misc: added message for bypass

.env.example

@@ -79,4 +79,4 @@ PLAIN_WISH_LABEL_IDS=
 
 SSL_CLIENT_CERTIFICATE_HEADER_KEY=
 
-ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=true
+ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT=

.github/workflows/release-standalone-docker-img-postgres-offical.yml

@@ -1,115 +1,62 @@
 name: Release standalone docker image
 on:
-    push:
-        tags:
-            - "infisical/v*.*.*-postgres"
+  push:
+    tags:
+      - "infisical/v*.*.*-postgres"
 
 jobs:
-    infisical-tests:
-        name: Run tests before deployment
-        # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
-        uses: ./.github/workflows/run-backend-tests.yml
-
-    infisical-standalone:
-        name: Build infisical standalone image postgres
-        runs-on: ubuntu-latest
-        needs: [infisical-tests]
-        steps:
-            - name: Extract version from tag
-              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-            - name: ☁️ Checkout source
-              uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 📦 Install dependencies to test all dependencies
-              run: npm ci --only-production
-              working-directory: backend
-            - name: version output
-              run: |
-                  echo "Output Value: ${{ steps.version.outputs.major }}"
-                  echo "Output Value: ${{ steps.version.outputs.minor }}"
-                  echo "Output Value: ${{ steps.version.outputs.patch }}"
-                  echo "Output Value: ${{ steps.version.outputs.version }}"
-                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
-                  echo "Output Value: ${{ steps.version.outputs.increment }}"
-            - name: Save commit hashes for tag
-              id: commit
-              uses: pr-mpt/actions-commit-hash@v2
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: Set up Depot CLI
-              uses: depot/setup-action@v1
-            - name: 📦 Build backend and export to Docker
-              uses: depot/build-push-action@v1
-              with:
-                  project: 64mmf0n610
-                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-                  push: true
-                  context: .
-                  tags: |
-                      infisical/infisical:latest-postgres
-                      infisical/infisical:${{ steps.commit.outputs.short }}
-                      infisical/infisical:${{ steps.extract_version.outputs.version }}
-                  platforms: linux/amd64,linux/arm64
-                  file: Dockerfile.standalone-infisical
-                  build-args: |
-                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
-
-    infisical-fips-standalone:
-        name: Build infisical standalone image postgres
-        runs-on: ubuntu-latest
-        needs: [infisical-tests]
-        steps:
-            - name: Extract version from tag
-              id: extract_version
-              run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
-            - name: ☁️ Checkout source
-              uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-            - name: 📦 Install dependencies to test all dependencies
-              run: npm ci --only-production
-              working-directory: backend
-            - name: version output
-              run: |
-                  echo "Output Value: ${{ steps.version.outputs.major }}"
-                  echo "Output Value: ${{ steps.version.outputs.minor }}"
-                  echo "Output Value: ${{ steps.version.outputs.patch }}"
-                  echo "Output Value: ${{ steps.version.outputs.version }}"
-                  echo "Output Value: ${{ steps.version.outputs.version_type }}"
-                  echo "Output Value: ${{ steps.version.outputs.increment }}"
-            - name: Save commit hashes for tag
-              id: commit
-              uses: pr-mpt/actions-commit-hash@v2
-            - name: 🔧 Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-            - name: 🐋 Login to Docker Hub
-              uses: docker/login-action@v2
-              with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - name: Set up Depot CLI
-              uses: depot/setup-action@v1
-            - name: 📦 Build backend and export to Docker
-              uses: depot/build-push-action@v1
-              with:
-                  project: 64mmf0n610
-                  token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-                  push: true
-                  context: .
-                  tags: |
-                      infisical/infisical-fips:latest-postgres
-                      infisical/infisical-fips:${{ steps.commit.outputs.short }}
-                      infisical/infisical-fips:${{ steps.extract_version.outputs.version }}
-                  platforms: linux/amd64,linux/arm64
-                  file: Dockerfile.fips.standalone-infisical
-                  build-args: |
-                      POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
-                      INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}
+  infisical-tests:
+    name: Run tests before deployment
+    # https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+    uses: ./.github/workflows/run-backend-tests.yml
+  infisical-standalone:
+    name: Build infisical standalone image postgres
+    runs-on: ubuntu-latest
+    needs: [infisical-tests]
+    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest-postgres
+            infisical/infisical:${{ steps.commit.outputs.short }}
+            infisical/infisical:${{ steps.extract_version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical
+          build-args: |
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            INFISICAL_PLATFORM_VERSION=${{ steps.extract_version.outputs.version }}

.github/workflows/release_build_infisical_cli.yml

@@ -10,7 +10,8 @@ on:
 
 permissions:
     contents: write
-
+    # packages: write
+    # issues: write
 jobs:
     cli-integration-tests:
         name: Run tests before deployment
@@ -25,63 +26,6 @@ jobs:
             CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
             CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
-    npm-release:
-        runs-on: ubuntu-20.04
-        env:
-            working-directory: ./npm
-        needs:
-            - cli-integration-tests
-            - goreleaser
-        steps:
-            - uses: actions/checkout@v3
-              with:
-                  fetch-depth: 0
-
-            - name: Extract version
-              run: |
-                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
-                  echo "Version extracted: $VERSION"
-                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
-
-            - name: Print version
-              run: echo ${{ env.CLI_VERSION }}
-
-            - name: Setup Node
-              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
-              with:
-                  node-version: 20
-                  cache: "npm"
-                  cache-dependency-path: ./npm/package-lock.json
-            - name: Install dependencies
-              working-directory: ${{ env.working-directory }}
-              run: npm install --ignore-scripts
-
-            - name: Set NPM version
-              working-directory: ${{ env.working-directory }}
-              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
-
-            - name: Setup NPM
-              working-directory: ${{ env.working-directory }}
-              run: |
-                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-
-                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
-                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-            - name: Pack NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm pack
-
-            - name: Publish NPM
-              working-directory: ${{ env.working-directory }}
-              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
     goreleaser:
         runs-on: ubuntu-20.04
         needs: [cli-integration-tests]

.gitignore

@@ -71,5 +71,3 @@ frontend-build
 cli/infisical-merge
 cli/test/infisical-merge
 /backend/binary
-
-/npm/bin

.infisicalignore

@@ -6,4 +6,3 @@ frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/S
 docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
-backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134

Dockerfile.fips.standalone-infisical

@@ -1,167 +0,0 @@
-ARG POSTHOG_HOST=https://app.posthog.com
-ARG POSTHOG_API_KEY=posthog-api-key
-ARG INTERCOM_ID=intercom-id
-ARG CAPTCHA_SITE_KEY=captcha-site-key
-
-FROM node:20-slim AS base
-
-FROM base AS frontend-dependencies
-WORKDIR /app
-
-COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
-
-# Install dependencies
-RUN npm ci --only-production --ignore-scripts
-
-# Rebuild the source code only when needed
-FROM base AS frontend-builder
-WORKDIR /app
-
-# Copy dependencies
-COPY --from=frontend-dependencies /app/node_modules ./node_modules
-# Copy all files 
-COPY /frontend .
-
-ENV NODE_ENV production
-ENV NEXT_PUBLIC_ENV production
-ARG POSTHOG_HOST
-ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
-ARG INTERCOM_ID
-ENV NEXT_PUBLIC_INTERCOM_ID $INTERCOM_ID
-ARG INFISICAL_PLATFORM_VERSION
-ENV NEXT_PUBLIC_INFISICAL_PLATFORM_VERSION $INFISICAL_PLATFORM_VERSION
-ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY $CAPTCHA_SITE_KEY 
-
-# Build
-RUN npm run build
-
-# Production image
-FROM base AS frontend-runner
-WORKDIR /app
-
-RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
-
-RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
-VOLUME /app/.next/cache/images
-
-COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
-COPY --from=frontend-builder /app/public ./public
-RUN chown non-root-user:nodejs ./public/data
-
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
-COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
-
-USER non-root-user
-
-ENV NEXT_TELEMETRY_DISABLED 1
-
-##
-## BACKEND
-##
-FROM base AS backend-build
-
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
-RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
-
-WORKDIR /app
-
-# Required for pkcs11js
-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++ \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY /backend .
-COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
-RUN npm i -D tsconfig-paths
-RUN npm run build
-
-# Production stage
-FROM base AS backend-runner
-
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
-WORKDIR /app
-
-# Required for pkcs11js
-RUN apt-get update && apt-get install -y \
-    python3 \
-    make \
-    g++ \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY backend/package*.json ./
-RUN npm ci --only-production
-
-COPY --from=backend-build /app .
-
-RUN mkdir frontend-build
-
-# Production stage
-FROM base AS production
-
-# Install necessary packages
-RUN apt-get update && apt-get install -y \
-    ca-certificates \
-    curl \
-    git \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Infisical CLI
-RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.31.1 \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
-
-# Give non-root-user permission to update SSL certs
-RUN chown -R non-root-user /etc/ssl/certs
-RUN chown non-root-user /etc/ssl/certs/ca-certificates.crt
-RUN chmod -R u+rwx /etc/ssl/certs
-RUN chmod u+rw /etc/ssl/certs/ca-certificates.crt
-RUN chown non-root-user /usr/sbin/update-ca-certificates
-RUN chmod u+rx /usr/sbin/update-ca-certificates
-
-## set pre baked keys
-ARG POSTHOG_API_KEY
-ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
-    BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
-ARG INTERCOM_ID=intercom-id
-ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
-    BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
-ARG CAPTCHA_SITE_KEY
-ENV NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY \
-    BAKED_NEXT_PUBLIC_CAPTCHA_SITE_KEY=$CAPTCHA_SITE_KEY
-
-WORKDIR / 
-
-COPY --from=backend-runner /app /backend
-
-COPY --from=frontend-runner /app ./backend/frontend-build
-
-ENV PORT 8080
-ENV HOST=0.0.0.0
-ENV HTTPS_ENABLED false 
-ENV NODE_ENV production
-ENV STANDALONE_BUILD true 
-ENV STANDALONE_MODE true
-ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-
-WORKDIR /backend
-
-ENV TELEMETRY_ENABLED true
-
-EXPOSE 8080
-EXPOSE 443
-
-USER non-root-user
-
-CMD ["./standalone-entrypoint.sh"]

Dockerfile.standalone-infisical

@@ -72,9 +72,6 @@ RUN addgroup --system --gid 1001 nodejs \
 
 WORKDIR /app
 
-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
-
 COPY backend/package*.json ./
 RUN npm ci --only-production
 
