(),
+          manageGroupMemberships: z.boolean().optional()
         })
         .partial()
         .merge(z.object({ orgSlug: z.string() })),
@@ -223,7 +225,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           userinfoEndpoint: true,
           orgId: true,
           allowedEmailDomains: true,
-          isActive: true
+          isActive: true,
+          manageGroupMemberships: true
         })
       }
     },
@@ -272,7 +275,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean(),
-          orgSlug: z.string().trim()
+          orgSlug: z.string().trim(),
+          manageGroupMemberships: z.boolean().optional().default(false)
         })
         .superRefine((data, ctx) => {
           if (data.configurationType === OIDCConfigurationType.CUSTOM) {
@@ -334,7 +338,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           userinfoEndpoint: true,
           orgId: true,
           isActive: true,
-          allowedEmailDomains: true
+          allowedEmailDomains: true,
+          manageGroupMemberships: true
         })
       }
     },
@@ -350,4 +355,25 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
       return oidc;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/manage-group-memberships",
+    schema: {
+      querystring: z.object({
+        orgId: z.string().trim().min(1, "Org ID is required")
+      }),
+      response: {
+        200: z.object({
+          isEnabled: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const isEnabled = await server.services.oidc.isOidcManageGroupMembershipsEnabled(req.query.orgId, req.permission);
+
+      return { isEnabled };
+    }
+  });
 };

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -39,11 +39,13 @@ export const auditLogDALFactory = (db: TDbClient) => {
       offset = 0,
       actorId,
       actorType,
+      secretPath,
       eventType,
       eventMetadata
     }: Omit<TFindQuery, "actor" | "eventType"> & {
       actorId?: string;
       actorType?: ActorType;
+      secretPath?: string;
       eventType?: EventType[];
       eventMetadata?: Record<string, string>;
     },
@@ -88,6 +90,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
         });
       }
 
+      if (projectId && secretPath) {
+        void sqlQuery.whereRaw(`"eventMetadata" @> jsonb_build_object('secretPath', ?::text)`, [secretPath]);
+      }
+
       // Filter by actor type
       if (actorType) {
         void sqlQuery.where("actor", actorType);

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -46,10 +46,6 @@ export const auditLogServiceFactory = ({
         actorOrgId
       );
 
-      /**
-       * NOTE (dangtony98): Update this to organization-level audit log permission check once audit logs are moved
-       * to the organization level ✅
-       */
       ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
     }
 
@@ -64,6 +60,7 @@ export const auditLogServiceFactory = ({
       actorId: filter.auditLogActorId,
       actorType: filter.actorType,
       eventMetadata: filter.eventMetadata,
+      secretPath: filter.secretPath,
       ...(filter.projectId ? { projectId: filter.projectId } : { orgId: actorOrgId })
     });
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -32,6 +32,7 @@ export type TListProjectAuditLogDTO = {
     projectId?: string;
     auditLogActorId?: string;
     actorType?: ActorType;
+    secretPath?: string;
     eventMetadata?: Record<string, string>;
   };
 } & Omit<TProjectPermission, "projectId">;
@@ -222,6 +223,7 @@ export enum EventType {
   UPDATE_CMEK = "update-cmek",
   DELETE_CMEK = "delete-cmek",
   GET_CMEKS = "get-cmeks",
+  GET_CMEK = "get-cmek",
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
@@ -248,7 +250,9 @@ export enum EventType {
   DELETE_SECRET_SYNC = "delete-secret-sync",
   SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
   SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
-  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
+  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets",
+  OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER = "oidc-group-membership-mapping-assign-user",
+  OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER = "oidc-group-membership-mapping-remove-user"
 }
 
 interface UserActorMetadata {
@@ -759,9 +763,9 @@ interface AddIdentityGcpAuthEvent {
   metadata: {
     identityId: string;
     type: string;
-    allowedServiceAccounts: string;
-    allowedProjects: string;
-    allowedZones: string;
+    allowedServiceAccounts?: string | null;
+    allowedProjects?: string | null;
+    allowedZones?: string | null;
     accessTokenTTL: number;
     accessTokenMaxTTL: number;
     accessTokenNumUsesLimit: number;
@@ -781,9 +785,9 @@ interface UpdateIdentityGcpAuthEvent {
   metadata: {
     identityId: string;
     type?: string;
-    allowedServiceAccounts?: string;
-    allowedProjects?: string;
-    allowedZones?: string;
+    allowedServiceAccounts?: string | null;
+    allowedProjects?: string | null;
+    allowedZones?: string | null;
     accessTokenTTL?: number;
     accessTokenMaxTTL?: number;
     accessTokenNumUsesLimit?: number;
@@ -1834,6 +1838,13 @@ interface GetCmeksEvent {
   };
 }
 
+interface GetCmekEvent {
+  type: EventType.GET_CMEK;
+  metadata: {
+    keyId: string;
+  };
+}
+
 interface CmekEncryptEvent {
   type: EventType.CMEK_ENCRYPT;
   metadata: {
@@ -2043,6 +2054,26 @@ interface SecretSyncRemoveSecretsEvent {
   };
 }
 
+interface OidcGroupMembershipMappingAssignUserEvent {
+  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER;
+  metadata: {
+    assignedToGroups: { id: string; name: string }[];
+    userId: string;
+    userEmail: string;
+    userGroupsClaim: string[];
+  };
+}
+
+interface OidcGroupMembershipMappingRemoveUserEvent {
+  type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER;
+  metadata: {
+    removedFromGroups: { id: string; name: string }[];
+    userId: string;
+    userEmail: string;
+    userGroupsClaim: string[];
+  };
+}
+
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -2204,6 +2235,7 @@ export type Event =
   | CreateCmekEvent
   | UpdateCmekEvent
   | DeleteCmekEvent
+  | GetCmekEvent
   | GetCmeksEvent
   | CmekEncryptEvent
   | CmekDecryptEvent
@@ -2231,4 +2263,6 @@ export type Event =
   | DeleteSecretSyncEvent
   | SecretSyncSyncSecretsEvent
   | SecretSyncImportSecretsEvent
-  | SecretSyncRemoveSecretsEvent;
+  | SecretSyncRemoveSecretsEvent
+  | OidcGroupMembershipMappingAssignUserEvent
+  | OidcGroupMembershipMappingRemoveUserEvent;

backend/src/ee/services/group/group-service.ts

@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
 import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { TOidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -45,6 +46,7 @@ type TGroupServiceFactoryDep = {
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
 };
 
 export type TGroupServiceFactory = ReturnType<typeof groupServiceFactory>;
@@ -59,7 +61,8 @@ export const groupServiceFactory = ({
   projectBotDAL,
   projectKeyDAL,
   permissionService,
-  licenseService
+  licenseService,
+  oidcConfigDAL
 }: TGroupServiceFactoryDep) => {
   const createGroup = async ({ name, slug, role, actor, actorId, actorAuthMethod, actorOrgId }: TCreateGroupDTO) => {
     if (!actorOrgId) throw new UnauthorizedError({ message: "No organization ID provided in request" });
@@ -311,6 +314,18 @@ export const groupServiceFactory = ({
         message: `Failed to find group with ID ${id}`
       });
 
+    const oidcConfig = await oidcConfigDAL.findOne({
+      orgId: group.orgId,
+      isActive: true
+    });
+
+    if (oidcConfig?.manageGroupMemberships) {
+      throw new BadRequestError({
+        message:
+          "Cannot add user to group: OIDC group membership mapping is enabled - user must be assigned to this group in your OIDC provider."
+      });
+    }
+
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group
@@ -366,6 +381,18 @@ export const groupServiceFactory = ({
         message: `Failed to find group with ID ${id}`
       });
 
+    const oidcConfig = await oidcConfigDAL.findOne({
+      orgId: group.orgId,
+      isActive: true
+    });
+
+    if (oidcConfig?.manageGroupMemberships) {
+      throw new BadRequestError({
+        message:
+          "Cannot remove user from group: OIDC group membership mapping is enabled - user must be removed from this group in your OIDC provider."
+      });
+    }
+
     const { permission: groupRolePermission } = await permissionService.getOrgPermissionByRole(group.role, actorOrgId);
 
     // check if user has broader or equal to privileges than group

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -5,6 +5,11 @@ import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet }
 
 import { OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
+import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
+import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
+import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
@@ -18,13 +23,18 @@ import {
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
-import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { OrgServiceActor } from "@app/lib/types";
+import { ActorType, AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
 import { getDefaultOrgMembershipRole } from "@app/services/org/org-role-fns";
 import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { LoginMethod } from "@app/services/super-admin/super-admin-types";
@@ -45,7 +55,14 @@ import {
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
     TUserDALFactory,
-    "create" | "findOne" | "transaction" | "updateById" | "findById" | "findUserEncKeyByUserId"
+    | "create"
+    | "findOne"
+    | "updateById"
+    | "findById"
+    | "findUserEncKeyByUserId"
+    | "findUserEncKeyByUserIdsBatch"
+    | "find"
+    | "transaction"
   >;
   userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   orgDAL: Pick<
@@ -57,8 +74,23 @@ type TOidcConfigServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
   tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
   smtpService: Pick<TSmtpService, "sendMail" | "verify">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getUserOrgPermission">;
   oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "update" | "create">;
+  groupDAL: Pick<TGroupDALFactory, "findByOrgId">;
+  userGroupMembershipDAL: Pick<
+    TUserGroupMembershipDALFactory,
+    | "find"
+    | "transaction"
+    | "insertMany"
+    | "findGroupMembershipsByUserIdInOrg"
+    | "delete"
+    | "filterProjectsByUserMembership"
+  >;
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  auditLogService: Pick<TAuditLogServiceFactory, "createAuditLog">;
 };
 
 export type TOidcConfigServiceFactory = ReturnType<typeof oidcConfigServiceFactory>;
@@ -73,7 +105,14 @@ export const oidcConfigServiceFactory = ({
   tokenService,
   orgBotDAL,
   smtpService,
-  oidcConfigDAL
+  oidcConfigDAL,
+  userGroupMembershipDAL,
+  groupDAL,
+  groupProjectDAL,
+  projectKeyDAL,
+  projectDAL,
+  projectBotDAL,
+  auditLogService
 }: TOidcConfigServiceFactoryDep) => {
   const getOidc = async (dto: TGetOidcCfgDTO) => {
     const org = await orgDAL.findOne({ slug: dto.orgSlug });
@@ -156,11 +195,21 @@ export const oidcConfigServiceFactory = ({
       isActive: oidcCfg.isActive,
       allowedEmailDomains: oidcCfg.allowedEmailDomains,
       clientId,
-      clientSecret
+      clientSecret,
+      manageGroupMemberships: oidcCfg.manageGroupMemberships
     };
   };
 
-  const oidcLogin = async ({ externalId, email, firstName, lastName, orgId, callbackPort }: TOidcLoginDTO) => {
+  const oidcLogin = async ({
+    externalId,
+    email,
+    firstName,
+    lastName,
+    orgId,
+    callbackPort,
+    groups = [],
+    manageGroupMemberships
+  }: TOidcLoginDTO) => {
     const serverCfg = await getServerCfg();
 
     if (serverCfg.enabledLoginMethods && !serverCfg.enabledLoginMethods.includes(LoginMethod.OIDC)) {
@@ -315,6 +364,83 @@ export const oidcConfigServiceFactory = ({
       });
     }
 
+    if (manageGroupMemberships) {
+      const userGroups = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(user.id, orgId);
+      const orgGroups = await groupDAL.findByOrgId(orgId);
+
+      const userGroupsNames = userGroups.map((membership) => membership.groupName);
+      const missingGroupsMemberships = groups.filter((groupName) => !userGroupsNames.includes(groupName));
+      const groupsToAddUserTo = orgGroups.filter((group) => missingGroupsMemberships.includes(group.name));
+
+      for await (const group of groupsToAddUserTo) {
+        await addUsersToGroupByUserIds({
+          userIds: [user.id],
+          group,
+          userDAL,
+          userGroupMembershipDAL,
+          orgDAL,
+          groupProjectDAL,
+          projectKeyDAL,
+          projectDAL,
+          projectBotDAL
+        });
+      }
+
+      if (groupsToAddUserTo.length) {
+        await auditLogService.createAuditLog({
+          actor: {
+            type: ActorType.PLATFORM,
+            metadata: {}
+          },
+          orgId,
+          event: {
+            type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_ASSIGN_USER,
+            metadata: {
+              userId: user.id,
+              userEmail: user.email ?? user.username,
+              assignedToGroups: groupsToAddUserTo.map(({ id, name }) => ({ id, name })),
+              userGroupsClaim: groups
+            }
+          }
+        });
+      }
+
+      const membershipsToRemove = userGroups
+        .filter((membership) => !groups.includes(membership.groupName))
+        .map((membership) => membership.groupId);
+      const groupsToRemoveUserFrom = orgGroups.filter((group) => membershipsToRemove.includes(group.id));
+
+      for await (const group of groupsToRemoveUserFrom) {
+        await removeUsersFromGroupByUserIds({
+          userIds: [user.id],
+          group,
+          userDAL,
+          userGroupMembershipDAL,
+          groupProjectDAL,
+          projectKeyDAL
+        });
+      }
+
+      if (groupsToRemoveUserFrom.length) {
+        await auditLogService.createAuditLog({
+          actor: {
+            type: ActorType.PLATFORM,
+            metadata: {}
+          },
+          orgId,
+          event: {
+            type: EventType.OIDC_GROUP_MEMBERSHIP_MAPPING_REMOVE_USER,
+            metadata: {
+              userId: user.id,
+              userEmail: user.email ?? user.username,
+              removedFromGroups: groupsToRemoveUserFrom.map(({ id, name }) => ({ id, name })),
+              userGroupsClaim: groups
+            }
+          }
+        });
+      }
+    }
+
     await licenseService.updateSubscriptionOrgMemberCount(organization.id);
 