@@ -88,9 +85,6 @@ FROM base AS backend-runner
 
 WORKDIR /app
 
-# Required for pkcs11js
-RUN apk add --no-cache python3 make g++ 
-
 COPY backend/package*.json ./
 RUN npm ci --only-production
 

backend/Dockerfile

@@ -3,12 +3,6 @@ FROM node:20-alpine AS build
 
 WORKDIR /app
 
-# Required for pkcs11js
-RUN apk --update add \
-        python3 \
-        make \
-        g++
-
 COPY package*.json ./
 RUN npm ci --only-production
 
@@ -17,17 +11,12 @@ RUN npm run build
 
 # Production stage
 FROM node:20-alpine
+
 WORKDIR /app
 
 ENV npm_config_cache /home/node/.npm
 
 COPY package*.json ./
-
-RUN apk --update add \
-        python3 \
-        make \
-        g++
-
 RUN npm ci --only-production && npm cache clean --force
 
 COPY --from=build /app .

backend/Dockerfile.dev

@@ -1,44 +1,5 @@
 FROM node:20-alpine
 
-# ? Setup a test SoftHSM module. In production a real HSM is used.
-
-ARG SOFTHSM2_VERSION=2.5.0
-
-ENV SOFTHSM2_VERSION=${SOFTHSM2_VERSION} \
-    SOFTHSM2_SOURCES=/tmp/softhsm2
-
-# install build dependencies including python3
-RUN apk --update add \
-        alpine-sdk \
-        autoconf \
-        automake \
-        git \
-        libtool \
-        openssl-dev \
-        python3 \
-        make \
-        g++
-
-# build and install SoftHSM2
-RUN git clone https://github.com/opendnssec/SoftHSMv2.git ${SOFTHSM2_SOURCES}
-WORKDIR ${SOFTHSM2_SOURCES}
-
-RUN git checkout ${SOFTHSM2_VERSION} -b ${SOFTHSM2_VERSION} \
-    && sh autogen.sh \
-    && ./configure --prefix=/usr/local --disable-gost \
-    && make \
-    && make install
-
-WORKDIR /root
-RUN rm -fr ${SOFTHSM2_SOURCES}
-
-# install pkcs11-tool
-RUN apk --update add opensc
-
-RUN softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000
-
-# ? App setup
-
 RUN apk add --no-cache bash curl && curl -1sLf \
   'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.alpine.sh' | bash \
   && apk add infisical=0.8.1 && apk add --no-cache git

backend/e2e-test/mocks/smtp.ts

@@ -5,6 +5,9 @@ export const mockSmtpServer = (): TSmtpService => {
   return {
     sendMail: async (data) => {
       storage.push(data);
+    },
+    verify: async () => {
+      return true;
     }
   };
 };

backend/e2e-test/vitest-environment-knex.ts

@@ -16,7 +16,6 @@ import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { Redis } from "ioredis";
-import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -55,12 +54,7 @@ export default {
       const smtp = mockSmtpServer();
       const queue = queueServiceFactory(cfg.REDIS_URL);
       const keyStore = keyStoreFactory(cfg.REDIS_URL);
-
-      const hsmModule = initializeHsmModule();
-      hsmModule.initialize();
-
-      const server = await main({ db, smtp, logger, queue, keyStore, hsmModule: hsmModule.getModule() });
-
+      const server = await main({ db, smtp, logger, queue, keyStore });
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type

backend/package-lock.json

@@ -83,7 +83,6 @@
         "pg-query-stream": "^4.5.3",
         "picomatch": "^3.0.1",
         "pino": "^8.16.2",
-        "pkcs11js": "^2.1.6",
         "pkijs": "^3.2.4",
         "posthog-node": "^3.6.2",
         "probot": "^13.3.8",
@@ -121,7 +120,6 @@
         "@types/passport-google-oauth20": "^2.0.14",
         "@types/pg": "^8.10.9",
         "@types/picomatch": "^2.3.3",
-        "@types/pkcs11js": "^1.0.4",
         "@types/prompt-sync": "^4.2.3",
         "@types/resolve": "^1.20.6",
         "@types/safe-regex": "^1.1.6",
@@ -8832,17 +8830,6 @@
       "integrity": "sha512-Yll76ZHikRFCyz/pffKGjrCwe/le2CDwOP5F210KQo27kpRE46U2rDnzikNlVn6/ezH3Mhn46bJMTfeVTtcYMg==",
       "dev": true
     },
-    "node_modules/@types/pkcs11js": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/@types/pkcs11js/-/pkcs11js-1.0.4.tgz",
-      "integrity": "sha512-Pkq8VbwZZv7o/6ODFOhxw0s0M8J4ucg4/I4V1dSCn8tUwWgIKIYzuV4Pp2fYuir81DgQXAF5TpGyhBMjJ3FjFw==",
-      "deprecated": "This is a stub types definition for pkcs11js (https://github.com/PeculiarVentures/pkcs11js). pkcs11js provides its own type definitions, so you don't need @types/pkcs11js installed!",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "pkcs11js": "*"
-      }
-    },
     "node_modules/@types/prompt-sync": {
       "version": "4.2.3",
       "resolved": "https://registry.npmjs.org/@types/prompt-sync/-/prompt-sync-4.2.3.tgz",
@@ -17079,20 +17066,6 @@
         "node": ">= 6"
       }
     },
-    "node_modules/pkcs11js": {
-      "version": "2.1.6",
-      "resolved": "https://registry.npmjs.org/pkcs11js/-/pkcs11js-2.1.6.tgz",
-      "integrity": "sha512-+t5jxzB749q8GaEd1yNx3l98xYuaVK6WW/Vjg1Mk1Iy5bMu/A5W4O/9wZGrpOknWF6lFQSb12FXX+eSNxdriwA==",
-      "hasInstallScript": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/PeculiarVentures"
-      }
-    },
     "node_modules/pkg-conf": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/pkg-conf/-/pkg-conf-3.1.0.tgz",
@@ -19788,10 +19761,9 @@
       }
     },
     "node_modules/tslib": {
-      "version": "2.8.0",
-      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.0.tgz",
-      "integrity": "sha512-jWVzBLplnCmoaTr13V9dYbiQ99wvZRd0vNWaDRg+aVYRcjDF3nDksxFDE/+fkXnKhpnUUkmx5pK/v8mCtLVqZA==",
-      "license": "0BSD"
+      "version": "2.6.3",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.3.tgz",
+      "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ=="
     },
     "node_modules/tsup": {
       "version": "8.0.1",

backend/package.json

@@ -84,7 +84,6 @@
     "@types/passport-google-oauth20": "^2.0.14",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
-    "@types/pkcs11js": "^1.0.4",
     "@types/prompt-sync": "^4.2.3",
     "@types/resolve": "^1.20.6",
     "@types/safe-regex": "^1.1.6",
@@ -189,7 +188,6 @@
     "pg-query-stream": "^4.5.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",
-    "pkcs11js": "^2.1.6",
     "pkijs": "^3.2.4",
     "posthog-node": "^3.6.2",
     "probot": "^13.3.8",

backend/src/@types/fastify.d.ts

@@ -18,7 +18,6 @@ import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-con
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TOidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { TProjectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { TRateLimitServiceFactory } from "@app/ee/services/rate-limit/rate-limit-service";
 import { RateLimitConfiguration } from "@app/ee/services/rate-limit/rate-limit-types";
@@ -44,7 +43,6 @@ import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
 import { TExternalMigrationServiceFactory } from "@app/services/external-migration/external-migration-service";
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
-import { THsmServiceFactory } from "@app/services/hsm/hsm-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
 import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
@@ -185,14 +183,12 @@ declare module "fastify" {
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
       externalKms: TExternalKmsServiceFactory;
-      hsm: THsmServiceFactory;
       orgAdmin: TOrgAdminServiceFactory;
       slack: TSlackServiceFactory;
       workflowIntegration: TWorkflowIntegrationServiceFactory;
       cmek: TCmekServiceFactory;
       migration: TExternalMigrationServiceFactory;
       externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
-      projectTemplate: TProjectTemplateServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -200,9 +200,6 @@ import {
   TProjectSlackConfigsInsert,
   TProjectSlackConfigsUpdate,
   TProjectsUpdate,
-  TProjectTemplates,
-  TProjectTemplatesInsert,
-  TProjectTemplatesUpdate,
   TProjectUserAdditionalPrivilege,
   TProjectUserAdditionalPrivilegeInsert,
   TProjectUserAdditionalPrivilegeUpdate,
@@ -821,10 +818,5 @@ declare module "knex/types/tables" {
       TExternalGroupOrgRoleMappingsInsert,
       TExternalGroupOrgRoleMappingsUpdate
     >;
-    [TableName.ProjectTemplates]: KnexOriginal.CompositeTableType<
-      TProjectTemplates,
-      TProjectTemplatesInsert,
-      TProjectTemplatesUpdate
-    >;
   }
 }

backend/src/db/migrations/20240802181855_ca-cert-version.ts

@@ -64,25 +64,23 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   if (await knex.schema.hasTable(TableName.Certificate)) {
-    const hasCaCertIdColumn = await knex.schema.hasColumn(TableName.Certificate, "caCertId");
-    if (!hasCaCertIdColumn) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.uuid("caCertId").nullable();
-        t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-      });
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caCertId").nullable();
+      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+    });
 
-      await knex.raw(`
+    await knex.raw(`
         UPDATE "${TableName.Certificate}" cert
         SET "caCertId" = (
           SELECT caCert.id
           FROM "${TableName.CertificateAuthorityCert}" caCert
           WHERE caCert."caId" = cert."caId"
-        )`);
+        )
+      `);
 
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.uuid("caCertId").notNullable().alter();
-      });
-    }
+    await knex.schema.alterTable(TableName.Certificate, (t) => {
+      t.uuid("caCertId").notNullable().alter();
+    });
   }
 }
 

backend/src/db/migrations/20241101174939_project-templates.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "@app/db/schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "@app/db/utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ProjectTemplates))) {
-    await knex.schema.createTable(TableName.ProjectTemplates, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name", 32).notNullable();
-      t.string("description").nullable();
-      t.jsonb("roles").notNullable();
-      t.jsonb("environments").notNullable();
-      t.uuid("orgId").notNullable().references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.ProjectTemplates);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.ProjectTemplates)) {
-    await dropOnUpdateTrigger(knex, TableName.ProjectTemplates);
-
-    await knex.schema.dropTable(TableName.ProjectTemplates);
-  }
-}

backend/src/db/migrations/20241107112632_skip-bootstrap-cert-validation-est.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
-    TableName.CertificateTemplateEstConfig,
-    "disableBootstrapCertValidation"
-  );
-
-  const hasCaChainCol = await knex.schema.hasColumn(TableName.CertificateTemplateEstConfig, "encryptedCaChain");
-
-  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
-    if (!hasDisableBootstrapCertValidationCol) {
-      t.boolean("disableBootstrapCertValidation").defaultTo(false).notNullable();
-    }
-
-    if (hasCaChainCol) {
-      t.binary("encryptedCaChain").nullable().alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasDisableBootstrapCertValidationCol = await knex.schema.hasColumn(
-    TableName.CertificateTemplateEstConfig,
-    "disableBootstrapCertValidation"
-  );
-
-  await knex.schema.alterTable(TableName.CertificateTemplateEstConfig, (t) => {
-    if (hasDisableBootstrapCertValidationCol) {
-      t.dropColumn("disableBootstrapCertValidation");
-    }
-  });
-}

backend/src/db/migrations/20241111175154_kms-root-cfg-hsm.ts

@@ -1,23 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
-  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
-
-  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
-    if (!hasEncryptionStrategy) t.string("encryptionStrategy").defaultTo("SOFTWARE");
-    if (!hasTimestampsCol) t.timestamps(true, true, true);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEncryptionStrategy = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "encryptionStrategy");
-  const hasTimestampsCol = await knex.schema.hasColumn(TableName.KmsServerRootConfig, "createdAt");
-
-  await knex.schema.alterTable(TableName.KmsServerRootConfig, (t) => {
-    if (hasEncryptionStrategy) t.dropColumn("encryptionStrategy");
-    if (hasTimestampsCol) t.dropTimestamps(true);
-  });
-}

backend/src/db/schemas/certificate-template-est-configs.ts

@@ -12,12 +12,11 @@ import { TImmutableDBKeys } from "./models";
 export const CertificateTemplateEstConfigsSchema = z.object({
   id: z.string().uuid(),
   certificateTemplateId: z.string().uuid(),
-  encryptedCaChain: zodBuffer.nullable().optional(),
+  encryptedCaChain: zodBuffer,
   hashedPassphrase: z.string(),
   isEnabled: z.boolean(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  disableBootstrapCertValidation: z.boolean().default(false)
+  updatedAt: z.date()
 });
 
 export type TCertificateTemplateEstConfigs = z.infer<typeof CertificateTemplateEstConfigsSchema>;

backend/src/db/schemas/index.ts

@@ -64,7 +64,6 @@ export * from "./project-keys";
 export * from "./project-memberships";
 export * from "./project-roles";
 export * from "./project-slack-configs";
-export * from "./project-templates";
 export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";

backend/src/db/schemas/kms-root-config.ts

@@ -11,10 +11,7 @@ import { TImmutableDBKeys } from "./models";
 
 export const KmsRootConfigSchema = z.object({
   id: z.string().uuid(),
-  encryptedRootKey: zodBuffer,
-  encryptionStrategy: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
+  encryptedRootKey: zodBuffer
 });
 
 export type TKmsRootConfig = z.infer<typeof KmsRootConfigSchema>;

backend/src/db/schemas/models.ts

@@ -41,7 +41,6 @@ export enum TableName {
   ProjectUserAdditionalPrivilege = "project_user_additional_privilege",
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
-  ProjectTemplates = "project_templates",
   Secret = "secrets",
   SecretReference = "secret_references",
   SecretSharing = "secret_sharing",

backend/src/db/schemas/project-roles.ts

@@ -15,8 +15,7 @@ export const ProjectRolesSchema = z.object({
   permissions: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  projectId: z.string(),
-  version: z.number().default(1)
+  projectId: z.string()
 });
 
 export type TProjectRoles = z.infer<typeof ProjectRolesSchema>;

backend/src/db/schemas/project-templates.ts

@@ -1,23 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ProjectTemplatesSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string(),
-  description: z.string().nullable().optional(),
-  roles: z.unknown(),
-  environments: z.unknown(),
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TProjectTemplates = z.infer<typeof ProjectTemplatesSchema>;
-export type TProjectTemplatesInsert = Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>;
-export type TProjectTemplatesUpdate = Partial<Omit<z.input<typeof ProjectTemplatesSchema>, TImmutableDBKeys>>;

backend/src/db/utils.ts

@@ -2,9 +2,6 @@ import { Knex } from "knex";
 
 import { TableName } from "./schemas";
 
-interface PgTriggerResult {
-  rows: Array<{ exists: boolean }>;
-}
 export const createJunctionTable = (knex: Knex, tableName: TableName, table1Name: TableName, table2Name: TableName) =>
   knex.schema.createTable(tableName, (table) => {
     table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
@@ -31,26 +28,13 @@ DROP FUNCTION IF EXISTS on_update_timestamp() CASCADE;
 
 // we would be using this to apply updatedAt where ever we wanta
 // remember to set `timestamps(true,true,true)` before this on schema
-export const createOnUpdateTrigger = async (knex: Knex, tableName: string) => {
-  const triggerExists = await knex.raw<PgTriggerResult>(`
-    SELECT EXISTS (
-      SELECT 1 
-      FROM pg_trigger 
-      WHERE tgname = '${tableName}_updatedAt'
-    );
-  `);
-
-  if (!triggerExists?.rows?.[0]?.exists) {
-    return knex.raw(`
-      CREATE TRIGGER "${tableName}_updatedAt"
-      BEFORE UPDATE ON ${tableName}
-      FOR EACH ROW
-      EXECUTE PROCEDURE on_update_timestamp();
-    `);
-  }
-
-  return null;
-};
+export const createOnUpdateTrigger = (knex: Knex, tableName: string) =>
+  knex.raw(`
+CREATE TRIGGER "${tableName}_updatedAt"
+BEFORE UPDATE ON ${tableName}
+FOR EACH ROW
+EXECUTE PROCEDURE on_update_timestamp();
+`);
 
 export const dropOnUpdateTrigger = (knex: Knex, tableName: string) =>
   knex.raw(`DROP TRIGGER IF EXISTS "${tableName}_updatedAt" ON ${tableName}`);

backend/src/ee/routes/v1/index.ts

@@ -1,5 +1,3 @@
-import { registerProjectTemplateRouter } from "@app/ee/routes/v1/project-template-router";
-
 import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
 import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
 import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
@@ -94,6 +92,4 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerExternalKmsRouter, {
     prefix: "/external-kms"
   });
-
-  await server.register(registerProjectTemplateRouter, { prefix: "/project-templates" });
 };

backend/src/ee/routes/v1/project-role-router.ts

@@ -192,7 +192,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true, version: true }).array()
+          roles: ProjectRolesSchema.omit({ permissions: true }).array()
         })
       }
     },
@@ -225,7 +225,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchemaV1.omit({ version: true })
+          role: SanitizedRoleSchemaV1
         })
       }
     },

backend/src/ee/routes/v1/project-template-router.ts

@@ -1,309 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { z } from "zod";
-
-import { ProjectMembershipRole, ProjectTemplatesSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { ProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
-import { isInfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import { ProjectTemplates } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const MAX_JSON_SIZE_LIMIT_IN_BYTES = 32_768;
-
-const SlugSchema = z
-  .string()
-  .trim()
-  .min(1)
-  .max(32)
-  .refine((val) => val.toLowerCase() === val, "Must be lowercase")
-  .refine((v) => slugify(v) === v, {
-    message: "Must be valid slug format"
-  });
-
-const isReservedRoleSlug = (slug: string) =>
-  Object.values(ProjectMembershipRole).includes(slug as ProjectMembershipRole);
-
-const isReservedRoleName = (name: string) =>
-  ["custom", "admin", "viewer", "developer", "no access"].includes(name.toLowerCase());
-
-const SanitizedProjectTemplateSchema = ProjectTemplatesSchema.extend({
-  roles: z
-    .object({
-      name: z.string().trim().min(1),
-      slug: SlugSchema,
-      permissions: UnpackedPermissionSchema.array()
-    })
-    .array(),
-  environments: z
-    .object({
-      name: z.string().trim().min(1),
-      slug: SlugSchema,
-      position: z.number().min(1)
-    })
-    .array()
-});
-
-const ProjectTemplateRolesSchema = z
-  .object({
-    name: z.string().trim().min(1),
-    slug: SlugSchema,
-    permissions: ProjectPermissionV2Schema.array()
-  })
-  .array()
-  .superRefine((roles, ctx) => {
-    if (!roles.length) return;
-
-    if (Buffer.byteLength(JSON.stringify(roles)) > MAX_JSON_SIZE_LIMIT_IN_BYTES)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Size limit exceeded" });
-
-    if (new Set(roles.map((v) => v.slug)).size !== roles.length)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Role slugs must be unique" });
-
-    if (new Set(roles.map((v) => v.name)).size !== roles.length)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Role names must be unique" });
-
-    roles.forEach((role) => {
-      if (isReservedRoleSlug(role.slug))
-        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Role slug "${role.slug}" is reserved` });
-
-      if (isReservedRoleName(role.name))
-        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Role name "${role.name}" is reserved` });
-    });
-  });
-
-const ProjectTemplateEnvironmentsSchema = z
-  .object({
-    name: z.string().trim().min(1),
-    slug: SlugSchema,
-    position: z.number().min(1)
-  })
-  .array()
-  .min(1)
-  .superRefine((environments, ctx) => {
-    if (Buffer.byteLength(JSON.stringify(environments)) > MAX_JSON_SIZE_LIMIT_IN_BYTES)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Size limit exceeded" });
-
-    if (new Set(environments.map((v) => v.name)).size !== environments.length)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Environment names must be unique" });
-
-    if (new Set(environments.map((v) => v.slug)).size !== environments.length)
-      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "Environment slugs must be unique" });
-
-    if (
-      environments.some((env) => env.position < 1 || env.position > environments.length) ||
-      new Set(environments.map((env) => env.position)).size !== environments.length
-    )
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        message: "One or more of the positions specified is invalid. Positions must be sequential starting from 1."
-      });
-  });
-
-export const registerProjectTemplateRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List project templates for the current organization.",
-      response: {
-        200: z.object({
-          projectTemplates: SanitizedProjectTemplateSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const projectTemplates = await server.services.projectTemplate.listProjectTemplatesByOrg(req.permission);
-
-      const auditTemplates = projectTemplates.filter((template) => !isInfisicalProjectTemplate(template.name));
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_PROJECT_TEMPLATES,
-          metadata: {
-            count: auditTemplates.length,
-            templateIds: auditTemplates.map((template) => template.id)
-          }
-        }
-      });
-
-      return { projectTemplates };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:templateId",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get a project template by ID.",
-      params: z.object({
-        templateId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          projectTemplate: SanitizedProjectTemplateSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const projectTemplate = await server.services.projectTemplate.findProjectTemplateById(
-        req.params.templateId,
-        req.permission
-      );
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.GET_PROJECT_TEMPLATE,
-          metadata: {
-            templateId: req.params.templateId
-          }
-        }
-      });
-
-      return { projectTemplate };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Create a project template.",
-      body: z.object({
-        name: SlugSchema.refine((val) => !isInfisicalProjectTemplate(val), {
-          message: `The requested project template name is reserved.`
-        }).describe(ProjectTemplates.CREATE.name),
-        description: z.string().max(256).trim().optional().describe(ProjectTemplates.CREATE.description),
-        roles: ProjectTemplateRolesSchema.default([]).describe(ProjectTemplates.CREATE.roles),
-        environments: ProjectTemplateEnvironmentsSchema.default(ProjectTemplateDefaultEnvironments).describe(
-          ProjectTemplates.CREATE.environments
-        )
-      }),
-      response: {
-        200: z.object({
-          projectTemplate: SanitizedProjectTemplateSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const projectTemplate = await server.services.projectTemplate.createProjectTemplate(req.body, req.permission);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.CREATE_PROJECT_TEMPLATE,
-          metadata: req.body
-        }
-      });
-
-      return { projectTemplate };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:templateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Update a project template.",
-      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.UPDATE.templateId) }),
-      body: z.object({
-        name: SlugSchema.refine((val) => !isInfisicalProjectTemplate(val), {
-          message: `The requested project template name is reserved.`
-        })
-          .optional()
-          .describe(ProjectTemplates.UPDATE.name),
-        description: z.string().max(256).trim().optional().describe(ProjectTemplates.UPDATE.description),
-        roles: ProjectTemplateRolesSchema.optional().describe(ProjectTemplates.UPDATE.roles),
-        environments: ProjectTemplateEnvironmentsSchema.optional().describe(ProjectTemplates.UPDATE.environments)
-      }),
-      response: {
-        200: z.object({
-          projectTemplate: SanitizedProjectTemplateSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const projectTemplate = await server.services.projectTemplate.updateProjectTemplateById(
-        req.params.templateId,
-        req.body,
-        req.permission
-      );
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.UPDATE_PROJECT_TEMPLATE,
-          metadata: {
-            templateId: req.params.templateId,
-            ...req.body
-          }
-        }
-      });
-
-      return { projectTemplate };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:templateId",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Delete a project template.",
-      params: z.object({ templateId: z.string().uuid().describe(ProjectTemplates.DELETE.templateId) }),
-
-      response: {
-        200: z.object({
-          projectTemplate: SanitizedProjectTemplateSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const projectTemplate = await server.services.projectTemplate.deleteProjectTemplateById(
-        req.params.templateId,
-        req.permission
-      );
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: req.permission.orgId,
-        event: {
-          type: EventType.DELETE_PROJECT_TEMPLATE,
-          metadata: {
-            templateId: req.params.templateId
-          }
-        }
-      });
-
-      return { projectTemplate };
-    }
-  });
-};