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
@@ -385,7 +511,8 @@ export const oidcConfigServiceFactory = ({
     tokenEndpoint,
     userinfoEndpoint,
     clientId,
-    clientSecret
+    clientSecret,
+    manageGroupMemberships
   }: TUpdateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -448,7 +575,8 @@ export const oidcConfigServiceFactory = ({
       userinfoEndpoint,
       jwksUri,
       isActive,
-      lastUsed: null
+      lastUsed: null,
+      manageGroupMemberships
     };
 
     if (clientId !== undefined) {
@@ -491,7 +619,8 @@ export const oidcConfigServiceFactory = ({
     tokenEndpoint,
     userinfoEndpoint,
     clientId,
-    clientSecret
+    clientSecret,
+    manageGroupMemberships
   }: TCreateOidcCfgDTO) => {
     const org = await orgDAL.findOne({
       slug: orgSlug
@@ -589,7 +718,8 @@ export const oidcConfigServiceFactory = ({
       clientIdTag,
       encryptedClientSecret,
       clientSecretIV,
-      clientSecretTag
+      clientSecretTag,
+      manageGroupMemberships
     });
 
     return oidcCfg;
@@ -683,7 +813,9 @@ export const oidcConfigServiceFactory = ({
           firstName: claims.given_name ?? "",
           lastName: claims.family_name ?? "",
           orgId: org.id,
-          callbackPort
+          groups: claims.groups as string[] | undefined,
+          callbackPort,
+          manageGroupMemberships: oidcCfg.manageGroupMemberships
         })
           .then(({ isUserCompleted, providerAuthToken }) => {
             cb(null, { isUserCompleted, providerAuthToken });
@@ -697,5 +829,16 @@ export const oidcConfigServiceFactory = ({
     return strategy;
   };
 
-  return { oidcLogin, getOrgAuthStrategy, getOidc, updateOidcCfg, createOidcCfg };
+  const isOidcManageGroupMembershipsEnabled = async (orgId: string, actor: OrgServiceActor) => {
+    await permissionService.getUserOrgPermission(actor.id, orgId, actor.authMethod, actor.orgId);
+
+    const oidcConfig = await oidcConfigDAL.findOne({
+      orgId,
+      isActive: true
+    });
+
+    return Boolean(oidcConfig?.manageGroupMemberships);
+  };
+
+  return { oidcLogin, getOrgAuthStrategy, getOidc, updateOidcCfg, createOidcCfg, isOidcManageGroupMembershipsEnabled };
 };

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -12,6 +12,8 @@ export type TOidcLoginDTO = {
   lastName?: string;
   orgId: string;
   callbackPort?: string;
+  groups?: string[];
+  manageGroupMemberships?: boolean | null;
 };
 
 export type TGetOidcCfgDTO =
@@ -37,6 +39,7 @@ export type TCreateOidcCfgDTO = {
   clientSecret: string;
   isActive: boolean;
   orgSlug: string;
+  manageGroupMemberships: boolean;
 } & TGenericPermission;
 
 export type TUpdateOidcCfgDTO = Partial<{
@@ -52,5 +55,6 @@ export type TUpdateOidcCfgDTO = Partial<{
   clientSecret: string;
   isActive: boolean;
   orgSlug: string;
+  manageGroupMemberships: boolean;
 }> &
   TGenericPermission;

backend/src/ee/services/permission/project-permission.ts

@@ -163,6 +163,27 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Kms];
 
+const SECRET_PATH_MISSING_SLASH_ERR_MSG = "Invalid Secret Path; it must start with a '/'";
+const SECRET_PATH_PERMISSION_OPERATOR_SCHEMA = z.union([
+  z.string().refine((val) => val.startsWith("/"), SECRET_PATH_MISSING_SLASH_ERR_MSG),
+  z
+    .object({
+      [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ].refine(
+        (val) => val.startsWith("/"),
+        SECRET_PATH_MISSING_SLASH_ERR_MSG
+      ),
+      [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ].refine(
+        (val) => val.startsWith("/"),
+        SECRET_PATH_MISSING_SLASH_ERR_MSG
+      ),
+      [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN].refine(
+        (val) => val.every((el) => el.startsWith("/")),
+        SECRET_PATH_MISSING_SLASH_ERR_MSG
+      ),
+      [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
+    })
+    .partial()
+]);
 // akhilmhdh: don't modify this for v2
 // if you want to update create a new schema
 const SecretConditionV1Schema = z
@@ -177,17 +198,7 @@ const SecretConditionV1Schema = z
         })
         .partial()
     ]),
-    secretPath: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
-        })
-        .partial()
-    ])
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA
   })
   .partial();
 
@@ -204,17 +215,7 @@ const SecretConditionV2Schema = z
         })
         .partial()
     ]),
-    secretPath: z.union([
-      z.string(),
-      z
-        .object({
-          [PermissionConditionOperators.$EQ]: PermissionConditionSchema[PermissionConditionOperators.$EQ],
-          [PermissionConditionOperators.$NEQ]: PermissionConditionSchema[PermissionConditionOperators.$NEQ],
-          [PermissionConditionOperators.$IN]: PermissionConditionSchema[PermissionConditionOperators.$IN],
-          [PermissionConditionOperators.$GLOB]: PermissionConditionSchema[PermissionConditionOperators.$GLOB]
-        })
-        .partial()
-    ]),
+    secretPath: SECRET_PATH_PERMISSION_OPERATOR_SCHEMA,
     secretName: z.union([
       z.string(),
       z

backend/src/lib/api-docs/constants.ts

@@ -828,6 +828,8 @@ export const AUDIT_LOGS = {
     projectId:
       "Optionally filter logs by project ID. If not provided, logs from the entire organization will be returned.",
     eventType: "The type of the event to export.",
+    secretPath:
+      "The path of the secret to query audit logs for. Note that the projectId parameter must also be provided.",
     userAgentType: "Choose which consuming application to export audit logs for.",
     eventMetadata:
       "Filter by event metadata key-value pairs. Formatted as `key1=value1,key2=value2`, with comma-separation.",
@@ -1589,6 +1591,13 @@ export const KMS = {
     orderDirection: "The direction to order keys in.",
     search: "The text string to filter key names by."
   },
+  GET_KEY_BY_ID: {
+    keyId: "The ID of the KMS key to retrieve."
+  },
+  GET_KEY_BY_NAME: {
+    keyName: "The name of the KMS key to retrieve.",
+    projectId: "The ID of the project the key belongs to."
+  },
   ENCRYPT: {
     keyId: "The ID of the key to encrypt the data with.",
     plaintext: "The plaintext to be encrypted (base64 encoded)."

backend/src/lib/config/env.ts

@@ -201,6 +201,9 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
 
+    // gcp app
+    INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL: zpStr(z.string().optional()),
+
     /* CORS ----------------------------------------------------------------------------- */
 
     CORS_ALLOWED_ORIGINS: zpStr(

backend/src/lib/crypto/encryption.ts

@@ -116,7 +116,7 @@ export const decryptAsymmetric = ({ ciphertext, nonce, publicKey, privateKey }:
 
 export const generateSymmetricKey = (size = 32) => crypto.randomBytes(size).toString("base64");
 
-export const generateHash = (value: string) => crypto.createHash("sha256").update(value).digest("hex");
+export const generateHash = (value: string | Buffer) => crypto.createHash("sha256").update(value).digest("hex");
 
 export const generateAsymmetricKeyPair = () => {
   const pair = nacl.box.keyPair();

backend/src/lib/error-codes/database.ts

@@ -0,0 +1,4 @@
+export enum DatabaseErrorCode {
+  ForeignKeyViolation = "23503",
+  UniqueViolation = "23505"
+}

backend/src/lib/error-codes/index.ts

@@ -0,0 +1 @@
+export * from "./database";

backend/src/lib/knex/index.ts

@@ -7,6 +7,7 @@ import { buildDynamicKnexQuery, TKnexDynamicOperator } from "./dynamic";
 
 export * from "./connection";
 export * from "./join";
+export * from "./prependTableNameToFindFilter";
 export * from "./select";
 
 export const withTransaction = <K extends object>(db: Knex, dal: K) => ({

backend/src/lib/knex/prependTableNameToFindFilter.ts

@@ -0,0 +1,13 @@
+import { TableName } from "@app/db/schemas";
+import { buildFindFilter } from "@app/lib/knex/index";
+
+type TFindFilterParameters = Parameters<typeof buildFindFilter<object>>[0];
+
+export const prependTableNameToFindFilter = (tableName: TableName, filterObj: object): TFindFilterParameters =>
+  Object.fromEntries(
+    Object.entries(filterObj).map(([key, value]) =>
+      key.startsWith("$")
+        ? [key, prependTableNameToFindFilter(tableName, value as object)]
+        : [`${tableName}.${key}`, value]
+    )
+  );

backend/src/server/routes/index.ts

@@ -467,7 +467,8 @@ export const registerRoutes = async (
     projectBotDAL,
     projectKeyDAL,
     permissionService,
-    licenseService
+    licenseService,
+    oidcConfigDAL
   });
   const groupProjectService = groupProjectServiceFactory({
     groupDAL,
@@ -1337,7 +1338,14 @@ export const registerRoutes = async (
     smtpService,
     orgBotDAL,
     permissionService,
-    oidcConfigDAL
+    oidcConfigDAL,
+    projectBotDAL,
+    projectKeyDAL,
+    projectDAL,
+    userGroupMembershipDAL,
+    groupProjectDAL,
+    groupDAL,
+    auditLogService
   });
 
   const userEngagementService = userEngagementServiceFactory({

backend/src/server/routes/sanitizedSchemas.ts

@@ -110,7 +110,6 @@ export const secretRawSchema = z.object({
   secretReminderNote: z.string().nullable().optional(),
   secretReminderRepeatDays: z.number().nullable().optional(),
   skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
-  metadata: z.unknown().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -4,18 +4,21 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
+import { GcpConnectionListItemSchema, SanitizedGcpConnectionSchema } from "@app/services/app-connection/gcp";
 import { GitHubConnectionListItemSchema, SanitizedGitHubConnectionSchema } from "@app/services/app-connection/github";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 // can't use discriminated due to multiple schemas for certain apps
 const SanitizedAppConnectionSchema = z.union([
   ...SanitizedAwsConnectionSchema.options,
-  ...SanitizedGitHubConnectionSchema.options
+  ...SanitizedGitHubConnectionSchema.options,
+  ...SanitizedGcpConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   AwsConnectionListItemSchema,
-  GitHubConnectionListItemSchema
+  GitHubConnectionListItemSchema,
+  GcpConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/gcp-connection-router.ts

@@ -0,0 +1,48 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateGcpConnectionSchema,
+  SanitizedGcpConnectionSchema,
+  UpdateGcpConnectionSchema
+} from "@app/services/app-connection/gcp";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerGcpConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.GCP,
+    server,
+    sanitizedResponseSchema: SanitizedGcpConnectionSchema,
+    createSchema: CreateGcpConnectionSchema,
+    updateSchema: UpdateGcpConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/secret-manager-projects`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z.object({ id: z.string(), name: z.string() }).array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const projects = await server.services.appConnection.gcp.listSecretManagerProjects(connectionId, req.permission);
+
+      return projects;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,6 +1,7 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
 import { registerAwsConnectionRouter } from "./aws-connection-router";
+import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 
 export * from "./app-connection-router";
@@ -8,5 +9,6 @@ export * from "./app-connection-router";
 export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server: FastifyZodProvider) => Promise<void>> =
   {
     [AppConnection.AWS]: registerAwsConnectionRouter,
-    [AppConnection.GitHub]: registerGitHubConnectionRouter
+    [AppConnection.GitHub]: registerGitHubConnectionRouter,
+    [AppConnection.GCP]: registerGcpConnectionRouter
   };

backend/src/server/routes/v1/cmek-router.ts

@@ -15,6 +15,10 @@ import { CmekOrderBy } from "@app/services/cmek/cmek-types";
 const keyNameSchema = slugSchema({ min: 1, max: 32, field: "Name" });
 const keyDescriptionSchema = z.string().trim().max(500).optional();
 
+const CmekSchema = KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).omit({
+  isReserved: true
+});
+
 const base64Schema = z.string().superRefine((val, ctx) => {
   if (!isBase64(val)) {
     ctx.addIssue({
@@ -53,7 +57,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
         })
       }
     },
@@ -106,7 +110,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
         })
       }
     },
@@ -150,7 +154,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          key: KmsKeysSchema
+          key: CmekSchema
         })
       }
     },
@@ -201,7 +205,7 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          keys: KmsKeysSchema.merge(InternalKmsSchema.pick({ version: true, encryptionAlgorithm: true })).array(),
+          keys: CmekSchema.array(),
           totalCount: z.number()
         })
       }
@@ -230,6 +234,92 @@ export const registerCmekRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/keys/:keyId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get KMS key by ID",
+      params: z.object({
+        keyId: z.string().uuid().describe(KMS.GET_KEY_BY_ID.keyId)
+      }),
+      response: {
+        200: z.object({
+          key: CmekSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyId },
+        permission
+      } = req;
+
+      const key = await server.services.cmek.findCmekById(keyId, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: key.projectId!,
+        event: {
+          type: EventType.GET_CMEK,
+          metadata: {
+            keyId: key.id
+          }
+        }
+      });
+
+      return { key };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/keys/key-name/:keyName",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get KMS key by Name",
+      params: z.object({
+        keyName: slugSchema({ field: "Key name" }).describe(KMS.GET_KEY_BY_NAME.keyName)
+      }),
+      querystring: z.object({
+        projectId: z.string().min(1, "Project ID is required").describe(KMS.GET_KEY_BY_NAME.projectId)
+      }),
+      response: {
+        200: z.object({
+          key: CmekSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const {
+        params: { keyName },
+        query: { projectId },
+        permission
+      } = req;
+
+      const key = await server.services.cmek.findCmekByName(keyName, projectId, permission);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: key.projectId!,
+        event: {
+          type: EventType.GET_CMEK,
+          metadata: {
+            keyId: key.id
+          }
+        }
+      });
+
+      return { key };
+    }
+  });
+
   // encrypt data
   server.route({
     method: "POST",

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -79,44 +79,44 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(AWS_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        stsEndpoint: z
-          .string()
-          .trim()
-          .min(1)
-          .default("https://sts.amazonaws.com/")
-          .describe(AWS_AUTH.ATTACH.stsEndpoint),
-        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
-        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(AWS_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          stsEndpoint: z
+            .string()
+            .trim()
+            .min(1)
+            .default("https://sts.amazonaws.com/")
+            .describe(AWS_AUTH.ATTACH.stsEndpoint),
+          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
+          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(AWS_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityAwsAuth: IdentityAwsAuthsSchema
@@ -172,30 +172,33 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().describe(AWS_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
-        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
-        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
+          allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
+          allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityAwsAuth: IdentityAwsAuthsSchema

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -76,39 +76,44 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId)
       }),
-      body: z.object({
-        tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
-        resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
-        allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
+          resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
+          allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityAzureAuth: IdentityAzureAuthsSchema
@@ -163,32 +168,40 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(AZURE_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
-        resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
-        allowedServicePrincipalIds: validateAzureAuthField
-          .optional()
-          .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
+          resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
+          allowedServicePrincipalIds: validateAzureAuthField
+            .optional()
+            .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityAzureAuth: IdentityAzureAuthsSchema

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -74,40 +74,40 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(GCP_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]),
-        allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
-        allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
-        allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(GCP_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          type: z.enum(["iam", "gce"]),
+          allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
+          allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
+          allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(GCP_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityGcpAuth: IdentityGcpAuthsSchema
@@ -164,31 +164,34 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(GCP_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
-        allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
-        allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          type: z.enum(["iam", "gce"]).optional(),
+          allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
+          allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
+          allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityGcpAuth: IdentityGcpAuthsSchema

backend/src/server/routes/v1/identity-jwt-auth-router.ts

@@ -34,23 +34,12 @@ const CreateBaseSchema = z.object({
     .min(1)
     .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
     .describe(JWT_AUTH.ATTACH.accessTokenTrustedIps),
-  accessTokenTTL: z
-    .number()
-    .int()
-    .min(1)
-    .max(315360000)
-    .refine((value) => value !== 0, {
-      message: "accessTokenTTL must have a non zero number"
-    })
-    .default(2592000)
-    .describe(JWT_AUTH.ATTACH.accessTokenTTL),
+  accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.ATTACH.accessTokenTTL),
   accessTokenMaxTTL: z
     .number()
     .int()
+    .min(0)
     .max(315360000)
-    .refine((value) => value !== 0, {
-      message: "accessTokenMaxTTL must have a non zero number"
-    })
     .default(2592000)
     .describe(JWT_AUTH.ATTACH.accessTokenMaxTTL),
   accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.ATTACH.accessTokenNumUsesLimit)
@@ -70,23 +59,12 @@ const UpdateBaseSchema = z
       .min(1)
       .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
       .describe(JWT_AUTH.UPDATE.accessTokenTrustedIps),
-    accessTokenTTL: z
-      .number()
-      .int()
-      .min(1)
-      .max(315360000)
-      .refine((value) => value !== 0, {
-        message: "accessTokenTTL must have a non zero number"
-      })
-      .default(2592000)
-      .describe(JWT_AUTH.UPDATE.accessTokenTTL),
+    accessTokenTTL: z.number().int().min(0).max(315360000).default(2592000).describe(JWT_AUTH.UPDATE.accessTokenTTL),
     accessTokenMaxTTL: z
       .number()
       .int()
+      .min(0)
       .max(315360000)
-      .refine((value) => value !== 0, {
-        message: "accessTokenMaxTTL must have a non zero number"
-      })
       .default(2592000)
       .describe(JWT_AUTH.UPDATE.accessTokenMaxTTL),
     accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(JWT_AUTH.UPDATE.accessTokenNumUsesLimit)

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -87,47 +87,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().trim().describe(KUBERNETES_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
-        caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
-        tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
-        allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
-        allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
-        allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .default(0)
-          .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+          caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
+          tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
+          allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
+          allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
+          allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
@@ -183,44 +183,47 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
       params: z.object({
         identityId: z.string().describe(KUBERNETES_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
-        caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
-        tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
-        allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
-        allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
-        allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(0)
-          .max(315360000)
-          .optional()
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .optional()
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+          caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
+          tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
+          allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
+          allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
+          allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityKubernetesAuth: IdentityKubernetesAuthResponseSchema

backend/src/server/routes/v1/identity-oidc-auth-router.ts

@@ -87,42 +87,42 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
       params: z.object({
         identityId: z.string().trim().describe(OIDC_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
-        caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
-        boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
-        boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
-        boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
-        boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
+          caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
+          boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
+          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
+          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityOidcAuth: IdentityOidcAuthResponseSchema
@@ -202,26 +202,24 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
           accessTokenTTL: z
             .number()
             .int()
-            .min(1)
+            .min(0)
             .max(315360000)
-            .refine((value) => value !== 0, {
-              message: "accessTokenTTL must have a non zero number"
-            })
             .default(2592000)
             .describe(OIDC_AUTH.UPDATE.accessTokenTTL),
           accessTokenMaxTTL: z
             .number()
             .int()
+            .min(0)
             .max(315360000)
-            .refine((value) => value !== 0, {
-              message: "accessTokenMaxTTL must have a non zero number"
-            })
             .default(2592000)
             .describe(OIDC_AUTH.UPDATE.accessTokenMaxTTL),
-
           accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.UPDATE.accessTokenNumUsesLimit)
         })
-        .partial(),
+        .partial()
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityOidcAuth: IdentityOidcAuthResponseSchema

backend/src/server/routes/v1/identity-token-auth-router.ts

@@ -26,36 +26,41 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(TOKEN_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityTokenAuth: IdentityTokenAuthsSchema
@@ -110,27 +115,35 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
       params: z.object({
         identityId: z.string().trim().describe(TOKEN_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityTokenAuth: IdentityTokenAuthsSchema

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -86,49 +86,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         identityId: z.string().trim().describe(UNIVERSAL_AUTH.ATTACH.identityId)
       }),
-      body: z.object({
-        clientSecretTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .default(0)
-          .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
-      }),
+      body: z
+        .object({
+          clientSecretTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(UNIVERSAL_AUTH.ATTACH.clientSecretTrustedIps),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenTTL), // 30 days
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenMaxTTL), // 30 days
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .default(0)
+            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityUniversalAuth: IdentityUniversalAuthsSchema
@@ -181,46 +181,49 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       params: z.object({
         identityId: z.string().describe(UNIVERSAL_AUTH.UPDATE.identityId)
       }),
-      body: z.object({
-        clientSecretTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(0)
-          .max(315360000)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
-        accessTokenNumUsesLimit: z
-          .number()
-          .int()
-          .min(0)
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .max(315360000)
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
-      }),
+      body: z
+        .object({
+          clientSecretTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.clientSecretTrustedIps),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z
+            .number()
+            .int()
+            .min(0)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
       response: {
         200: z.object({
           identityUniversalAuth: IdentityUniversalAuthsSchema

backend/src/server/routes/v1/integration-auth-router.ts

@@ -1151,6 +1151,50 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:integrationAuthId/vercel/custom-environments",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      querystring: z.object({
+        teamId: z.string().trim()
+      }),
+      params: z.object({
+        integrationAuthId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          environments: z
+            .object({
+              appId: z.string(),
+              customEnvironments: z
+                .object({
+                  id: z.string(),
+                  slug: z.string()
+                })
+                .array()
+            })
+            .array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const environments = await server.services.integrationAuth.getVercelCustomEnvironments({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.integrationAuthId,
+        teamId: req.query.teamId
+      });
+
+      return { environments };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/:integrationAuthId/octopus-deploy/spaces",

backend/src/server/routes/v1/organization-router.ts

@@ -11,7 +11,7 @@ import {
 } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
-import { getLastMidnightDateISO } from "@app/lib/fn";
+import { getLastMidnightDateISO, removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -113,6 +113,12 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
       querystring: z.object({
         projectId: z.string().optional().describe(AUDIT_LOGS.EXPORT.projectId),
         actorType: z.nativeEnum(ActorType).optional(),
+        secretPath: z
+          .string()
+          .optional()
+          .transform((val) => (!val ? val : removeTrailingSlash(val)))
+          .describe(AUDIT_LOGS.EXPORT.secretPath),
+
         // eventType is split with , for multiple values, we need to transform it to array
         eventType: z
           .string()

backend/src/server/routes/v1/password-router.ts

@@ -203,7 +203,8 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         encryptedPrivateKeyIV: z.string().trim(),
         encryptedPrivateKeyTag: z.string().trim(),
         salt: z.string().trim(),
-        verifier: z.string().trim()
+        verifier: z.string().trim(),
+        password: z.string().trim()
       }),
       response: {
         200: z.object({
@@ -218,7 +219,69 @@ export const registerPasswordRouter = async (server: FastifyZodProvider) => {
         userId: token.userId
       });
 
-      return { message: "Successfully updated backup private key" };
+      return { message: "Successfully reset password" };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/email/password-setup",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req) => {
+      await server.services.password.sendPasswordSetupEmail(req.permission);
+
+      return {
+        message: "A password setup link has been sent"
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/password-setup",
+    config: {
+      rateLimit: authRateLimit
+    },
+    schema: {
+      body: z.object({
+        protectedKey: z.string().trim(),
+        protectedKeyIV: z.string().trim(),
+        protectedKeyTag: z.string().trim(),
+        encryptedPrivateKey: z.string().trim(),
+        encryptedPrivateKeyIV: z.string().trim(),
+        encryptedPrivateKeyTag: z.string().trim(),
+        salt: z.string().trim(),
+        verifier: z.string().trim(),
+        password: z.string().trim(),
+        token: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    handler: async (req, res) => {
+      await server.services.password.setupPassword(req.body, req.permission);
+
+      const appCfg = getConfig();
+      void res.cookie("jid", "", {
+        httpOnly: true,
+        path: "/",
+        sameSite: "strict",
+        secure: appCfg.HTTPS_ENABLED
+      });
+
+      return { message: "Successfully setup password" };
     }
   });
 };

backend/src/server/routes/v1/secret-sync-routers/gcp-sync-router.ts

@@ -0,0 +1,13 @@
+import { CreateGcpSyncSchema, GcpSyncSchema, UpdateGcpSyncSchema } from "@app/services/secret-sync/gcp";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerGcpSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.GCPSecretManager,
+    server,
+    responseSchema: GcpSyncSchema,
+    createSchema: CreateGcpSyncSchema,
+    updateSchema: UpdateGcpSyncSchema
+  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -1,11 +1,13 @@
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
+import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 
 export * from "./secret-sync-router";
 
 export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: FastifyZodProvider) => Promise<void>> = {
   [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter,
-  [SecretSync.GitHub]: registerGitHubSyncRouter
+  [SecretSync.GitHub]: registerGitHubSyncRouter,
+  [SecretSync.GCPSecretManager]: registerGcpSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -9,13 +9,19 @@ import {
   AwsParameterStoreSyncListItemSchema,
   AwsParameterStoreSyncSchema
 } from "@app/services/secret-sync/aws-parameter-store";
+import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 
-const SecretSyncSchema = z.discriminatedUnion("destination", [AwsParameterStoreSyncSchema, GitHubSyncSchema]);
+const SecretSyncSchema = z.discriminatedUnion("destination", [
+  AwsParameterStoreSyncSchema,
+  GitHubSyncSchema,
+  GcpSyncSchema
+]);
 
 const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
   AwsParameterStoreSyncListItemSchema,
-  GitHubSyncListItemSchema
+  GitHubSyncListItemSchema,
+  GcpSyncListItemSchema
 ]);
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {

backend/src/services/app-connection/app-connection-enums.ts

@@ -1,6 +1,7 @@
 export enum AppConnection {
   GitHub = "github",
-  AWS = "aws"
+  AWS = "aws",
+  GCP = "gcp"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -1,4 +1,5 @@
 import { TAppConnections } from "@app/db/schemas/app-connections";
+import { generateHash } from "@app/lib/crypto/encryption";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TAppConnectionServiceFactoryDep } from "@app/services/app-connection/app-connection-service";
 import { TAppConnection, TAppConnectionConfig } from "@app/services/app-connection/app-connection-types";
@@ -7,6 +8,11 @@ import {
   getAwsAppConnectionListItem,
   validateAwsConnectionCredentials
 } from "@app/services/app-connection/aws";
+import {
+  GcpConnectionMethod,
+  getGcpAppConnectionListItem,
+  validateGcpConnectionCredentials
+} from "@app/services/app-connection/gcp";
 import {
   getGitHubConnectionListItem,
   GitHubConnectionMethod,
@@ -15,7 +21,9 @@ import {
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 export const listAppConnectionOptions = () => {
-  return [getAwsAppConnectionListItem(), getGitHubConnectionListItem()].sort((a, b) => a.name.localeCompare(b.name));
+  return [getAwsAppConnectionListItem(), getGitHubConnectionListItem(), getGcpAppConnectionListItem()].sort((a, b) =>
+    a.name.localeCompare(b.name)
+  );
 };
 
 export const encryptAppConnectionCredentials = async ({
@@ -69,6 +77,8 @@ export const validateAppConnectionCredentials = async (
       return validateAwsConnectionCredentials(appConnection);
     case AppConnection.GitHub:
       return validateGitHubConnectionCredentials(appConnection);
+    case AppConnection.GCP:
+      return validateGcpConnectionCredentials(appConnection);
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection ${app}`);
@@ -85,6 +95,8 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
       return "Access Key";
     case AwsConnectionMethod.AssumeRole:
       return "Assume Role";
+    case GcpConnectionMethod.ServiceAccountImpersonation:
+      return "Service Account Impersonation";
     default:
       // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
       throw new Error(`Unhandled App Connection Method: ${method}`);
@@ -101,6 +113,7 @@ export const decryptAppConnection = async (
       encryptedCredentials: appConnection.encryptedCredentials,
       orgId: appConnection.orgId,
       kmsService
-    })
+    }),
+    credentialsHash: generateHash(appConnection.encryptedCredentials)
   } as TAppConnection;
 };