backend/src/ee/routes/v2/project-role-router.ts

@@ -186,7 +186,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          roles: ProjectRolesSchema.omit({ permissions: true, version: true }).array()
+          roles: ProjectRolesSchema.omit({ permissions: true }).array()
         })
       }
     },
@@ -219,7 +219,7 @@ export const registerProjectRoleRouter = async (server: FastifyZodProvider) => {
       }),
       response: {
         200: z.object({
-          role: SanitizedRoleSchema.omit({ version: true })
+          role: SanitizedRoleSchema
         })
       }
     },

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,7 +1,3 @@
-import {
-  TCreateProjectTemplateDTO,
-  TUpdateProjectTemplateDTO
-} from "@app/ee/services/project-template/project-template-types";
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { TProjectPermission } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
@@ -196,13 +192,7 @@ export enum EventType {
   CMEK_ENCRYPT = "cmek-encrypt",
   CMEK_DECRYPT = "cmek-decrypt",
   UPDATE_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "update-external-group-org-role-mapping",
-  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping",
-  GET_PROJECT_TEMPLATES = "get-project-templates",
-  GET_PROJECT_TEMPLATE = "get-project-template",
-  CREATE_PROJECT_TEMPLATE = "create-project-template",
-  UPDATE_PROJECT_TEMPLATE = "update-project-template",
-  DELETE_PROJECT_TEMPLATE = "delete-project-template",
-  APPLY_PROJECT_TEMPLATE = "apply-project-template"
+  GET_EXTERNAL_GROUP_ORG_ROLE_MAPPINGS = "get-external-group-org-role-mapping"
 }
 
 interface UserActorMetadata {
@@ -1628,46 +1618,6 @@ interface UpdateExternalGroupOrgRoleMappingsEvent {
   };
 }
 
-interface GetProjectTemplatesEvent {
-  type: EventType.GET_PROJECT_TEMPLATES;
-  metadata: {
-    count: number;
-    templateIds: string[];
-  };
-}
-
-interface GetProjectTemplateEvent {
-  type: EventType.GET_PROJECT_TEMPLATE;
-  metadata: {
-    templateId: string;
-  };
-}
-
-interface CreateProjectTemplateEvent {
-  type: EventType.CREATE_PROJECT_TEMPLATE;
-  metadata: TCreateProjectTemplateDTO;
-}
-
-interface UpdateProjectTemplateEvent {
-  type: EventType.UPDATE_PROJECT_TEMPLATE;
-  metadata: TUpdateProjectTemplateDTO & { templateId: string };
-}
-
-interface DeleteProjectTemplateEvent {
-  type: EventType.DELETE_PROJECT_TEMPLATE;
-  metadata: {
-    templateId: string;
-  };
-}
-
-interface ApplyProjectTemplateEvent {
-  type: EventType.APPLY_PROJECT_TEMPLATE;
-  metadata: {
-    template: string;
-    projectId: string;
-  };
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -1816,10 +1766,4 @@ export type Event =
   | CmekEncryptEvent
   | CmekDecryptEvent
   | GetExternalGroupOrgRoleMappingsEvent
-  | UpdateExternalGroupOrgRoleMappingsEvent
-  | GetProjectTemplatesEvent
-  | GetProjectTemplateEvent
-  | CreateProjectTemplateEvent
-  | UpdateProjectTemplateEvent
-  | DeleteProjectTemplateEvent
-  | ApplyProjectTemplateEvent;
+  | UpdateExternalGroupOrgRoleMappingsEvent;

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -171,29 +171,27 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    if (!estConfig.disableBootstrapCertValidation) {
-      const caCerts = estConfig.caChain
-        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
-        ?.map((cert) => {
-          return new x509.X509Certificate(cert);
-        });
+    const caCerts = estConfig.caChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => {
+        return new x509.X509Certificate(cert);
+      });
 
-      if (!caCerts) {
-        throw new BadRequestError({ message: "Failed to parse certificate chain" });
-      }
+    if (!caCerts) {
+      throw new BadRequestError({ message: "Failed to parse certificate chain" });
+    }
 
-      const leafCertificate = decodeURIComponent(sslClientCert).match(
-        /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
-      )?.[0];
+    const leafCertificate = decodeURIComponent(sslClientCert).match(
+      /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g
+    )?.[0];
 
-      if (!leafCertificate) {
-        throw new BadRequestError({ message: "Missing client certificate" });
-      }
+    if (!leafCertificate) {
+      throw new BadRequestError({ message: "Missing client certificate" });
+    }
 
-      const certObj = new x509.X509Certificate(leafCertificate);
-      if (!(await isCertChainValid([certObj, ...caCerts]))) {
-        throw new BadRequestError({ message: "Invalid certificate chain" });
-      }
+    const certObj = new x509.X509Certificate(leafCertificate);
+    if (!(await isCertChainValid([certObj, ...caCerts]))) {
+      throw new BadRequestError({ message: "Invalid certificate chain" });
     }
 
     const { certificate } = await certificateAuthorityService.signCertFromCa({

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -9,7 +9,7 @@ import {
 } from "@app/ee/services/permission/project-permission";
 import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
+import { OrderByDirection, ProjectServiceActor } from "@app/lib/types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 
@@ -457,7 +457,7 @@ export const dynamicSecretServiceFactory = ({
 
   const listDynamicSecretsByFolderIds = async (
     { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
-    actor: OrgServiceActor
+    actor: ProjectServiceActor
   ) => {
     const { permission } = await permissionService.getProjectPermission(
       actor.type,

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -7,7 +7,7 @@ import { z } from "zod";
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { LdapCredentialType, LdapSchema, TDynamicProviderFns } from "./models";
+import { LdapSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = () => {
   const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
@@ -193,76 +193,29 @@ export const LdapProvider = (): TDynamicProviderFns => {
     const providerInputs = await validateProviderInputs(inputs);
     const client = await getClient(providerInputs);
 
-    if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
+    const username = generateUsername();
+    const password = generatePassword();
+    const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
 
-      if (dnMatch) {
-        const username = dnMatch[1];
-        const password = generatePassword();
+    try {
+      const dnArray = await executeLdif(client, generatedLdif);
 
-        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });
-
-        try {
-          const dnArray = await executeLdif(client, generatedLdif);
-
-          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
-        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
-        }
-      } else {
-        throw new BadRequestError({
-          message: "Invalid rotation LDIF, missing DN."
-        });
-      }
-    } else {
-      const username = generateUsername();
-      const password = generatePassword();
-      const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
-
-      try {
-        const dnArray = await executeLdif(client, generatedLdif);
-
-        return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
-      } catch (err) {
-        if (providerInputs.rollbackLdif) {
-          const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
-          await executeLdif(client, rollbackLdif);
-        }
-        throw new BadRequestError({ message: (err as Error).message });
+      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+    } catch (err) {
+      if (providerInputs.rollbackLdif) {
+        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
+        await executeLdif(client, rollbackLdif);
       }
+      throw new BadRequestError({ message: (err as Error).message });
     }
   };
 
   const revoke = async (inputs: unknown, entityId: string) => {
     const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    if (providerInputs.credentialType === LdapCredentialType.Static) {
-      const dnMatch = providerInputs.rotationLdif.match(/^dn:\s*(.+)/m);
-
-      if (dnMatch) {
-        const username = dnMatch[1];
-        const password = generatePassword();
-
-        const generatedLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rotationLdif });
-
-        try {
-          const dnArray = await executeLdif(client, generatedLdif);
-
-          return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
-        } catch (err) {
-          throw new BadRequestError({ message: (err as Error).message });
-        }
-      } else {
-        throw new BadRequestError({
-          message: "Invalid rotation LDIF, missing DN."
-        });
-      }
-    }
-
+    const connection = await getClient(providerInputs);
     const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
 