backend/src/services/app-connection/app-connection-maps.ts

@@ -2,5 +2,6 @@ import { AppConnection } from "./app-connection-enums";
 
 export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.AWS]: "AWS",
-  [AppConnection.GitHub]: "GitHub"
+  [AppConnection.GitHub]: "GitHub",
+  [AppConnection.GCP]: "GCP"
 };

backend/src/services/app-connection/app-connection-schemas.ts

@@ -10,6 +10,8 @@ export const BaseAppConnectionSchema = AppConnectionsSchema.omit({
   encryptedCredentials: true,
   app: true,
   method: true
+}).extend({
+  credentialsHash: z.string().optional()
 });
 
 export const GenericCreateAppConnectionFieldsSchema = (app: AppConnection) =>

backend/src/services/app-connection/app-connection-service.ts

@@ -2,6 +2,8 @@ import { ForbiddenError, subject } from "@casl/ability";
 
 import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { generateHash } from "@app/lib/crypto/encryption";
+import { DatabaseErrorCode } from "@app/lib/error-codes";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { DiscriminativePick, OrgServiceActor } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
@@ -26,6 +28,8 @@ import { githubConnectionService } from "@app/services/app-connection/github/git
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
 import { TAppConnectionDALFactory } from "./app-connection-dal";
+import { ValidateGcpConnectionCredentialsSchema } from "./gcp";
+import { gcpConnectionService } from "./gcp/gcp-connection-service";
 
 export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
@@ -37,7 +41,8 @@ export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServic
 
 const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAppConnectionCredentials> = {
   [AppConnection.AWS]: ValidateAwsConnectionCredentialsSchema,
-  [AppConnection.GitHub]: ValidateGitHubConnectionCredentialsSchema
+  [AppConnection.GitHub]: ValidateGitHubConnectionCredentialsSchema,
+  [AppConnection.GCP]: ValidateGcpConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -140,53 +145,40 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
-    const appConnection = await appConnectionDAL.transaction(async (tx) => {
-      const isConflictingName = Boolean(
-        await appConnectionDAL.findOne(
-          {
-            name: params.name,
-            orgId: actor.orgId
-          },
-          tx
-        )
-      );
+    const validatedCredentials = await validateAppConnectionCredentials({
+      app,
+      credentials,
+      method,
+      orgId: actor.orgId
+    } as TAppConnectionConfig);
 
-      if (isConflictingName)
-        throw new BadRequestError({
-          message: `An App Connection with the name "${params.name}" already exists`
-        });
+    const encryptedCredentials = await encryptAppConnectionCredentials({
+      credentials: validatedCredentials,
+      orgId: actor.orgId,
+      kmsService
+    });
 
-      const validatedCredentials = await validateAppConnectionCredentials({
-        app,
-        credentials,
-        method,
-        orgId: actor.orgId
-      } as TAppConnectionConfig);
-
-      const encryptedCredentials = await encryptAppConnectionCredentials({
-        credentials: validatedCredentials,
+    try {
+      const connection = await appConnectionDAL.create({
         orgId: actor.orgId,
-        kmsService
+        encryptedCredentials,
+        method,
+        app,
+        ...params
       });
 
-      const connection = await appConnectionDAL.create(
-        {
-          orgId: actor.orgId,
-          encryptedCredentials,
-          method,
-          app,
-          ...params
-        },
-        tx
-      );
-
       return {
         ...connection,
+        credentialsHash: generateHash(connection.encryptedCredentials),
         credentials: validatedCredentials
-      };
-    });
+      } as TAppConnection;
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({ message: `An App Connection with the name "${params.name}" already exists` });
+      }
 
-    return appConnection as TAppConnection;
+      throw err;
+    }
   };
 
   const updateAppConnection = async (
@@ -210,72 +202,55 @@ export const appConnectionServiceFactory = ({
       OrgPermissionSubjects.AppConnections
     );
 
-    const updatedAppConnection = await appConnectionDAL.transaction(async (tx) => {
-      if (params.name && appConnection.name !== params.name) {
-        const isConflictingName = Boolean(
-          await appConnectionDAL.findOne(
-            {
-              name: params.name,
-              orgId: appConnection.orgId
-            },
-            tx
-          )
-        );
+    let encryptedCredentials: undefined | Buffer;
 
-        if (isConflictingName)
-          throw new BadRequestError({
-            message: `An App Connection with the name "${params.name}" already exists`
-          });
-      }
+    if (credentials) {
+      const { app, method } = appConnection as DiscriminativePick<TAppConnectionConfig, "app" | "method">;
 
-      let encryptedCredentials: undefined | Buffer;
-
-      if (credentials) {
-        const { app, method } = appConnection as DiscriminativePick<TAppConnectionConfig, "app" | "method">;
-
-        if (
-          !VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[app].safeParse({
-            method,
-            credentials
-          }).success
-        )
-          throw new BadRequestError({
-            message: `Invalid credential format for ${
-              APP_CONNECTION_NAME_MAP[app]
-            } Connection with method ${getAppConnectionMethodName(method)}`
-          });
-
-        const validatedCredentials = await validateAppConnectionCredentials({
-          app,
-          orgId: actor.orgId,
-          credentials,
-          method
-        } as TAppConnectionConfig);
-
-        if (!validatedCredentials)
-          throw new BadRequestError({ message: "Unable to validate connection - check credentials" });
-
-        encryptedCredentials = await encryptAppConnectionCredentials({
-          credentials: validatedCredentials,
-          orgId: actor.orgId,
-          kmsService
+      if (
+        !VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[app].safeParse({
+          method,
+          credentials
+        }).success
+      )
+        throw new BadRequestError({
+          message: `Invalid credential format for ${
+            APP_CONNECTION_NAME_MAP[app]
+          } Connection with method ${getAppConnectionMethodName(method)}`
         });
+
+      const validatedCredentials = await validateAppConnectionCredentials({
+        app,
+        orgId: actor.orgId,
+        credentials,
+        method
+      } as TAppConnectionConfig);
+
+      if (!validatedCredentials)
+        throw new BadRequestError({ message: "Unable to validate connection - check credentials" });
+
+      encryptedCredentials = await encryptAppConnectionCredentials({
+        credentials: validatedCredentials,
+        orgId: actor.orgId,
+        kmsService
+      });
+    }
+
+    try {
+      const updatedConnection = await appConnectionDAL.updateById(connectionId, {
+        orgId: actor.orgId,
+        encryptedCredentials,
+        ...params
+      });
+
+      return await decryptAppConnection(updatedConnection, kmsService);
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({ message: `An App Connection with the name "${params.name}" already exists` });
       }
 
-      const updatedConnection = await appConnectionDAL.updateById(
-        connectionId,
-        {
-          orgId: actor.orgId,
-          encryptedCredentials,
-          ...params
-        },
-        tx
-      );
-
-      return updatedConnection;
-    });
-
-    return decryptAppConnection(updatedAppConnection, kmsService);
+      throw err;
+    }
   };
 
   const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
@@ -306,7 +281,10 @@ export const appConnectionServiceFactory = ({
 
       return await decryptAppConnection(deletedAppConnection, kmsService);
     } catch (err) {
-      if (err instanceof DatabaseError && (err.error as { code: string })?.code === "23503") {
+      if (
+        err instanceof DatabaseError &&
+        (err.error as { code: string })?.code === DatabaseErrorCode.ForeignKeyViolation
+      ) {
         throw new BadRequestError({
           message:
             "Cannot delete App Connection with existing connections. Remove all existing connections and try again."
@@ -382,6 +360,7 @@ export const appConnectionServiceFactory = ({
     deleteAppConnection,
     connectAppConnectionById,
     listAvailableAppConnectionsForUser,
-    github: githubConnectionService(connectAppConnectionById)
+    github: githubConnectionService(connectAppConnectionById),
+    gcp: gcpConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -11,9 +11,11 @@ import {
   TValidateGitHubConnectionCredentials
 } from "@app/services/app-connection/github";
 
-export type TAppConnection = { id: string } & (TAwsConnection | TGitHubConnection);
+import { TGcpConnection, TGcpConnectionConfig, TGcpConnectionInput, TValidateGcpConnectionCredentials } from "./gcp";
 
-export type TAppConnectionInput = { id: string } & (TAwsConnectionInput | TGitHubConnectionInput);
+export type TAppConnection = { id: string } & (TAwsConnection | TGitHubConnection | TGcpConnection);
+
+export type TAppConnectionInput = { id: string } & (TAwsConnectionInput | TGitHubConnectionInput | TGcpConnectionInput);
 
 export type TCreateAppConnectionDTO = Pick<
   TAppConnectionInput,
@@ -24,8 +26,9 @@ export type TUpdateAppConnectionDTO = Partial<Omit<TCreateAppConnectionDTO, "met
   connectionId: string;
 };
 
-export type TAppConnectionConfig = TAwsConnectionConfig | TGitHubConnectionConfig;
+export type TAppConnectionConfig = TAwsConnectionConfig | TGitHubConnectionConfig | TGcpConnectionConfig;
 
 export type TValidateAppConnectionCredentials =
   | TValidateAwsConnectionCredentials
-  | TValidateGitHubConnectionCredentials;
+  | TValidateGitHubConnectionCredentials
+  | TValidateGcpConnectionCredentials;

backend/src/services/app-connection/gcp/gcp-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum GcpConnectionMethod {
+  ServiceAccountImpersonation = "service-account-impersonation"
+}

backend/src/services/app-connection/gcp/gcp-connection-fns.ts

@@ -0,0 +1,164 @@
+import { gaxios, Impersonated, JWT } from "google-auth-library";
+import { GetAccessTokenResponse } from "google-auth-library/build/src/auth/oauth2client";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { AppConnection } from "../app-connection-enums";
+import { getAppConnectionMethodName } from "../app-connection-fns";
+import { GcpConnectionMethod } from "./gcp-connection-enums";
+import {
+  GCPApp,
+  GCPGetProjectsRes,
+  GCPGetServiceRes,
+  TGcpConnection,
+  TGcpConnectionConfig
+} from "./gcp-connection-types";
+
+export const getGcpAppConnectionListItem = () => {
+  return {
+    name: "GCP" as const,
+    app: AppConnection.GCP as const,
+    methods: Object.values(GcpConnectionMethod) as [GcpConnectionMethod.ServiceAccountImpersonation]
+  };
+};
+
+export const getGcpConnectionAuthToken = async (appConnection: TGcpConnectionConfig) => {
+  const appCfg = getConfig();
+  if (!appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) {
+    throw new InternalServerError({
+      message: `Environment variables have not been configured for GCP ${getAppConnectionMethodName(
+        GcpConnectionMethod.ServiceAccountImpersonation
+      )}`
+    });
+  }
+
+  const credJson = JSON.parse(appCfg.INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL) as {
+    client_email: string;
+    private_key: string;
+  };
+
+  const sourceClient = new JWT({
+    email: credJson.client_email,
+    key: credJson.private_key,
+    scopes: ["https://www.googleapis.com/auth/cloud-platform"]
+  });
+
+  const impersonatedCredentials = new Impersonated({
+    sourceClient,
+    targetPrincipal: appConnection.credentials.serviceAccountEmail,
+    lifetime: 3600,
+    delegates: [],
+    targetScopes: ["https://www.googleapis.com/auth/cloud-platform"]
+  });
+
+  let tokenResponse: GetAccessTokenResponse | undefined;
+  try {
+    tokenResponse = await impersonatedCredentials.getAccessToken();
+  } catch (error) {
+    let message = "Unable to validate connection";
+    if (error instanceof gaxios.GaxiosError) {
+      message = error.message;
+    }
+
+    throw new BadRequestError({
+      message
+    });
+  }
+
+  if (!tokenResponse || !tokenResponse.token) {
+    throw new BadRequestError({
+      message: `Unable to validate connection`
+    });
+  }
+
+  return tokenResponse.token;
+};
+
+export const getGcpSecretManagerProjects = async (appConnection: TGcpConnection) => {
+  const accessToken = await getGcpConnectionAuthToken(appConnection);
+
+  let gcpApps: GCPApp[] = [];
+
+  const pageSize = 100;
+  let pageToken: string | undefined;
+  let hasMorePages = true;
+
+  const projects: {
+    name: string;
+    id: string;
+  }[] = [];
+
+  while (hasMorePages) {
+    const params = new URLSearchParams({
+      pageSize: String(pageSize),
+      ...(pageToken ? { pageToken } : {})
+    });
+
+    // eslint-disable-next-line no-await-in-loop
+    const { data } = await request.get<GCPGetProjectsRes>(`${IntegrationUrls.GCP_API_URL}/v1/projects`, {
+      params,
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json"
+      }
+    });
+
+    gcpApps = gcpApps.concat(data.projects);
+
+    if (!data.nextPageToken) {
+      hasMorePages = false;
+    }
+
+    pageToken = data.nextPageToken;
+  }
+
+  // eslint-disable-next-line
+  for await (const gcpApp of gcpApps) {
+    try {
+      const res = (
+        await request.get<GCPGetServiceRes>(
+          `${IntegrationUrls.GCP_SERVICE_USAGE_URL}/v1/projects/${gcpApp.projectId}/services/${IntegrationUrls.GCP_SECRET_MANAGER_SERVICE_NAME}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json"
+            }
+          }
+        )
+      ).data;
+
+      if (res.state === "ENABLED") {
+        projects.push({
+          name: gcpApp.name,
+          id: gcpApp.projectId
+        });
+      }
+    } catch {
+      // eslint-disable-next-line
+      continue;
+    }
+  }
+
+  return projects;
+};
+
+export const validateGcpConnectionCredentials = async (appConnection: TGcpConnectionConfig) => {
+  // Check if provided service account email suffix matches organization ID.
+  // We do this to mitigate confused deputy attacks in multi-tenant instances
+  if (appConnection.credentials.serviceAccountEmail) {
+    const expectedAccountIdSuffix = appConnection.orgId.split("-").slice(0, 2).join("-");
+    const serviceAccountId = appConnection.credentials.serviceAccountEmail.split("@")[0];
+    if (!serviceAccountId.endsWith(expectedAccountIdSuffix)) {
+      throw new BadRequestError({
+        message: `GCP service account ID must have a suffix of "${expectedAccountIdSuffix}" e.g. service-account-${expectedAccountIdSuffix}@my-project.iam.gserviceaccount.com"`
+      });
+    }
+  }
+
+  await getGcpConnectionAuthToken(appConnection);
+
+  return appConnection.credentials;
+};

backend/src/services/app-connection/gcp/gcp-connection-schemas.ts

@@ -0,0 +1,65 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { GcpConnectionMethod } from "./gcp-connection-enums";
+
+export const GcpConnectionServiceAccountImpersonationCredentialsSchema = z.object({
+  serviceAccountEmail: z.string().email().trim().min(1, "Service account email required")
+});
+
+const BaseGcpConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.GCP) });
+
+export const GcpConnectionSchema = z.intersection(
+  BaseGcpConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(GcpConnectionMethod.ServiceAccountImpersonation),
+      credentials: GcpConnectionServiceAccountImpersonationCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedGcpConnectionSchema = z.discriminatedUnion("method", [
+  BaseGcpConnectionSchema.extend({
+    method: z.literal(GcpConnectionMethod.ServiceAccountImpersonation),
+    credentials: GcpConnectionServiceAccountImpersonationCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateGcpConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(GcpConnectionMethod.ServiceAccountImpersonation)
+      .describe(AppConnections?.CREATE(AppConnection.GCP).method),
+    credentials: GcpConnectionServiceAccountImpersonationCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.GCP).credentials
+    )
+  })
+]);
+
+export const CreateGcpConnectionSchema = ValidateGcpConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.GCP)
+);
+
+export const UpdateGcpConnectionSchema = z
+  .object({
+    credentials: GcpConnectionServiceAccountImpersonationCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.GCP).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.GCP));
+
+export const GcpConnectionListItemSchema = z.object({
+  name: z.literal("GCP"),
+  app: z.literal(AppConnection.GCP),
+  // the below is preferable but currently breaks with our zod to json schema parser
+  // methods: z.tuple([z.literal(GitHubConnectionMethod.App), z.literal(GitHubConnectionMethod.OAuth)]),
+  methods: z.nativeEnum(GcpConnectionMethod).array()
+});

backend/src/services/app-connection/gcp/gcp-connection-service.ts

@@ -0,0 +1,29 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { getGcpSecretManagerProjects } from "./gcp-connection-fns";
+import { TGcpConnection } from "./gcp-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TGcpConnection>;
+
+export const gcpConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listSecretManagerProjects = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.GCP, connectionId, actor);
+
+    try {
+      const projects = await getGcpSecretManagerProjects(appConnection);
+
+      return projects;
+    } catch (error) {
+      return [];
+    }
+  };
+
+  return {
+    listSecretManagerProjects
+  };
+};

backend/src/services/app-connection/gcp/gcp-connection-types.ts

@@ -0,0 +1,45 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateGcpConnectionSchema,
+  GcpConnectionSchema,
+  ValidateGcpConnectionCredentialsSchema
+} from "./gcp-connection-schemas";
+
+export type TGcpConnection = z.infer<typeof GcpConnectionSchema>;
+
+export type TGcpConnectionInput = z.infer<typeof CreateGcpConnectionSchema> & {
+  app: AppConnection.GCP;
+};
+
+export type TValidateGcpConnectionCredentials = typeof ValidateGcpConnectionCredentialsSchema;
+
+export type TGcpConnectionConfig = DiscriminativePick<TGcpConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type GCPApp = {
+  projectNumber: string;
+  projectId: string;
+  lifecycleState: "ACTIVE" | "LIFECYCLE_STATE_UNSPECIFIED" | "DELETE_REQUESTED" | "DELETE_IN_PROGRESS";
+  name: string;
+  createTime: string;
+  parent: {
+    type: "organization" | "folder" | "project";
+    id: string;
+  };
+};
+
+export type GCPGetProjectsRes = {
+  projects: GCPApp[];
+  nextPageToken?: string;
+};
+
+export type GCPGetServiceRes = {
+  name: string;
+  parent: string;
+  state: "ENABLED" | "DISABLED" | "STATE_UNSPECIFIED";
+};

backend/src/services/app-connection/gcp/index.ts

@@ -0,0 +1,4 @@
+export * from "./gcp-connection-enums";
+export * from "./gcp-connection-fns";
+export * from "./gcp-connection-schemas";
+export * from "./gcp-connection-types";

backend/src/services/auth-token/auth-token-service.ts

@@ -57,6 +57,12 @@ export const getTokenConfig = (tokenType: TokenType) => {
       const expiresAt = new Date(new Date().getTime() + 86400000);
       return { token, expiresAt };
     }
+    case TokenType.TOKEN_EMAIL_PASSWORD_SETUP: {
+      // generate random hex
+      const token = crypto.randomBytes(16).toString("hex");
+      const expiresAt = new Date(new Date().getTime() + 86400000);
+      return { token, expiresAt };
+    }
     case TokenType.TOKEN_USER_UNLOCK: {
       const token = crypto.randomBytes(16).toString("hex");
       const expiresAt = new Date(new Date().getTime() + 259200000);

backend/src/services/auth-token/auth-token-types.ts

@@ -6,6 +6,7 @@ export enum TokenType {
   TOKEN_EMAIL_MFA = "emailMfa",
   TOKEN_EMAIL_ORG_INVITATION = "organizationInvitation",
   TOKEN_EMAIL_PASSWORD_RESET = "passwordReset",
+  TOKEN_EMAIL_PASSWORD_SETUP = "passwordSetup",
   TOKEN_USER_UNLOCK = "userUnlock"
 }
 

backend/src/services/auth/auth-password-service.ts

@@ -4,6 +4,8 @@ import jwt from "jsonwebtoken";
 import { SecretEncryptionAlgo, SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
+import { BadRequestError } from "@app/lib/errors";
+import { OrgServiceActor } from "@app/lib/types";
 
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
@@ -11,8 +13,13 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TTotpConfigDALFactory } from "../totp/totp-config-dal";
 import { TUserDALFactory } from "../user/user-dal";
 import { TAuthDALFactory } from "./auth-dal";
-import { TChangePasswordDTO, TCreateBackupPrivateKeyDTO, TResetPasswordViaBackupKeyDTO } from "./auth-password-type";
-import { AuthTokenType } from "./auth-type";
+import {
+  TChangePasswordDTO,
+  TCreateBackupPrivateKeyDTO,
+  TResetPasswordViaBackupKeyDTO,
+  TSetupPasswordViaBackupKeyDTO
+} from "./auth-password-type";
+import { ActorType, AuthMethod, AuthTokenType } from "./auth-type";
 
 type TAuthPasswordServiceFactoryDep = {
   authDAL: TAuthDALFactory;
@@ -169,8 +176,13 @@ export const authPaswordServiceFactory = ({
     verifier,
     encryptedPrivateKeyIV,
     encryptedPrivateKeyTag,
-    userId
+    userId,
+    password
   }: TResetPasswordViaBackupKeyDTO) => {
+    const cfg = getConfig();
+
+    const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+
     await userDAL.updateUserEncryptionByUserId(userId, {
       encryptionVersion: 2,
       protectedKey,
@@ -180,7 +192,8 @@ export const authPaswordServiceFactory = ({
       iv: encryptedPrivateKeyIV,
       tag: encryptedPrivateKeyTag,
       salt,
-      verifier
+      verifier,
+      hashedPassword
     });
 
     await userDAL.updateById(userId, {
@@ -267,6 +280,108 @@ export const authPaswordServiceFactory = ({
     return backupKey;
   };
 
+  const sendPasswordSetupEmail = async (actor: OrgServiceActor) => {
+    if (actor.type !== ActorType.USER)
+      throw new BadRequestError({ message: `Actor of type ${actor.type} cannot set password` });
+
+    const user = await userDAL.findById(actor.id);
+
+    if (!user) throw new BadRequestError({ message: `Could not find user with ID ${actor.id}` });
+
+    if (!user.isAccepted || !user.authMethods)
+      throw new BadRequestError({ message: `You must complete signup to set a password` });
+
+    const cfg = getConfig();
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_PASSWORD_SETUP,
+      userId: user.id
+    });
+
+    const email = user.email ?? user.username;
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.SetupPassword,
+      recipients: [email],
+      subjectLine: "Infisical Password Setup",
+      substitutions: {
+        email,
+        token,
+        callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-setup` : ""
+      }
+    });
+  };
+
+  const setupPassword = async (
+    {
+      encryptedPrivateKey,
+      protectedKeyTag,
+      protectedKey,
+      protectedKeyIV,
+      salt,
+      verifier,
+      encryptedPrivateKeyIV,
+      encryptedPrivateKeyTag,
+      password,
+      token
+    }: TSetupPasswordViaBackupKeyDTO,
+    actor: OrgServiceActor
+  ) => {
+    try {
+      await tokenService.validateTokenForUser({
+        type: TokenType.TOKEN_EMAIL_PASSWORD_SETUP,
+        userId: actor.id,
+        code: token
+      });
+    } catch (e) {
+      throw new BadRequestError({ message: "Expired or invalid token. Please try again." });
+    }
+
+    await userDAL.transaction(async (tx) => {
+      const user = await userDAL.findById(actor.id, tx);
+
+      if (!user) throw new BadRequestError({ message: `Could not find user with ID ${actor.id}` });
+
+      if (!user.isAccepted || !user.authMethods)
+        throw new BadRequestError({ message: `You must complete signup to set a password` });
+
+      if (!user.authMethods.includes(AuthMethod.EMAIL)) {
+        await userDAL.updateById(
+          actor.id,
+          {
+            authMethods: [...user.authMethods, AuthMethod.EMAIL]
+          },
+          tx
+        );
+      }
+
+      const cfg = getConfig();
+
+      const hashedPassword = await bcrypt.hash(password, cfg.BCRYPT_SALT_ROUND);
+
+      await userDAL.updateUserEncryptionByUserId(
+        actor.id,
+        {
+          encryptionVersion: 2,
+          protectedKey,
+          protectedKeyIV,
+          protectedKeyTag,
+          encryptedPrivateKey,
+          iv: encryptedPrivateKeyIV,
+          tag: encryptedPrivateKeyTag,
+          salt,
+          verifier,
+          hashedPassword,
+          serverPrivateKey: null,
+          clientPublicKey: null
+        },
+        tx
+      );
+    });
+
+    await tokenService.revokeAllMySessions(actor.id);
+  };
+
   return {
     generateServerPubKey,
     changePassword,
@@ -274,6 +389,8 @@ export const authPaswordServiceFactory = ({
     sendPasswordResetEmail,
     verifyPasswordResetEmail,
     createBackupPrivateKey,
-    getBackupPrivateKeyOfUser
+    getBackupPrivateKeyOfUser,
+    sendPasswordSetupEmail,
+    setupPassword
   };
 };

backend/src/services/auth/auth-password-type.ts

@@ -23,6 +23,20 @@ export type TResetPasswordViaBackupKeyDTO = {
   encryptedPrivateKeyTag: string;
   salt: string;
   verifier: string;
+  password: string;
+};
+
+export type TSetupPasswordViaBackupKeyDTO = {
+  protectedKey: string;
+  protectedKeyIV: string;
+  protectedKeyTag: string;
+  encryptedPrivateKey: string;
+  encryptedPrivateKeyIV: string;
+  encryptedPrivateKeyTag: string;
+  salt: string;
+  verifier: string;
+  password: string;
+  token: string;
 };
 
 export type TCreateBackupPrivateKeyDTO = {

backend/src/services/cmek/cmek-service.ts

@@ -3,7 +3,8 @@ import { ForbiddenError } from "@casl/ability";
 import { ActionProjectType, ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { DatabaseErrorCode } from "@app/lib/error-codes";
+import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import {
   TCmekDecryptDTO,
@@ -44,17 +45,31 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
     });
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
 
-    const cmek = await kmsService.generateKmsKey({
-      ...dto,
-      projectId,
-      isReserved: false
-    });
+    try {
+      const cmek = await kmsService.generateKmsKey({
+        ...dto,
+        projectId,
+        isReserved: false
+      });
 
-    return cmek;
+      return {
+        ...cmek,
+        version: 1,
+        encryptionAlgorithm: dto.encryptionAlgorithm
+      };
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({
+          message: `A KMS key with the name "${dto.name}" already exists for the project with ID "${projectId}"`
+        });
+      }
+
+      throw err;
+    }
   };
 
   const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: OrgServiceActor) => {
-    const key = await kmsDAL.findById(keyId);
+    const key = await kmsDAL.findCmekById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
 
@@ -71,13 +86,27 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
 
-    const cmek = await kmsDAL.updateById(keyId, data);
+    try {
+      const cmek = await kmsDAL.updateById(keyId, data);
 
-    return cmek;
+      return {
+        ...cmek,
+        version: key.version,
+        encryptionAlgorithm: key.encryptionAlgorithm
+      };
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({
+          message: `A KMS key with the name "${data.name!}" already exists for the project with ID "${key.projectId}"`
+        });
+      }
+
+      throw err;
+    }
   };
 
   const deleteCmekById = async (keyId: string, actor: OrgServiceActor) => {
-    const key = await kmsDAL.findById(keyId);
+    const key = await kmsDAL.findCmekById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
 
@@ -94,9 +123,9 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
 
-    const cmek = kmsDAL.deleteById(keyId);
+    await kmsDAL.deleteById(keyId);
 
-    return cmek;
+    return key;
   };
 
   const listCmeksByProjectId = async (
@@ -120,15 +149,58 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
 
-    const { keys: cmeks, totalCount } = await kmsDAL.findKmsKeysByProjectId({ projectId, ...filters });
+    const { keys: cmeks, totalCount } = await kmsDAL.listCmeksByProjectId({ projectId, ...filters });
 
     return { cmeks, totalCount };
   };
 