-    await executeLdif(client, revocationLdif);
+    await executeLdif(connection, revocationLdif);
 
     return { entityId };
   };

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -12,11 +12,6 @@ export enum ElasticSearchAuthTypes {
   ApiKey = "api-key"
 }
 
-export enum LdapCredentialType {
-  Dynamic = "dynamic",
-  Static = "static"
-}
-
 export const DynamicSecretRedisDBSchema = z.object({
   host: z.string().trim().toLowerCase(),
   port: z.number(),
@@ -200,26 +195,16 @@ export const AzureEntraIDSchema = z.object({
   clientSecret: z.string().trim().min(1)
 });
 
-export const LdapSchema = z.union([
-  z.object({
-    url: z.string().trim().min(1),
-    binddn: z.string().trim().min(1),
-    bindpass: z.string().trim().min(1),
-    ca: z.string().optional(),
-    credentialType: z.literal(LdapCredentialType.Dynamic).optional().default(LdapCredentialType.Dynamic),
-    creationLdif: z.string().min(1),
-    revocationLdif: z.string().min(1),
-    rollbackLdif: z.string().optional()
-  }),
-  z.object({
-    url: z.string().trim().min(1),
-    binddn: z.string().trim().min(1),
-    bindpass: z.string().trim().min(1),
-    ca: z.string().optional(),
-    credentialType: z.literal(LdapCredentialType.Static),
-    rotationLdif: z.string().min(1)
-  })
-]);
+export const LdapSchema = z.object({
+  url: z.string().trim().min(1),
+  binddn: z.string().trim().min(1),
+  bindpass: z.string().trim().min(1),
+  ca: z.string().optional(),
+
+  creationLdif: z.string().min(1),
+  revocationLdif: z.string().min(1),
+  rollbackLdif: z.string().optional()
+});
 
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",

backend/src/ee/services/group/group-service.ts

@@ -123,7 +123,7 @@ export const groupServiceFactory = ({
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.groups)
       throw new BadRequestError({
-        message: "Failed to update group due to plan restriction Upgrade plan to update group."
+        message: "Failed to update group due to plan restrictio Upgrade plan to update group."
       });
 
     const group = await groupDAL.findOne({ orgId: actorOrgId, id });

backend/src/ee/services/hsm/hsm-fns.ts

@@ -1,58 +0,0 @@
-import * as pkcs11js from "pkcs11js";
-
-import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
-
-import { HsmModule } from "./hsm-types";
-
-export const initializeHsmModule = () => {
-  const appCfg = getConfig();
-
-  // Create a new instance of PKCS11 module
-  const pkcs11 = new pkcs11js.PKCS11();
-  let isInitialized = false;
-
-  const initialize = () => {
-    if (!appCfg.isHsmConfigured) {
-      return;
-    }
-
-    try {
-      // Load the PKCS#11 module
-      pkcs11.load(appCfg.HSM_LIB_PATH!);
-
-      // Initialize the module
-      pkcs11.C_Initialize();
-      isInitialized = true;
-
-      logger.info("PKCS#11 module initialized");
-    } catch (err) {
-      logger.error("Failed to initialize PKCS#11 module:", err);
-      throw err;
-    }
-  };
-
-  const finalize = () => {
-    if (isInitialized) {
-      try {
-        pkcs11.C_Finalize();
-        isInitialized = false;
-        logger.info("PKCS#11 module finalized");
-      } catch (err) {
-        logger.error("Failed to finalize PKCS#11 module:", err);
-        throw err;
-      }
-    }
-  };
-
-  const getModule = (): HsmModule => ({
-    pkcs11,
-    isInitialized
-  });
-
-  return {
-    initialize,
-    finalize,
-    getModule
-  };
-};