+  const findCmekById = async (keyId: string, actor: OrgServiceActor) => {
+    const key = await kmsDAL.findCmekById(keyId);
+
+    if (!key) throw new NotFoundError({ message: `Key with ID "${keyId}" not found` });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+
+    return key;
+  };
+
+  const findCmekByName = async (keyName: string, projectId: string, actor: OrgServiceActor) => {
+    const key = await kmsDAL.findCmekByName(keyName, projectId);
+
+    if (!key)
+      throw new NotFoundError({ message: `Key with name "${keyName}" not found for project with ID "${projectId}"` });
+
+    if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId: key.projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.KMS
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
+
+    return key;
+  };
+
   const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: OrgServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
-    if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
+    if (!key) throw new NotFoundError({ message: `Key with ID "${keyId}" not found` });
 
     if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
 
@@ -155,7 +227,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
   const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: OrgServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
-    if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
+    if (!key) throw new NotFoundError({ message: `Key with ID "${keyId}" not found` });
 
     if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
 
@@ -185,6 +257,8 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
     deleteCmekById,
     listCmeksByProjectId,
     cmekEncrypt,
-    cmekDecrypt
+    cmekDecrypt,
+    findCmekById,
+    findCmekByName
   };
 };

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -126,12 +126,12 @@ export const identityAwsAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityAwsAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-azure-auth/identity-azure-auth-service.ts

@@ -99,12 +99,12 @@ export const identityAzureAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityAzureAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -138,12 +138,12 @@ export const identityGcpAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityGcpAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts

@@ -212,12 +212,12 @@ export const identityJwtAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityJwtAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -229,12 +229,12 @@ export const identityKubernetesAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityKubernetesAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -194,12 +194,12 @@ export const identityOidcAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityOidcAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-token-auth/identity-token-auth-service.ts

@@ -328,12 +328,12 @@ export const identityTokenAuthServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityTokenAuth, identityAccessToken, identityMembershipOrg };

backend/src/services/identity-ua/identity-ua-service.ts

@@ -129,12 +129,12 @@ export const identityUaServiceFactory = ({
         authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
-      {
-        expiresIn:
-          Number(identityAccessToken.accessTokenMaxTTL) === 0
-            ? undefined
-            : Number(identityAccessToken.accessTokenMaxTTL)
-      }
+      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
     );
 
     return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };

backend/src/services/integration-auth/integration-app-list.ts

@@ -132,16 +132,26 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 
 /**
  * Return list of names of apps for Vercel integration
+ * This is re-used for getting custom environments for Vercel
  */
-const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null; accessToken: string }) => {
-  const apps: Array<{ name: string; appId: string }> = [];
+export const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null; accessToken: string }) => {
+  const apps: Array<{ name: string; appId: string; customEnvironments: Array<{ slug: string; id: string }> }> = [];
 
   const limit = "20";
   let hasMorePages = true;
   let next: number | null = null;
 
   interface Response {
-    projects: { name: string; id: string }[];
+    projects: {
+      name: string;
+      id: string;
+      customEnvironments?: {
+        id: string;
+        type: string;
+        description: string;
+        slug: string;
+      }[];
+    }[];
     pagination: {
       count: number;
       next: number | null;
@@ -173,7 +183,12 @@ const getAppsVercel = async ({ accessToken, teamId }: { teamId?: string | null;
     data.projects.forEach((a) => {
       apps.push({
         name: a.name,
-        appId: a.id
+        appId: a.id,
+        customEnvironments:
+          a.customEnvironments?.map((env) => ({
+            slug: env.slug,
+            id: env.id
+          })) ?? []
       });
     });
 

backend/src/services/integration-auth/integration-auth-service.ts

@@ -25,11 +25,12 @@ import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
 import { KmsDataKey } from "../kms/kms-types";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
-import { getApps } from "./integration-app-list";
+import { getApps, getAppsVercel } from "./integration-app-list";
 import { TCircleCIContext } from "./integration-app-types";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
 import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
+  GetVercelCustomEnvironmentsDTO,
   OctopusDeployScope,
   TBitbucketEnvironment,
   TBitbucketWorkspace,
@@ -1825,6 +1826,41 @@ export const integrationAuthServiceFactory = ({
     return integrationAuthDAL.create(newIntegrationAuth);
   };
 
+  const getVercelCustomEnvironments = async ({
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    teamId,
+    id
+  }: GetVercelCustomEnvironmentsDTO) => {
+    const integrationAuth = await integrationAuthDAL.findById(id);
+    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: integrationAuth.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(integrationAuth.projectId);
+    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
+
+    const vercelApps = await getAppsVercel({
+      accessToken,
+      teamId
+    });
+
+    return vercelApps.map((app) => ({
+      customEnvironments: app.customEnvironments,
+      appId: app.appId
+    }));
+  };
+
   const getOctopusDeploySpaces = async ({
     actorId,
     actor,
@@ -1944,6 +1980,7 @@ export const integrationAuthServiceFactory = ({
     getIntegrationAccessToken,
     duplicateIntegrationAuth,
     getOctopusDeploySpaces,
-    getOctopusDeployScopeValues
+    getOctopusDeployScopeValues,
+    getVercelCustomEnvironments
   };
 };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -284,3 +284,8 @@ export type TOctopusDeployVariableSet = {
     Self: string;
   };
 };
+
+export type GetVercelCustomEnvironmentsDTO = {
+  teamId: string;
+  id: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1450,9 +1450,13 @@ const syncSecretsVercel = async ({
   secrets: Record<string, { value: string; comment?: string } | null>;
   accessToken: string;
 }) => {
+  const isCustomEnvironment = !["development", "preview", "production"].includes(
+    integration.targetEnvironment as string
+  );
   interface VercelSecret {
     id?: string;
     type: string;
+    customEnvironmentIds?: string[];
     key: string;
     value: string;
     target: string[];
@@ -1486,6 +1490,16 @@ const syncSecretsVercel = async ({
       }
     )
   ).data.envs.filter((secret) => {
+    if (isCustomEnvironment) {
+      if (!secret.customEnvironmentIds?.includes(integration.targetEnvironment as string)) {
+        // case: secret does not have the same custom environment
+        return false;
+      }
+
+      // no need to check for preview environment, as custom environments are not available in preview
+      return true;
+    }
+
     if (!secret.target.includes(integration.targetEnvironment as string)) {
       // case: secret does not have the same target environment
       return false;
@@ -1583,7 +1597,13 @@ const syncSecretsVercel = async ({
             key,
             value: infisicalSecrets[key]?.value,
             type: "encrypted",
-            target: [integration.targetEnvironment as string],
+            ...(isCustomEnvironment
+              ? {
+                  customEnvironmentIds: [integration.targetEnvironment as string]
+                }
+              : {
+                  target: [integration.targetEnvironment as string]
+                }),
             ...(integration.path
               ? {
                   gitBranch: integration.path
@@ -1607,9 +1627,19 @@ const syncSecretsVercel = async ({
             key,
             value: infisicalSecrets[key]?.value,
             type: res[key].type,
-            target: res[key].target.includes(integration.targetEnvironment as string)
-              ? [...res[key].target]
-              : [...res[key].target, integration.targetEnvironment as string],
+
+            ...(!isCustomEnvironment
+              ? {
+                  target: res[key].target.includes(integration.targetEnvironment as string)
+                    ? [...res[key].target]
+                    : [...res[key].target, integration.targetEnvironment as string]
+                }
+              : {
+                  customEnvironmentIds: res[key].customEnvironmentIds?.includes(integration.targetEnvironment as string)
+                    ? [...(res[key].customEnvironmentIds || [])]
+                    : [...(res[key]?.customEnvironmentIds || []), integration.targetEnvironment as string]
+                }),
+
             ...(integration.path
               ? {
                   gitBranch: integration.path

backend/src/services/kms/kms-key-dal.ts

@@ -3,12 +3,32 @@ import { Knex } from "knex";
 import { TDbClient } from "@app/db";
 import { KmsKeysSchema, TableName, TInternalKms, TKmsKeys } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { buildFindFilter, ormify, prependTableNameToFindFilter, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
 import { CmekOrderBy, TListCmeksByProjectIdDTO } from "@app/services/cmek/cmek-types";
 
 export type TKmsKeyDALFactory = ReturnType<typeof kmskeyDALFactory>;
 
+type TCmekFindFilter = Parameters<typeof buildFindFilter<TKmsKeys>>[0];
+
+const baseCmekQuery = ({ filter, db, tx }: { db: TDbClient; filter?: TCmekFindFilter; tx?: Knex }) => {
+  const query = (tx || db.replicaNode())(TableName.KmsKey)
+    .where(`${TableName.KmsKey}.isReserved`, false)
+    .join(TableName.InternalKms, `${TableName.InternalKms}.kmsKeyId`, `${TableName.KmsKey}.id`)
+    .select(
+      selectAllTableCols(TableName.KmsKey),
+      db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms),
+      db.ref("version").withSchema(TableName.InternalKms)
+    );
+
+  if (filter) {
+    /* eslint-disable @typescript-eslint/no-misused-promises */
+    void query.where(buildFindFilter(prependTableNameToFindFilter(TableName.KmsKey, filter)));
+  }
+
+  return query;
+};
+
 export const kmskeyDALFactory = (db: TDbClient) => {
   const kmsOrm = ormify(db, TableName.KmsKey);
 
@@ -73,7 +93,7 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findKmsKeysByProjectId = async (
+  const listCmeksByProjectId = async (
     {
       projectId,
       offset = 0,
@@ -92,6 +112,7 @@ export const kmskeyDALFactory = (db: TDbClient) => {
             void qb.whereILike("name", `%${search}%`);
           }
         })
+        .where(`${TableName.KmsKey}.isReserved`, false)
         .join(TableName.InternalKms, `${TableName.InternalKms}.kmsKeyId`, `${TableName.KmsKey}.id`)
         .select<
           (TKmsKeys &
@@ -118,5 +139,33 @@ export const kmskeyDALFactory = (db: TDbClient) => {
     }
   };
 
-  return { ...kmsOrm, findByIdWithAssociatedKms, findKmsKeysByProjectId };
+  const findCmekById = async (id: string, tx?: Knex) => {
+    try {
+      const key = await baseCmekQuery({
+        filter: { id },
+        db,
+        tx
+      }).first();
+
+      return key;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by ID - KMS Key" });
+    }
+  };
+
+  const findCmekByName = async (keyName: string, projectId: string, tx?: Knex) => {
+    try {
+      const key = await baseCmekQuery({
+        filter: { name: keyName, projectId },
+        db,
+        tx
+      }).first();
+
+      return key;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by Name - KMS Key" });
+    }
+  };
+
+  return { ...kmsOrm, findByIdWithAssociatedKms, listCmeksByProjectId, findCmekById, findCmekByName };
 };

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -493,6 +493,7 @@ export const secretFolderDALFactory = (db: TDbClient) => {
                   db.ref("parents.environment")
                 )
                 .from(TableName.SecretFolder)
+                .where(`${TableName.SecretFolder}.isReserved`, false)
                 .join("parents", `${TableName.SecretFolder}.parentId`, "parents.id");
             })
         )

backend/src/services/secret-sync/gcp/gcp-sync-constants.ts

@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const GCP_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "GCP Secret Manager",
+  destination: SecretSync.GCPSecretManager,
+  connection: AppConnection.GCP,
+  canImportSecrets: true
+};