backend/src/ee/services/hsm/hsm-service.ts

@@ -1,470 +0,0 @@
-import pkcs11js from "pkcs11js";
-
-import { getConfig } from "@app/lib/config/env";
-import { logger } from "@app/lib/logger";
-
-import { HsmKeyType, HsmModule } from "./hsm-types";
-
-type THsmServiceFactoryDep = {
-  hsmModule: HsmModule;
-};
-
-export type THsmServiceFactory = ReturnType<typeof hsmServiceFactory>;
-
-type SyncOrAsync<T> = T | Promise<T>;
-type SessionCallback<T> = (session: pkcs11js.Handle) => SyncOrAsync<T>;
-
-// eslint-disable-next-line no-empty-pattern
-export const hsmServiceFactory = ({ hsmModule: { isInitialized, pkcs11 } }: THsmServiceFactoryDep) => {
-  const appCfg = getConfig();
-
-  // Constants for buffer structures
-  const IV_LENGTH = 16; // Luna HSM typically expects 16-byte IV for cbc
-  const BLOCK_SIZE = 16;
-  const HMAC_SIZE = 32;
-
-  const AES_KEY_SIZE = 256;
-  const HMAC_KEY_SIZE = 256;
-
-  const $withSession = async <T>(callbackWithSession: SessionCallback<T>): Promise<T> => {
-    const RETRY_INTERVAL = 200; // 200ms between attempts
-    const MAX_TIMEOUT = 90_000; // 90 seconds maximum total time
-
-    let sessionHandle: pkcs11js.Handle | null = null;
-
-    const removeSession = () => {
-      if (sessionHandle !== null) {
-        try {
-          pkcs11.C_Logout(sessionHandle);
-          pkcs11.C_CloseSession(sessionHandle);
-          logger.info("HSM: Terminated session successfully");
-        } catch (error) {
-          logger.error(error, "HSM: Failed to terminate session");
-        } finally {
-          sessionHandle = null;
-        }
-      }
-    };
-
-    try {
-      if (!pkcs11 || !isInitialized) {
-        throw new Error("PKCS#11 module is not initialized");
-      }
-
-      // Get slot list
-      let slots: pkcs11js.Handle[];
-      try {
-        slots = pkcs11.C_GetSlotList(false); // false to get all slots
-      } catch (error) {
-        throw new Error(`Failed to get slot list: ${(error as Error)?.message}`);
-      }
-
-      if (slots.length === 0) {
-        throw new Error("No slots available");
-      }
-
-      if (appCfg.HSM_SLOT >= slots.length) {
-        throw new Error(`HSM slot ${appCfg.HSM_SLOT} not found or not initialized`);
-      }
-
-      const slotId = slots[appCfg.HSM_SLOT];
-
-      const startTime = Date.now();
-      while (Date.now() - startTime < MAX_TIMEOUT) {
-        try {
-          // Open session
-          // eslint-disable-next-line no-bitwise
-          sessionHandle = pkcs11.C_OpenSession(slotId, pkcs11js.CKF_SERIAL_SESSION | pkcs11js.CKF_RW_SESSION);
-
-          // Login
-          try {
-            pkcs11.C_Login(sessionHandle, pkcs11js.CKU_USER, appCfg.HSM_PIN);
-            logger.info("HSM: Successfully authenticated");
-            break;
-          } catch (error) {
-            // Handle specific error cases
-            if (error instanceof pkcs11js.Pkcs11Error) {
-              if (error.code === pkcs11js.CKR_PIN_INCORRECT) {
-                // We throw instantly here to prevent further attempts, because if too many attempts are made, the HSM will potentially wipe all key material
-                logger.error(error, `HSM: Incorrect PIN detected for HSM slot ${appCfg.HSM_SLOT}`);
-                throw new Error("HSM: Incorrect HSM Pin detected. Please check the HSM configuration.");
-              }
-              if (error.code === pkcs11js.CKR_USER_ALREADY_LOGGED_IN) {
-                logger.warn("HSM: Session already logged in");
-              }
-            }
-            throw error; // Re-throw other errors
-          }
-        } catch (error) {
-          logger.warn(`HSM: Session creation failed. Retrying... Error: ${(error as Error)?.message}`);
-
-          if (sessionHandle !== null) {
-            try {
-              pkcs11.C_CloseSession(sessionHandle);
-            } catch (closeError) {
-              logger.error(closeError, "HSM: Failed to close session");
-            }
-            sessionHandle = null;
-          }
-
-          // Wait before retrying
-          // eslint-disable-next-line no-await-in-loop
-          await new Promise((resolve) => {
-            setTimeout(resolve, RETRY_INTERVAL);
-          });
-        }
-      }
-
-      if (sessionHandle === null) {
-        throw new Error("HSM: Failed to open session after maximum retries");
-      }
-
-      // Execute callback with session handle
-      const result = await callbackWithSession(sessionHandle);
-      removeSession();
-      return result;
-    } catch (error) {
-      logger.error(error, "HSM: Failed to open session");
-      throw error;
-    } finally {
-      // Ensure cleanup
-      removeSession();
-    }
-  };
-
-  const $findKey = (sessionHandle: pkcs11js.Handle, type: HsmKeyType) => {
-    const label = type === HsmKeyType.HMAC ? `${appCfg.HSM_KEY_LABEL}_HMAC` : appCfg.HSM_KEY_LABEL;
-    const keyType = type === HsmKeyType.HMAC ? pkcs11js.CKK_GENERIC_SECRET : pkcs11js.CKK_AES;
-
-    const template = [
-      { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
-      { type: pkcs11js.CKA_KEY_TYPE, value: keyType },
-      { type: pkcs11js.CKA_LABEL, value: label }
-    ];
-
-    try {
-      // Initialize search
-      pkcs11.C_FindObjectsInit(sessionHandle, template);
-
-      try {
-        // Find first matching object
-        const handles = pkcs11.C_FindObjects(sessionHandle, 1);
-
-        if (handles.length === 0) {
-          throw new Error("Failed to find master key");
-        }
-
-        return handles[0]; // Return the key handle
-      } finally {
-        // Always finalize the search operation
-        pkcs11.C_FindObjectsFinal(sessionHandle);
-      }
-    } catch (error) {
-      return null;
-    }
-  };
-
-  const $keyExists = (session: pkcs11js.Handle, type: HsmKeyType): boolean => {
-    try {
-      const key = $findKey(session, type);
-      // items(0) will throw an error if no items are found
-      // Return true only if we got a valid object with handle
-      return !!key && key.length > 0;
-    } catch (error) {
-      // If items(0) throws, it means no key was found
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-call
-      logger.error(error, "HSM: Failed while checking for HSM key presence");
-
-      if (error instanceof pkcs11js.Pkcs11Error) {
-        if (error.code === pkcs11js.CKR_OBJECT_HANDLE_INVALID) {
-          return false;
-        }
-      }
-
-      return false;
-    }
-  };
-
-  const encrypt: {
-    (data: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
-    (data: Buffer): Promise<Buffer>;
-  } = async (data: Buffer, providedSession?: pkcs11js.Handle) => {
-    if (!pkcs11 || !isInitialized) {
-      throw new Error("PKCS#11 module is not initialized");
-    }
-
-    const $performEncryption = (sessionHandle: pkcs11js.Handle) => {
-      try {
-        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
-        if (!aesKey) {
-          throw new Error("HSM: Encryption failed, AES key not found");
-        }
-
-        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
-        if (!hmacKey) {
-          throw new Error("HSM: Encryption failed, HMAC key not found");
-        }
-
-        const iv = Buffer.alloc(IV_LENGTH);
-        pkcs11.C_GenerateRandom(sessionHandle, iv);
-
-        const encryptMechanism = {
-          mechanism: pkcs11js.CKM_AES_CBC_PAD,
-          parameter: iv
-        };
-
-        pkcs11.C_EncryptInit(sessionHandle, encryptMechanism, aesKey);
-
-        // Calculate max buffer size (input length + potential full block of padding)
-        const maxEncryptedLength = Math.ceil(data.length / BLOCK_SIZE) * BLOCK_SIZE + BLOCK_SIZE;
-
-        // Encrypt the data - this returns the encrypted data directly
-        const encryptedData = pkcs11.C_Encrypt(sessionHandle, data, Buffer.alloc(maxEncryptedLength));
-
-        // Initialize HMAC
-        const hmacMechanism = {
-          mechanism: pkcs11js.CKM_SHA256_HMAC
-        };
-
-        pkcs11.C_SignInit(sessionHandle, hmacMechanism, hmacKey);
-
-        // Sign the IV and encrypted data
-        pkcs11.C_SignUpdate(sessionHandle, iv);
-        pkcs11.C_SignUpdate(sessionHandle, encryptedData);
-
-        // Get the HMAC
-        const hmac = Buffer.alloc(HMAC_SIZE);
-        pkcs11.C_SignFinal(sessionHandle, hmac);
-
-        // Combine encrypted data and HMAC [Encrypted Data | HMAC]
-        const finalBuffer = Buffer.alloc(encryptedData.length + hmac.length);
-        encryptedData.copy(finalBuffer);
-        hmac.copy(finalBuffer, encryptedData.length);
-
-        return Buffer.concat([iv, finalBuffer]);
-      } catch (error) {
-        logger.error(error, "HSM: Failed to perform encryption");
-        throw new Error(`HSM: Encryption failed: ${(error as Error)?.message}`);
-      }
-    };
-
-    if (providedSession) {
-      return $performEncryption(providedSession);
-    }
-
-    const result = await $withSession($performEncryption);
-    return result;
-  };
-
-  const decrypt: {
-    (encryptedBlob: Buffer, providedSession: pkcs11js.Handle): Promise<Buffer>;
-    (encryptedBlob: Buffer): Promise<Buffer>;
-  } = async (encryptedBlob: Buffer, providedSession?: pkcs11js.Handle) => {
-    if (!pkcs11 || !isInitialized) {
-      throw new Error("PKCS#11 module is not initialized");
-    }
-
-    const $performDecryption = (sessionHandle: pkcs11js.Handle) => {
-      try {
-        // structure is: [IV (16 bytes) | Encrypted Data (N bytes) | HMAC (32 bytes)]
-        const iv = encryptedBlob.subarray(0, IV_LENGTH);
-        const encryptedDataWithHmac = encryptedBlob.subarray(IV_LENGTH);
-
-        // Split encrypted data and HMAC
-        const hmac = encryptedDataWithHmac.subarray(-HMAC_SIZE); // Last 32 bytes are HMAC
-
-        const encryptedData = encryptedDataWithHmac.subarray(0, -HMAC_SIZE); // Everything except last 32 bytes
-
-        // Find the keys
-        const aesKey = $findKey(sessionHandle, HsmKeyType.AES);
-        if (!aesKey) {
-          throw new Error("HSM: Decryption failed, AES key not found");
-        }
-
-        const hmacKey = $findKey(sessionHandle, HsmKeyType.HMAC);
-        if (!hmacKey) {
-          throw new Error("HSM: Decryption failed, HMAC key not found");
-        }
-
-        // Verify HMAC first
-        const hmacMechanism = {
-          mechanism: pkcs11js.CKM_SHA256_HMAC
-        };
-
-        pkcs11.C_VerifyInit(sessionHandle, hmacMechanism, hmacKey);
-        pkcs11.C_VerifyUpdate(sessionHandle, iv);
-        pkcs11.C_VerifyUpdate(sessionHandle, encryptedData);
-
-        try {
-          pkcs11.C_VerifyFinal(sessionHandle, hmac);
-        } catch (error) {
-          logger.error(error, "HSM: HMAC verification failed");
-          throw new Error("HSM: Decryption failed"); // Generic error for failed verification
-        }
-
-        // Only decrypt if verification passed
-        const decryptMechanism = {
-          mechanism: pkcs11js.CKM_AES_CBC_PAD,
-          parameter: iv
-        };
-
-        pkcs11.C_DecryptInit(sessionHandle, decryptMechanism, aesKey);
-
-        const tempBuffer = Buffer.alloc(encryptedData.length);
-        const decryptedData = pkcs11.C_Decrypt(sessionHandle, encryptedData, tempBuffer);
-
-        // Create a new buffer from the decrypted data
-        return Buffer.from(decryptedData);
-      } catch (error) {
-        logger.error(error, "HSM: Failed to perform decryption");
-        throw new Error("HSM: Decryption failed"); // Generic error for failed decryption, to avoid leaking details about why it failed (such as padding related errors)
-      }
-    };
-
-    if (providedSession) {
-      return $performDecryption(providedSession);
-    }
-
-    const result = await $withSession($performDecryption);
-    return result;
-  };
-
-  // We test the core functionality of the PKCS#11 module that we are using throughout Infisical. This is to ensure that the user doesn't configure a faulty or unsupported HSM device.
-  const $testPkcs11Module = async (session: pkcs11js.Handle) => {
-    try {
-      if (!pkcs11 || !isInitialized) {
-        throw new Error("PKCS#11 module is not initialized");
-      }
-
-      if (!session) {
-        throw new Error("HSM: Attempted to run test without a valid session");
-      }
-
-      const randomData = pkcs11.C_GenerateRandom(session, Buffer.alloc(500));
-
-      const encryptedData = await encrypt(randomData, session);
-      const decryptedData = await decrypt(encryptedData, session);
-
-      const randomDataHex = randomData.toString("hex");
-      const decryptedDataHex = decryptedData.toString("hex");
-
-      if (randomDataHex !== decryptedDataHex && Buffer.compare(randomData, decryptedData)) {
-        throw new Error("HSM: Startup test failed. Decrypted data does not match original data");
-      }
-
-      return true;
-    } catch (error) {
-      logger.error(error, "HSM: Error testing PKCS#11 module");
-      return false;
-    }
-  };
-
-  const isActive = async () => {
-    if (!isInitialized || !appCfg.isHsmConfigured) {
-      return false;
-    }
-
-    let pkcs11TestPassed = false;
-
-    try {
-      pkcs11TestPassed = await $withSession($testPkcs11Module);
-    } catch (err) {
-      logger.error(err, "HSM: Error testing PKCS#11 module");
-    }
-
-    return appCfg.isHsmConfigured && isInitialized && pkcs11TestPassed;
-  };
-
-  const startService = async () => {
-    if (!appCfg.isHsmConfigured || !pkcs11 || !isInitialized) return;
-
-    try {
-      await $withSession(async (sessionHandle) => {
-        // Check if master key exists, create if not
-
-        const genericAttributes = [
-          { type: pkcs11js.CKA_TOKEN, value: true }, // Persistent storage
-          { type: pkcs11js.CKA_EXTRACTABLE, value: false }, // Cannot be extracted
-          { type: pkcs11js.CKA_SENSITIVE, value: true }, // Sensitive value
-          { type: pkcs11js.CKA_PRIVATE, value: true } // Requires authentication
-        ];
-
-        if (!$keyExists(sessionHandle, HsmKeyType.AES)) {
-          // Template for generating 256-bit AES master key
-          const keyTemplate = [
-            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
-            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_AES },
-            { type: pkcs11js.CKA_VALUE_LEN, value: AES_KEY_SIZE / 8 },
-            { type: pkcs11js.CKA_LABEL, value: appCfg.HSM_KEY_LABEL! },
-            { type: pkcs11js.CKA_ENCRYPT, value: true }, // Allow encryption
-            { type: pkcs11js.CKA_DECRYPT, value: true }, // Allow decryption
-            ...genericAttributes
-          ];
-
-          // Generate the key
-          pkcs11.C_GenerateKey(
-            sessionHandle,
-            {
-              mechanism: pkcs11js.CKM_AES_KEY_GEN
-            },
-            keyTemplate
-          );
-
-          logger.info(`HSM: Master key created successfully with label: ${appCfg.HSM_KEY_LABEL}`);
-        }
-
-        // Check if HMAC key exists, create if not
-        if (!$keyExists(sessionHandle, HsmKeyType.HMAC)) {
-          const hmacKeyTemplate = [
-            { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_SECRET_KEY },
-            { type: pkcs11js.CKA_KEY_TYPE, value: pkcs11js.CKK_GENERIC_SECRET },
-            { type: pkcs11js.CKA_VALUE_LEN, value: HMAC_KEY_SIZE / 8 }, // 256-bit key
-            { type: pkcs11js.CKA_LABEL, value: `${appCfg.HSM_KEY_LABEL!}_HMAC` },
-            { type: pkcs11js.CKA_SIGN, value: true }, // Allow signing
-            { type: pkcs11js.CKA_VERIFY, value: true }, // Allow verification
-            ...genericAttributes
-          ];
-
-          // Generate the HMAC key
-          pkcs11.C_GenerateKey(
-            sessionHandle,
-            {
-              mechanism: pkcs11js.CKM_GENERIC_SECRET_KEY_GEN
-            },
-            hmacKeyTemplate
-          );
-
-          logger.info(`HSM: HMAC key created successfully with label: ${appCfg.HSM_KEY_LABEL}_HMAC`);
-        }
-
-        // Get slot info to check supported mechanisms
-        const slotId = pkcs11.C_GetSessionInfo(sessionHandle).slotID;
-        const mechanisms = pkcs11.C_GetMechanismList(slotId);
-
-        // Check for AES CBC PAD support
-        const hasAesCbc = mechanisms.includes(pkcs11js.CKM_AES_CBC_PAD);
-
-        if (!hasAesCbc) {
-          throw new Error(`Required mechanism CKM_AEC_CBC_PAD not supported by HSM`);
-        }
-
-        // Run test encryption/decryption
-        const testPassed = await $testPkcs11Module(sessionHandle);
-
-        if (!testPassed) {
-          throw new Error("PKCS#11 module test failed. Please ensure that the HSM is correctly configured.");
-        }
-      });
-    } catch (error) {
-      logger.error(error, "HSM: Error initializing HSM service:");
-      throw error;
-    }
-  };
-
-  return {
-    encrypt,
-    startService,
-    isActive,
-    decrypt
-  };
-};