backend/src/services/secret-sync/gcp/gcp-sync-enums.ts

@@ -0,0 +1,3 @@
+export enum GcpSyncScope {
+  Global = "global"
+}

backend/src/services/secret-sync/gcp/gcp-sync-fns.ts

@@ -0,0 +1,218 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { logger } from "@app/lib/logger";
+import { getGcpConnectionAuthToken } from "@app/services/app-connection/gcp";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+
+import { SecretSyncError } from "../secret-sync-errors";
+import { TSecretMap } from "../secret-sync-types";
+import {
+  GCPLatestSecretVersionAccess,
+  GCPSecret,
+  GCPSMListSecretsRes,
+  TGcpSyncWithCredentials
+} from "./gcp-sync-types";
+
+const getGcpSecrets = async (accessToken: string, secretSync: TGcpSyncWithCredentials) => {
+  const { destinationConfig } = secretSync;
+
+  let gcpSecrets: GCPSecret[] = [];
+
+  const pageSize = 100;
+  let pageToken: string | undefined;
+  let hasMorePages = true;
+
+  while (hasMorePages) {
+    const params = new URLSearchParams({
+      pageSize: String(pageSize),
+      ...(pageToken ? { pageToken } : {})
+    });
+
+    // eslint-disable-next-line no-await-in-loop
+    const { data: secretsRes } = await request.get<GCPSMListSecretsRes>(
+      `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${secretSync.destinationConfig.projectId}/secrets`,
+      {
+        params,
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
+      }
+    );
+
+    if (secretsRes.secrets) {
+      gcpSecrets = gcpSecrets.concat(secretsRes.secrets);
+    }
+
+    if (!secretsRes.nextPageToken) {
+      hasMorePages = false;
+    }
+
+    pageToken = secretsRes.nextPageToken;
+  }
+
+  const res: { [key: string]: string } = {};
+
+  for await (const gcpSecret of gcpSecrets) {
+    const arr = gcpSecret.name.split("/");
+    const key = arr[arr.length - 1];
+
+    try {
+      const { data: secretLatest } = await request.get<GCPLatestSecretVersionAccess>(
+        `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}/versions/latest:access`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
+          }
+        }
+      );
+
+      res[key] = Buffer.from(secretLatest.payload.data, "base64").toString("utf-8");
+    } catch (error) {
+      // when a secret in GCP has no versions, we treat it as if it's a blank value
+      if (error instanceof AxiosError && error.response?.status === 404) {
+        res[key] = "";
+      } else {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+  }
+
+  return res;
+};
+
+export const GcpSyncFns = {
+  syncSecrets: async (secretSync: TGcpSyncWithCredentials, secretMap: TSecretMap) => {
+    const { destinationConfig, connection } = secretSync;
+    const accessToken = await getGcpConnectionAuthToken(connection);
+
+    const gcpSecrets = await getGcpSecrets(accessToken, secretSync);
+
+    for await (const key of Object.keys(secretMap)) {
+      try {
+        // we do not process secrets with no value because GCP secret manager does not allow it
+        if (!secretMap[key].value) {
+          // eslint-disable-next-line no-continue
+          continue;
+        }
+
+        if (!(key in gcpSecrets)) {
+          // case: create secret
+          await request.post(
+            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets`,
+            {
+              replication: {
+                automatic: {}
+              }
+            },
+            {
+              params: {
+                secretId: key
+              },
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+              }
+            }
+          );
+
+          await request.post(
+            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}:addVersion`,
+            {
+              payload: {
+                data: Buffer.from(secretMap[key].value).toString("base64")
+              }
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+              }
+            }
+          );
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+
+    for await (const key of Object.keys(gcpSecrets)) {
+      try {
+        if (!(key in secretMap) || !secretMap[key].value) {
+          // case: delete secret
+          await request.delete(
+            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}`,
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+              }
+            }
+          );
+        } else if (secretMap[key].value !== gcpSecrets[key]) {
+          if (!secretMap[key].value) {
+            logger.warn(
+              `syncSecretsGcpsecretManager: update secret value in gcp where [key=${key}] and [projectId=${destinationConfig.projectId}]`
+            );
+          }
+
+          await request.post(
+            `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}:addVersion`,
+            {
+              payload: {
+                data: Buffer.from(secretMap[key].value).toString("base64")
+              }
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Accept-Encoding": "application/json"
+              }
+            }
+          );
+        }
+      } catch (error) {
+        throw new SecretSyncError({
+          error,
+          secretKey: key
+        });
+      }
+    }
+  },
+
+  getSecrets: async (secretSync: TGcpSyncWithCredentials): Promise<TSecretMap> => {
+    const { connection } = secretSync;
+    const accessToken = await getGcpConnectionAuthToken(connection);
+
+    const gcpSecrets = await getGcpSecrets(accessToken, secretSync);
+    return Object.fromEntries(Object.entries(gcpSecrets).map(([key, value]) => [key, { value: value ?? "" }]));
+  },
+
+  removeSecrets: async (secretSync: TGcpSyncWithCredentials, secretMap: TSecretMap) => {
+    const { destinationConfig, connection } = secretSync;
+    const accessToken = await getGcpConnectionAuthToken(connection);
+
+    const gcpSecrets = await getGcpSecrets(accessToken, secretSync);
+    for await (const [key] of Object.entries(gcpSecrets)) {
+      if (key in secretMap) {
+        await request.delete(
+          `${IntegrationUrls.GCP_SECRET_MANAGER_URL}/v1/projects/${destinationConfig.projectId}/secrets/${key}`,
+          {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+              "Accept-Encoding": "application/json"
+            }
+          }
+        );
+      }
+    }
+  }
+};

backend/src/services/secret-sync/gcp/gcp-sync-schemas.ts

@@ -0,0 +1,45 @@
+import z from "zod";
+
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+import { SecretSync } from "../secret-sync-enums";
+import { GcpSyncScope } from "./gcp-sync-enums";
+
+const GcpSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+const GcpSyncDestinationConfigSchema = z.object({
+  scope: z.literal(GcpSyncScope.Global),
+  projectId: z.string().min(1, "Project ID is required")
+});
+
+export const GcpSyncSchema = BaseSecretSyncSchema(SecretSync.GCPSecretManager, GcpSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.GCPSecretManager),
+  destinationConfig: GcpSyncDestinationConfigSchema
+});
+
+export const CreateGcpSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.GCPSecretManager,
+  GcpSyncOptionsConfig
+).extend({
+  destinationConfig: GcpSyncDestinationConfigSchema
+});
+
+export const UpdateGcpSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.GCPSecretManager,
+  GcpSyncOptionsConfig
+).extend({
+  destinationConfig: GcpSyncDestinationConfigSchema.optional()
+});
+
+export const GcpSyncListItemSchema = z.object({
+  name: z.literal("GCP Secret Manager"),
+  connection: z.literal(AppConnection.GCP),
+  destination: z.literal(SecretSync.GCPSecretManager),
+  canImportSecrets: z.literal(true)
+});

backend/src/services/secret-sync/gcp/gcp-sync-types.ts

@@ -0,0 +1,33 @@
+import z from "zod";
+
+import { TGcpConnection } from "@app/services/app-connection/gcp";
+
+import { CreateGcpSyncSchema, GcpSyncListItemSchema, GcpSyncSchema } from "./gcp-sync-schemas";
+
+export type TGcpSyncListItem = z.infer<typeof GcpSyncListItemSchema>;
+
+export type TGcpSync = z.infer<typeof GcpSyncSchema>;
+
+export type TGcpSyncInput = z.infer<typeof CreateGcpSyncSchema>;
+
+export type TGcpSyncWithCredentials = TGcpSync & {
+  connection: TGcpConnection;
+};
+
+export type GCPSecret = {
+  name: string;
+  createTime: string;
+};
+
+export type GCPSMListSecretsRes = {
+  secrets?: GCPSecret[];
+  totalSize?: number;
+  nextPageToken?: string;
+};
+
+export type GCPLatestSecretVersionAccess = {
+  name: string;
+  payload: {
+    data: string;
+  };
+};

backend/src/services/secret-sync/gcp/index.ts

@@ -0,0 +1,4 @@
+export * from "./gcp-sync-constants";
+export * from "./gcp-sync-enums";
+export * from "./gcp-sync-schemas";
+export * from "./gcp-sync-types";

backend/src/services/secret-sync/secret-sync-dal.ts

@@ -4,7 +4,7 @@ import { TDbClient } from "@app/db";
 import { TableName } from "@app/db/schemas";
 import { TSecretSyncs } from "@app/db/schemas/secret-syncs";
 import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols } from "@app/lib/knex";
+import { buildFindFilter, ormify, prependTableNameToFindFilter, selectAllTableCols } from "@app/lib/knex";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
 export type TSecretSyncDALFactory = ReturnType<typeof secretSyncDALFactory>;
@@ -34,17 +34,9 @@ const baseSecretSyncQuery = ({ filter, db, tx }: { db: TDbClient; filter?: Secre
       db.ref("updatedAt").withSchema(TableName.AppConnection).as("connectionUpdatedAt")
     );
 
-  // prepends table name to filter keys to avoid ambiguous col references, skipping utility filters like $in, etc.
-  const prependTableName = (filterObj: object): SecretSyncFindFilter =>
-    Object.fromEntries(
-      Object.entries(filterObj).map(([key, value]) =>
-        key.startsWith("$") ? [key, prependTableName(value as object)] : [`${TableName.SecretSync}.${key}`, value]
-      )
-    );
-
   if (filter) {
     /* eslint-disable @typescript-eslint/no-misused-promises */
-    void query.where(buildFindFilter(prependTableName(filter)));
+    void query.where(buildFindFilter(prependTableNameToFindFilter(TableName.SecretSync, filter)));
   }
 
   return query;
@@ -123,47 +115,39 @@ export const secretSyncDALFactory = (
   };
 
   const create = async (data: Parameters<(typeof secretSyncOrm)["create"]>[0]) => {
-    try {
-      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
-        const sync = await secretSyncOrm.create(data, tx);
+    const secretSync = (await secretSyncOrm.transaction(async (tx) => {
+      const sync = await secretSyncOrm.create(data, tx);
 
-        return baseSecretSyncQuery({
-          filter: { id: sync.id },
-          db,
-          tx
-        }).first();
-      }))!;
+      return baseSecretSyncQuery({
+        filter: { id: sync.id },
+        db,
+        tx
+      }).first();
+    }))!;
 
-      // TODO (scott): replace with cached folder path once implemented
-      const [folderWithPath] = secretSync.folderId
-        ? await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId])
-        : [];
-      return expandSecretSync(secretSync, folderWithPath);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Create - Secret Sync" });
-    }
+    // TODO (scott): replace with cached folder path once implemented
+    const [folderWithPath] = secretSync.folderId
+      ? await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId])
+      : [];
+    return expandSecretSync(secretSync, folderWithPath);
   };
 
   const updateById = async (syncId: string, data: Parameters<(typeof secretSyncOrm)["updateById"]>[1]) => {
-    try {
-      const secretSync = (await secretSyncOrm.transaction(async (tx) => {
-        const sync = await secretSyncOrm.updateById(syncId, data, tx);
+    const secretSync = (await secretSyncOrm.transaction(async (tx) => {
+      const sync = await secretSyncOrm.updateById(syncId, data, tx);
 
-        return baseSecretSyncQuery({
-          filter: { id: sync.id },
-          db,
-          tx
-        }).first();
-      }))!;
+      return baseSecretSyncQuery({
+        filter: { id: sync.id },
+        db,
+        tx
+      }).first();
+    }))!;
 
-      // TODO (scott): replace with cached folder path once implemented
-      const [folderWithPath] = secretSync.folderId
-        ? await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId])
-        : [];
-      return expandSecretSync(secretSync, folderWithPath);
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Update by ID - Secret Sync" });
-    }
+    // TODO (scott): replace with cached folder path once implemented
+    const [folderWithPath] = secretSync.folderId
+      ? await folderDAL.findSecretPathByFolderIds(secretSync.projectId, [secretSync.folderId])
+      : [];
+    return expandSecretSync(secretSync, folderWithPath);
   };
 
   const findOne = async (filter: Parameters<(typeof secretSyncOrm)["findOne"]>[0], tx?: Knex) => {

backend/src/services/secret-sync/secret-sync-enums.ts

@@ -1,6 +1,7 @@
 export enum SecretSync {
   AWSParameterStore = "aws-parameter-store",
-  GitHub = "github"
+  GitHub = "github",
+  GCPSecretManager = "gcp-secret-manager"
 }
 
 export enum SecretSyncInitialSyncBehavior {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -13,9 +13,13 @@ import {
   TSecretSyncWithCredentials
 } from "@app/services/secret-sync/secret-sync-types";
 
+import { GCP_SYNC_LIST_OPTION } from "./gcp";
+import { GcpSyncFns } from "./gcp/gcp-sync-fns";
+
 const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
   [SecretSync.AWSParameterStore]: AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
-  [SecretSync.GitHub]: GITHUB_SYNC_LIST_OPTION
+  [SecretSync.GitHub]: GITHUB_SYNC_LIST_OPTION,
+  [SecretSync.GCPSecretManager]: GCP_SYNC_LIST_OPTION
 };
 
 export const listSecretSyncOptions = () => {
@@ -71,6 +75,8 @@ export const SecretSyncFns = {
         return AwsParameterStoreSyncFns.syncSecrets(secretSync, secretMap);
       case SecretSync.GitHub:
         return GithubSyncFns.syncSecrets(secretSync, secretMap);
+      case SecretSync.GCPSecretManager:
+        return GcpSyncFns.syncSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -86,6 +92,9 @@ export const SecretSyncFns = {
       case SecretSync.GitHub:
         secretMap = await GithubSyncFns.getSecrets(secretSync);
         break;
+      case SecretSync.GCPSecretManager:
+        secretMap = await GcpSyncFns.getSecrets(secretSync);
+        break;
       default:
         throw new Error(
           `Unhandled sync destination for get secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -103,6 +112,8 @@ export const SecretSyncFns = {
         return AwsParameterStoreSyncFns.removeSecrets(secretSync, secretMap);
       case SecretSync.GitHub:
         return GithubSyncFns.removeSecrets(secretSync, secretMap);
+      case SecretSync.GCPSecretManager:
+        return GcpSyncFns.removeSecrets(secretSync, secretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -115,7 +126,7 @@ export const parseSyncErrorMessage = (err: unknown): string => {
   if (err instanceof SecretSyncError) {
     return JSON.stringify({
       secretKey: err.secretKey,
-      error: err.message ?? parseSyncErrorMessage(err.error)
+      error: err.message || parseSyncErrorMessage(err.error)
     });
   }
 

backend/src/services/secret-sync/secret-sync-maps.ts

@@ -3,10 +3,12 @@ import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
   [SecretSync.AWSParameterStore]: "AWS Parameter Store",
-  [SecretSync.GitHub]: "GitHub"
+  [SecretSync.GitHub]: "GitHub",
+  [SecretSync.GCPSecretManager]: "GCP Secret Manager"
 };
 
 export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
   [SecretSync.AWSParameterStore]: AppConnection.AWS,
-  [SecretSync.GitHub]: AppConnection.GitHub
+  [SecretSync.GitHub]: AppConnection.GitHub,
+  [SecretSync.GCPSecretManager]: AppConnection.GCP
 };

backend/src/services/secret-sync/secret-sync-service.ts

@@ -8,7 +8,8 @@ import {
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { DatabaseErrorCode } from "@app/lib/error-codes";
+import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import { TAppConnectionServiceFactory } from "@app/services/app-connection/app-connection-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -197,37 +198,26 @@ export const secretSyncServiceFactory = ({
     // validates permission to connect and app is valid for sync destination
     await appConnectionService.connectAppConnectionById(destinationApp, params.connectionId, actor);
 
-    const secretSync = await secretSyncDAL.transaction(async (tx) => {
-      const isConflictingName = Boolean(
-        (
-          await secretSyncDAL.find(
-            {
-              name: params.name,
-              projectId
-            },
-            tx
-          )
-        ).length
-      );
-
-      if (isConflictingName)
-        throw new BadRequestError({
-          message: `A Secret Sync with the name "${params.name}" already exists for the project with ID "${folder.projectId}"`
-        });
-
-      const sync = await secretSyncDAL.create({
+    try {
+      const secretSync = await secretSyncDAL.create({
         folderId: folder.id,
         ...params,
         ...(params.isAutoSyncEnabled && { syncStatus: SecretSyncStatus.Pending }),
         projectId
       });
 
-      return sync;
-    });
+      if (secretSync.isAutoSyncEnabled) await secretSyncQueue.queueSecretSyncSyncSecretsById({ syncId: secretSync.id });
 