backend/src/ee/services/hsm/hsm-types.ts

@@ -1,11 +0,0 @@
-import pkcs11js from "pkcs11js";
-
-export type HsmModule = {
-  pkcs11: pkcs11js.PKCS11;
-  isInitialized: boolean;
-};
-
-export enum HsmKeyType {
-  AES = "AES",
-  HMAC = "hmac"
-}

backend/src/ee/services/license/license-fns.ts

@@ -29,7 +29,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   auditLogStreams: false,
   auditLogStreamLimit: 3,
   samlSSO: false,
-  hsm: false,
   oidcSSO: false,
   scim: false,
   ldap: false,
@@ -48,8 +47,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
     secretsLimit: 40
   },
   pkiEst: false,
-  enforceMfa: false,
-  projectTemplates: false
+  enforceMfa: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -46,7 +46,6 @@ export type TFeatureSet = {
   auditLogStreams: false;
   auditLogStreamLimit: 3;
   samlSSO: false;
-  hsm: false;
   oidcSSO: false;
   scim: false;
   ldap: false;
@@ -66,7 +65,6 @@ export type TFeatureSet = {
   };
   pkiEst: boolean;
   enforceMfa: boolean;
-  projectTemplates: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -17,7 +17,7 @@ import {
   infisicalSymmetricDecrypt,
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@@ -56,7 +56,7 @@ type TOidcConfigServiceFactoryDep = {
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
   tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
-  smtpService: Pick<TSmtpService, "sendMail">;
+  smtpService: Pick<TSmtpService, "sendMail" | "verify">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "update" | "create">;
 };
@@ -223,6 +223,7 @@ export const oidcConfigServiceFactory = ({
         let newUser: TUsers | undefined;
 
         if (serverCfg.trustOidcEmails) {
+          // we prioritize getting the most complete user to create the new alias under
           newUser = await userDAL.findOne(
             {
               email,
@@ -230,6 +231,23 @@ export const oidcConfigServiceFactory = ({
             },
             tx
           );
+
+          if (!newUser) {
+            // this fetches user entries created via invites
+            newUser = await userDAL.findOne(
+              {
+                username: email
+              },
+              tx
+            );
+
+            if (newUser && !newUser.isEmailVerified) {
+              // we automatically mark it as email-verified because we've configured trust for OIDC emails
+              newUser = await userDAL.updateById(newUser.id, {
+                isEmailVerified: true
+              });
+            }
+          }
         }
 
         if (!newUser) {
@@ -332,14 +350,20 @@ export const oidcConfigServiceFactory = ({
         userId: user.id
       });
 
-      await smtpService.sendMail({
-        template: SmtpTemplates.EmailVerification,
-        subjectLine: "Infisical confirmation code",
-        recipients: [user.email],
-        substitutions: {
-          code: token
-        }
-      });
+      await smtpService
+        .sendMail({
+          template: SmtpTemplates.EmailVerification,
+          subjectLine: "Infisical confirmation code",
+          recipients: [user.email],
+          substitutions: {
+            code: token
+          }
+        })
+        .catch((err: Error) => {
+          throw new OidcAuthError({
+            message: `Error sending email confirmation code for user registration - contact the Infisical instance admin. ${err.message}`
+          });
+        });
     }
 
     return { isUserCompleted, providerAuthToken };
@@ -395,6 +419,18 @@ export const oidcConfigServiceFactory = ({
         message: `Organization bot for organization with ID '${org.id}' not found`,
         name: "OrgBotNotFound"
       });
+
+    const serverCfg = await getServerCfg();
+    if (isActive && !serverCfg.trustOidcEmails) {
+      const isSmtpConnected = await smtpService.verify();
+      if (!isSmtpConnected) {
+        throw new BadRequestError({
+          message:
+            "Cannot enable OIDC when there are issues with the instance's SMTP configuration. Bypass this by turning on trust for OIDC emails in the server admin console."
+        });
+      }
+    }
+
     const key = infisicalSymmetricDecrypt({
       ciphertext: orgBot.encryptedSymmetricKey,
       iv: orgBot.symmetricKeyIV,

backend/src/ee/services/permission/org-permission.ts

@@ -26,8 +26,7 @@ export enum OrgPermissionSubjects {
   Identity = "identity",
   Kms = "kms",
   AdminConsole = "organization-admin-console",
-  AuditLogs = "audit-logs",
-  ProjectTemplates = "project-templates"
+  AuditLogs = "audit-logs"
 }
 
 export type OrgPermissionSet =
@@ -46,7 +45,6 @@ export type OrgPermissionSet =
   | [OrgPermissionActions, OrgPermissionSubjects.Identity]
   | [OrgPermissionActions, OrgPermissionSubjects.Kms]
   | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
-  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
   | [OrgPermissionAdminConsoleAction, OrgPermissionSubjects.AdminConsole];
 
 const buildAdminPermission = () => {
@@ -120,11 +118,6 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
 
-  can(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
-
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
   return rules;

backend/src/ee/services/permission/permission-fns.ts

@@ -29,18 +29,4 @@ function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrg
   }
 }
 
-const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
-  const handler = {
-    get(target: Record<string, string>, prop: string) {
-      if (!(prop in target)) {
-        // eslint-disable-next-line no-param-reassign
-        target[prop] = `{{identity.metadata.${prop}}}`; // Add missing key as an "own" property
-      }
-      return target[prop];
-    }
-  };
-
-  return new Proxy(obj, handler);
-};
-
-export { escapeHandlebarsMissingMetadata, isAuthMethodSaml, validateOrgSSO };
+export { isAuthMethodSaml, validateOrgSSO };

backend/src/ee/services/permission/permission-service.ts

@@ -21,7 +21,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
+import { validateOrgSSO } from "./permission-fns";
 import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
   buildServiceTokenProjectPermission,
@@ -227,13 +227,11 @@ export const permissionServiceFactory = ({
       })) || [];
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-      objectify(
-        userProjectPermission.metadata,
-        (i) => i.key,
-        (i) => i.value
-      )
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
+    const metadataKeyValuePair = objectify(
+      userProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
     );
     const interpolateRules = templatedRules(
       {
@@ -294,15 +292,12 @@ export const permissionServiceFactory = ({
       })) || [];
 
     const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-      objectify(
-        identityProjectPermission.metadata,
-        (i) => i.key,
-        (i) => i.value
-      )
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
+    const metadataKeyValuePair = objectify(
+      identityProjectPermission.metadata,
+      (i) => i.key,
+      (i) => i.value
     );
-
     const interpolateRules = templatedRules(
       {
         identity: {

backend/src/ee/services/project-template/project-template-constants.ts

@@ -1,5 +0,0 @@
-export const ProjectTemplateDefaultEnvironments = [
-  { name: "Development", slug: "dev", position: 1 },
-  { name: "Staging", slug: "staging", position: 2 },
-  { name: "Production", slug: "prod", position: 3 }
-];

backend/src/ee/services/project-template/project-template-dal.ts

@@ -1,7 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectTemplateDALFactory = ReturnType<typeof projectTemplateDALFactory>;
-
-export const projectTemplateDALFactory = (db: TDbClient) => ormify(db, TableName.ProjectTemplates);

backend/src/ee/services/project-template/project-template-fns.ts

@@ -1,24 +0,0 @@
-import { ProjectTemplateDefaultEnvironments } from "@app/ee/services/project-template/project-template-constants";
-import {
-  InfisicalProjectTemplate,
-  TUnpackedPermission
-} from "@app/ee/services/project-template/project-template-types";
-import { getPredefinedRoles } from "@app/services/project-role/project-role-fns";
-
-export const getDefaultProjectTemplate = (orgId: string) => ({
-  id: "b11b49a9-09a9-4443-916a-4246f9ff2c69", // random ID to appease zod
-  name: InfisicalProjectTemplate.Default,
-  createdAt: new Date(),
-  updatedAt: new Date(),
-  description: "Infisical's default project template",
-  environments: ProjectTemplateDefaultEnvironments,
-  roles: [...getPredefinedRoles("project-template")].map(({ name, slug, permissions }) => ({
-    name,
-    slug,
-    permissions: permissions as TUnpackedPermission[]
-  })),
-  orgId
-});
-
-export const isInfisicalProjectTemplate = (template: string) =>
-  Object.values(InfisicalProjectTemplate).includes(template as InfisicalProjectTemplate);