-    if (secretSync.isAutoSyncEnabled) await secretSyncQueue.queueSecretSyncSyncSecretsById({ syncId: secretSync.id });
+      return secretSync as TSecretSync;
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({
+          message: `A Secret Sync with the name "${params.name}" already exists for the project with ID "${folder.projectId}"`
+        });
+      }
 
-    return secretSync as TSecretSync;
+      throw err;
+    }
   };
 
   const updateSecretSync = async (
@@ -260,78 +250,65 @@ export const secretSyncServiceFactory = ({
         message: `Secret sync with ID "${secretSync.id}" is not configured for ${SECRET_SYNC_NAME_MAP[destination]}`
       });
 
-    const updatedSecretSync = await secretSyncDAL.transaction(async (tx) => {
-      let { folderId } = secretSync;
+    let { folderId } = secretSync;
 
-      if (params.connectionId) {
-        const destinationApp = SECRET_SYNC_CONNECTION_MAP[secretSync.destination as SecretSync];
+    if (params.connectionId) {
+      const destinationApp = SECRET_SYNC_CONNECTION_MAP[secretSync.destination as SecretSync];
 
-        // validates permission to connect and app is valid for sync destination
-        await appConnectionService.connectAppConnectionById(destinationApp, params.connectionId, actor);
-      }
+      // validates permission to connect and app is valid for sync destination
+      await appConnectionService.connectAppConnectionById(destinationApp, params.connectionId, actor);
+    }
 
-      if (
-        (secretPath && secretPath !== secretSync.folder?.path) ||
-        (environment && environment !== secretSync.environment?.slug)
-      ) {
-        const updatedEnvironment = environment ?? secretSync.environment?.slug;
-        const updatedSecretPath = secretPath ?? secretSync.folder?.path;
+    if (
+      (secretPath && secretPath !== secretSync.folder?.path) ||
+      (environment && environment !== secretSync.environment?.slug)
+    ) {
+      const updatedEnvironment = environment ?? secretSync.environment?.slug;
+      const updatedSecretPath = secretPath ?? secretSync.folder?.path;
 
-        if (!updatedEnvironment || !updatedSecretPath)
-          throw new BadRequestError({ message: "Must specify both source environment and secret path" });
+      if (!updatedEnvironment || !updatedSecretPath)
+        throw new BadRequestError({ message: "Must specify both source environment and secret path" });
 
-        ForbiddenError.from(permission).throwUnlessCan(
-          ProjectPermissionActions.Read,
-          subject(ProjectPermissionSub.Secrets, {
-            environment: updatedEnvironment,
-            secretPath: updatedSecretPath
-          })
-        );
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionActions.Read,
+        subject(ProjectPermissionSub.Secrets, {
+          environment: updatedEnvironment,
+          secretPath: updatedSecretPath
+        })
+      );
 
-        const newFolder = await folderDAL.findBySecretPath(secretSync.projectId, updatedEnvironment, updatedSecretPath);
+      const newFolder = await folderDAL.findBySecretPath(secretSync.projectId, updatedEnvironment, updatedSecretPath);
 
-        if (!newFolder)
-          throw new BadRequestError({
-            message: `Could not find folder with path "${secretPath}" in environment "${environment}" for project with ID "${secretSync.projectId}"`
-          });
+      if (!newFolder)
+        throw new BadRequestError({
+          message: `Could not find folder with path "${secretPath}" in environment "${environment}" for project with ID "${secretSync.projectId}"`
+        });
 
-        folderId = newFolder.id;
-      }
+      folderId = newFolder.id;
+    }
 
-      if (params.name && secretSync.name !== params.name) {
-        const isConflictingName = Boolean(
-          (
-            await secretSyncDAL.find(
-              {
-                name: params.name,
-                projectId: secretSync.projectId
-              },
-              tx
-            )
-          ).length
-        );
+    const isAutoSyncEnabled = params.isAutoSyncEnabled ?? secretSync.isAutoSyncEnabled;
 
-        if (isConflictingName)
-          throw new BadRequestError({
-            message: `A Secret Sync with the name "${params.name}" already exists for project with ID "${secretSync.projectId}"`
-          });
-      }
-
-      const isAutoSyncEnabled = params.isAutoSyncEnabled ?? secretSync.isAutoSyncEnabled;
-
-      const updatedSync = await secretSyncDAL.updateById(syncId, {
+    try {
+      const updatedSecretSync = await secretSyncDAL.updateById(syncId, {
         ...params,
         ...(isAutoSyncEnabled && folderId && { syncStatus: SecretSyncStatus.Pending }),
         folderId
       });
 
-      return updatedSync;
-    });
+      if (updatedSecretSync.isAutoSyncEnabled)
+        await secretSyncQueue.queueSecretSyncSyncSecretsById({ syncId: secretSync.id });
 
-    if (updatedSecretSync.isAutoSyncEnabled)
-      await secretSyncQueue.queueSecretSyncSyncSecretsById({ syncId: secretSync.id });
+      return updatedSecretSync as TSecretSync;
+    } catch (err) {
+      if (err instanceof DatabaseError && (err.error as { code: string })?.code === DatabaseErrorCode.UniqueViolation) {
+        throw new BadRequestError({
+          message: `A Secret Sync with the name "${params.name}" already exists for the project with ID "${secretSync.projectId}"`
+        });
+      }
 
-    return updatedSecretSync as TSecretSync;
+      throw err;
+    }
   };
 
   const deleteSecretSync = async (

backend/src/services/secret-sync/secret-sync-types.ts

@@ -17,14 +17,18 @@ import {
   TAwsParameterStoreSyncListItem,
   TAwsParameterStoreSyncWithCredentials
 } from "./aws-parameter-store";
+import { TGcpSync, TGcpSyncInput, TGcpSyncListItem, TGcpSyncWithCredentials } from "./gcp";
 
-export type TSecretSync = TAwsParameterStoreSync | TGitHubSync;
+export type TSecretSync = TAwsParameterStoreSync | TGitHubSync | TGcpSync;
 
-export type TSecretSyncWithCredentials = TAwsParameterStoreSyncWithCredentials | TGitHubSyncWithCredentials;
+export type TSecretSyncWithCredentials =
+  | TAwsParameterStoreSyncWithCredentials
+  | TGitHubSyncWithCredentials
+  | TGcpSyncWithCredentials;
 
-export type TSecretSyncInput = TAwsParameterStoreSyncInput | TGitHubSyncInput;
+export type TSecretSyncInput = TAwsParameterStoreSyncInput | TGitHubSyncInput | TGcpSyncInput;
 
-export type TSecretSyncListItem = TAwsParameterStoreSyncListItem | TGitHubSyncListItem;
+export type TSecretSyncListItem = TAwsParameterStoreSyncListItem | TGitHubSyncListItem | TGcpSyncListItem;
 
 export type TSyncOptionsConfig = {
   canImportSecrets: boolean;

backend/src/services/smtp/smtp-service.ts

@@ -30,6 +30,7 @@ export enum SmtpTemplates {
   NewDeviceJoin = "newDevice.handlebars",
   OrgInvite = "organizationInvitation.handlebars",
   ResetPassword = "passwordReset.handlebars",
+  SetupPassword = "passwordSetup.handlebars",
   SecretLeakIncident = "secretLeakIncident.handlebars",
   WorkspaceInvite = "workspaceInvitation.handlebars",
   ScimUserProvisioned = "scimUserProvisioned.handlebars",

backend/src/services/smtp/templates/passwordSetup.handlebars

@@ -0,0 +1,17 @@
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="x-ua-compatible" content="ie=edge" />
+    <title>Password Setup</title>
+  </head>
+  <body>
+    <h2>Setup your password</h2>
+    <p>Someone requested to set up a password for your account.</p>
+    <p><strong>Make sure you are already logged in to Infisical in the current browser before clicking the link below.</strong></p>
+    <a href="{{callback_url}}?token={{token}}&to={{email}}">Setup password</a>
+    <p>If you didn't initiate this request, please contact
+      {{#if isCloud}}us immediately at team@infisical.com.{{else}}your administrator immediately.{{/if}}</p>
+
+    {{emailFooter}}
+  </body>
+</html>

cli/packages/cmd/secrets.go

@@ -110,7 +110,7 @@ var secretsCmd = &cobra.Command{
 
 		if plainOutput {
 			for _, secret := range secrets {
-				fmt.Println(secret.Value)
+				fmt.Println(fmt.Sprintf("%s=%s", secret.Key, secret.Value))
 			}
 		} else {
 			visualize.PrintAllSecretDetails(secrets)

company/documentation/engineering/how-to-write-design-doc.mdx

@@ -0,0 +1,67 @@
+---
+title: "How to write a design document"
+sidebarTitle: "Writing Design Docs"
+description: "Learn how to write a design document at Infisical"
+---
+
+## **Why write a design document?**
+
+Writing a design document helps you efficiently solve broad, complex engineering problems at Infisical. While planning is important, we are a startup, so speed and urgency should be your top of mind. Keep the process lightweight and time boxed so that we can get the most out of it.
+
+**Writing a design will help you:**
+
+- **Understand the problem space:** Deeply understand the problem you’re solving to make sure it is well scoped.
+- **Stay on the right path:** Without proper planning, you risk cycling between partial implementation and replanning, encountering roadblocks that force you back to square one. A solid plan minimizes wasted engineering hours.
+- **An opportunity to collaborate:** Bring relevant engineers into the discussion to develop well-thought-out solutions and catch potential issues you might have overlooked.
+- **Faster implementation:** A well-thought-out plan will help you catch roadblocks early and ship quickly because you know exactly what needs to get implemented.
+
+**When to write a design document:** 
+
+- **Write a design doc**: If the feature is not well defined, high-security, or will take more than **1 full engineering week** to build.
+- **Skip the design doc**: For small, straightforward features that can be built quickly with informal discussions.
+
+If you are unsure when to create a design doc, chat with @maidul.
+
+## **What to Include in your Design Document**
+
+Every feature/problem is unique, but your design docs should generally include the following sections. If you need to include additional sections, feel free to do so.
+
+1. **Title**
+    - A descriptive title.
+    - Name of document owner and name of reviewer(s).
+2. **Overview**
+    - A high-level summary of the problem and proposed solution. Keep it brief (max 3 paragraphs).
+3. **Context**
+    - Explain the problem’s background, why it’s important to solve now, and any constraints (e.g., technical, sales, or timeline-related). What do we get out of solving this problem? (needed to close a deal, scale, performance, etc.). 
+4. **Solution**
+    - Provide a big-picture explanation of the solution, followed by detailed technical architecture.
+    - Use diagrams/charts where needed.
+    - Write clearly so that another engineer could implement the solution in your absence.
+5. **Milestones**
+    - Break the project into phases with clear start and end dates estimates. Use a table or bullet points.
+6. **FAQ**
+    - Common questions or concerns someone might have while reading your document that can be quickly addressed.
+
+
+## **How to Write a Design Doc**
+
+- **Keep it Simple**: Use clear, simple language. Opt for short sentences, bullet points, and concrete examples over fluff writing.
+- **Use Visuals**: Add diagrams and charts for clarity to convey your ideas.
+- **Make it Self-Explanatory**: Ensure that anyone reading the document can understand and implement the plan without needing additional context.
+
+Before sharing your design docs with others, review your design doc as if you were a teammate seeing it for the first time. Anticipate questions and address them.
+
+
+## **Process from start to finish**
+
+1. **Research/Discuss**
+    - Before you start writing, take some time to research and get a solid understanding of the problem space. Look into how other well-established companies are tackling similar challenges, if they are. 
+      Talk through the problem and your initial solution with other engineers on the team—bounce ideas around and get their feedback. If you have ideas on how the system could if implemented in Infisical, would it effect any downstream features/systems, etc?
+      
+      Once you’ve got a general direction, you might need to test a some theories. This is where quick proof of concepts (POCs) come in handy, but don’t get too caught up in the details. The goal of a POC is simply to validate a core idea or concept so you can get to the rest of your planning.
+2. **Write the Doc**
+    - Based on your research/discussions, write the design doc and include all relevant sections. Your goal is to come up with a convincing plan on why this is the correct why to solve the problem at hand.
+3. **Assign Reviewers**
+    - Ask a relevant engineer(s) to review your document. Their role is to identify blind spots, challenge assumptions, and ensure everything is clear. Once you and the reviewer are on the same page on the approach, update the document with any missing details they brought up.
+4. **Team Review and Feedback**
+    - Invite the relevant engineers to a design doc review meeting and give them 10-15 minutes to read through the document. After everyone has had a chance to review it, open the floor up for discussion. Address any feedback or concerns raised during this meeting. If significant points were overlooked during your initial planning, you may need to revisit the drawing board. Your goal is to think about the feature holistically and minimize the need for drastic changes to your design doc later on.

company/mint.json

@@ -66,7 +66,8 @@
         {
           "group": "Engineering",
           "pages": [
-            "documentation/engineering/oncall"
+            "documentation/engineering/oncall",
+            "documentation/engineering/how-to-write-design-doc"
           ]
         }
       ]

docker-compose.dev.yml

@@ -192,6 +192,17 @@ services:
     depends_on:
       - openldap
     profiles: [ldap]
+    
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.1.0
+    restart: always
+    environment:
+      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
+      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
+    command: start-dev
+    ports:
+      - 8088:8080
+    profiles: [ sso ]
 
 volumes:
   postgres-data:

docker-swarm/.env-example

@@ -20,7 +20,8 @@ SITE_URL=http://localhost:8080
 # Mail/SMTP 
 SMTP_HOST=
 SMTP_PORT=
-SMTP_NAME=
+SMTP_FROM_ADDRESS=
+SMTP_FROM_NAME=
 SMTP_USERNAME=
 SMTP_PASSWORD=
 

docs/api-reference/endpoints/app-connections/gcp/available.mdx

@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/gcp/available"
+---

docs/api-reference/endpoints/app-connections/gcp/create.mdx

@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/gcp"
+---
+
+<Note>
+  Check out the configuration docs for [GCP
+  Connections](/integrations/app-connections/gcp) to learn how to obtain the
+  required credentials.
+</Note>

docs/api-reference/endpoints/app-connections/gcp/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/gcp/{connectionId}"
+---