backend/src/ee/services/project-template/project-template-service.ts

@@ -1,265 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import { packRules } from "@casl/ability/extra";
-
-import { TProjectTemplates } from "@app/db/schemas";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { getDefaultProjectTemplate } from "@app/ee/services/project-template/project-template-fns";
-import {
-  TCreateProjectTemplateDTO,
-  TProjectTemplateEnvironment,
-  TProjectTemplateRole,
-  TUnpackedPermission,
-  TUpdateProjectTemplateDTO
-} from "@app/ee/services/project-template/project-template-types";
-import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrgServiceActor } from "@app/lib/types";
-import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
-import { getPredefinedRoles } from "@app/services/project-role/project-role-fns";
-
-import { TProjectTemplateDALFactory } from "./project-template-dal";
-
-type TProjectTemplatesServiceFactoryDep = {
-  licenseService: TLicenseServiceFactory;
-  permissionService: TPermissionServiceFactory;
-  projectTemplateDAL: TProjectTemplateDALFactory;
-};
-
-export type TProjectTemplateServiceFactory = ReturnType<typeof projectTemplateServiceFactory>;
-
-const $unpackProjectTemplate = ({ roles, environments, ...rest }: TProjectTemplates) => ({
-  ...rest,
-  environments: environments as TProjectTemplateEnvironment[],
-  roles: [
-    ...getPredefinedRoles("project-template").map(({ name, slug, permissions }) => ({
-      name,
-      slug,
-      permissions: permissions as TUnpackedPermission[]
-    })),
-    ...(roles as TProjectTemplateRole[]).map((role) => ({
-      ...role,
-      permissions: unpackPermissions(role.permissions)
-    }))
-  ]
-});
-
-export const projectTemplateServiceFactory = ({
-  licenseService,
-  permissionService,
-  projectTemplateDAL
-}: TProjectTemplatesServiceFactoryDep) => {
-  const listProjectTemplatesByOrg = async (actor: OrgServiceActor) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to access project templates due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      actor.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
-
-    const projectTemplates = await projectTemplateDAL.find({
-      orgId: actor.orgId
-    });
-
-    return [
-      getDefaultProjectTemplate(actor.orgId),
-      ...projectTemplates.map((template) => $unpackProjectTemplate(template))
-    ];
-  };
-
-  const findProjectTemplateByName = async (name: string, actor: OrgServiceActor) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to access project template due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const projectTemplate = await projectTemplateDAL.findOne({ name, orgId: actor.orgId });
-
-    if (!projectTemplate) throw new NotFoundError({ message: `Could not find project template with Name "${name}"` });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      projectTemplate.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
-
-    return {
-      ...$unpackProjectTemplate(projectTemplate),
-      packedRoles: projectTemplate.roles as TProjectTemplateRole[] // preserve packed for when applying template
-    };
-  };
-
-  const findProjectTemplateById = async (id: string, actor: OrgServiceActor) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to access project template due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const projectTemplate = await projectTemplateDAL.findById(id);
-
-    if (!projectTemplate) throw new NotFoundError({ message: `Could not find project template with ID ${id}` });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      projectTemplate.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
-
-    return {
-      ...$unpackProjectTemplate(projectTemplate),
-      packedRoles: projectTemplate.roles as TProjectTemplateRole[] // preserve packed for when applying template
-    };
-  };
-
-  const createProjectTemplate = async (
-    { roles, environments, ...params }: TCreateProjectTemplateDTO,
-    actor: OrgServiceActor
-  ) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to create project template due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      actor.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
-
-    const isConflictingName = Boolean(
-      await projectTemplateDAL.findOne({
-        name: params.name,
-        orgId: actor.orgId
-      })
-    );
-
-    if (isConflictingName)
-      throw new BadRequestError({
-        message: `A project template with the name "${params.name}" already exists.`
-      });
-
-    const projectTemplate = await projectTemplateDAL.create({
-      ...params,
-      roles: JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) }))),
-      environments: JSON.stringify(environments),
-      orgId: actor.orgId
-    });
-
-    return $unpackProjectTemplate(projectTemplate);
-  };
-
-  const updateProjectTemplateById = async (
-    id: string,
-    { roles, environments, ...params }: TUpdateProjectTemplateDTO,
-    actor: OrgServiceActor
-  ) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to update project template due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const projectTemplate = await projectTemplateDAL.findById(id);
-
-    if (!projectTemplate) throw new NotFoundError({ message: `Could not find project template with ID ${id}` });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      projectTemplate.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
-
-    if (params.name && projectTemplate.name !== params.name) {
-      const isConflictingName = Boolean(
-        await projectTemplateDAL.findOne({
-          name: params.name,
-          orgId: projectTemplate.orgId
-        })
-      );
-
-      if (isConflictingName)
-        throw new BadRequestError({
-          message: `A project template with the name "${params.name}" already exists.`
-        });
-    }
-
-    const updatedProjectTemplate = await projectTemplateDAL.updateById(id, {
-      ...params,
-      roles: roles
-        ? JSON.stringify(roles.map((role) => ({ ...role, permissions: packRules(role.permissions) })))
-        : undefined,
-      environments: environments ? JSON.stringify(environments) : undefined
-    });
-
-    return $unpackProjectTemplate(updatedProjectTemplate);
-  };
-
-  const deleteProjectTemplateById = async (id: string, actor: OrgServiceActor) => {
-    const plan = await licenseService.getPlan(actor.orgId);
-
-    if (!plan.projectTemplates)
-      throw new BadRequestError({
-        message: "Failed to delete project template due to plan restriction. Upgrade plan to access project templates."
-      });
-
-    const projectTemplate = await projectTemplateDAL.findById(id);
-
-    if (!projectTemplate) throw new NotFoundError({ message: `Could not find project template with ID ${id}` });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor.type,
-      actor.id,
-      projectTemplate.orgId,
-      actor.authMethod,
-      actor.orgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
-
-    const deletedProjectTemplate = await projectTemplateDAL.deleteById(id);
-
-    return $unpackProjectTemplate(deletedProjectTemplate);
-  };
-
-  return {
-    listProjectTemplatesByOrg,
-    createProjectTemplate,
-    updateProjectTemplateById,
-    deleteProjectTemplateById,
-    findProjectTemplateById,
-    findProjectTemplateByName
-  };
-};

backend/src/ee/services/project-template/project-template-types.ts

@@ -1,28 +0,0 @@
-import { z } from "zod";
-
-import { TProjectEnvironments } from "@app/db/schemas";
-import { TProjectPermissionV2Schema } from "@app/ee/services/permission/project-permission";
-import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
-
-export type TProjectTemplateEnvironment = Pick<TProjectEnvironments, "name" | "slug" | "position">;
-
-export type TProjectTemplateRole = {
-  slug: string;
-  name: string;
-  permissions: TProjectPermissionV2Schema[];
-};
-
-export type TCreateProjectTemplateDTO = {
-  name: string;
-  description?: string;
-  roles: TProjectTemplateRole[];
-  environments: TProjectTemplateEnvironment[];
-};
-
-export type TUpdateProjectTemplateDTO = Partial<TCreateProjectTemplateDTO>;
-
-export type TUnpackedPermission = z.infer<typeof UnpackedPermissionSchema>;
-
-export enum InfisicalProjectTemplate {
-  Default = "default"
-}

backend/src/lib/api-docs/constants.ts

@@ -391,8 +391,7 @@ export const PROJECTS = {
   CREATE: {
     organizationSlug: "The slug of the organization to create the project in.",
     projectName: "The name of the project to create.",
-    slug: "An optional slug for the project.",
-    template: "The name of the project template, if specified, to apply to this project."
+    slug: "An optional slug for the project."
   },
   DELETE: {
     workspaceId: "The ID of the project to delete."
@@ -1439,22 +1438,3 @@ export const KMS = {
     ciphertext: "The ciphertext to be decrypted (base64 encoded)."
   }
 };
-
-export const ProjectTemplates = {
-  CREATE: {
-    name: "The name of the project template to be created. Must be slug-friendly.",
-    description: "An optional description of the project template.",
-    roles: "The roles to be created when the template is applied to a project.",
-    environments: "The environments to be created when the template is applied to a project."
-  },
-  UPDATE: {
-    templateId: "The ID of the project template to be updated.",
-    name: "The updated name of the project template. Must be slug-friendly.",
-    description: "The updated description of the project template.",
-    roles: "The updated roles to be created when the template is applied to a project.",
-    environments: "The updated environments to be created when the template is applied to a project."
-  },
-  DELETE: {
-    templateId: "The ID of the project template to be deleted."
-  }
-};

backend/src/lib/config/env.ts

@@ -163,22 +163,10 @@ const envSchema = z
     SSL_CLIENT_CERTIFICATE_HEADER_KEY: zpStr(z.string().optional()).default("x-ssl-client-cert"),
     WORKFLOW_SLACK_CLIENT_ID: zpStr(z.string().optional()),
     WORKFLOW_SLACK_CLIENT_SECRET: zpStr(z.string().optional()),
-    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true"),
-
-    // HSM
-    HSM_LIB_PATH: zpStr(z.string().optional()),
-    HSM_PIN: zpStr(z.string().optional()),
-    HSM_KEY_LABEL: zpStr(z.string().optional()),
-    HSM_SLOT: z.coerce.number().optional().default(0)
+    ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT: zodStrBool.default("true")
   })
-  // To ensure that basic encryption is always possible.
-  .refine(
-    (data) => Boolean(data.ENCRYPTION_KEY) || Boolean(data.ROOT_ENCRYPTION_KEY),
-    "Either ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY must be defined."
-  )
   .transform((data) => ({
     ...data,
-
     DB_READ_REPLICAS: data.DB_READ_REPLICAS
       ? databaseReadReplicaSchema.parse(JSON.parse(data.DB_READ_REPLICAS))
       : undefined,
@@ -187,14 +175,10 @@ const envSchema = z
     isRedisConfigured: Boolean(data.REDIS_URL),
     isDevelopmentMode: data.NODE_ENV === "development",
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
-
     isSecretScanningConfigured:
       Boolean(data.SECRET_SCANNING_GIT_APP_ID) &&
       Boolean(data.SECRET_SCANNING_PRIVATE_KEY) &&
       Boolean(data.SECRET_SCANNING_WEBHOOK_SECRET),
-    isHsmConfigured:
-      Boolean(data.HSM_LIB_PATH) && Boolean(data.HSM_PIN) && Boolean(data.HSM_KEY_LABEL) && data.HSM_SLOT !== undefined,
-
     samlDefaultOrgSlug: data.DEFAULT_SAML_ORG_SLUG,
     SECRET_SCANNING_ORG_WHITELIST: data.SECRET_SCANNING_ORG_WHITELIST?.split(",")
   }));

backend/src/lib/errors/index.ts

@@ -133,3 +133,15 @@ export class ScimRequestError extends Error {
     this.status = status;
   }
 }
+
+export class OidcAuthError extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+    super(message || "Something went wrong");
+    this.name = name || "OidcAuthError";
+    this.error = error;
+  }
+}

backend/src/lib/types/index.ts

@@ -58,7 +58,7 @@ export enum OrderByDirection {
   DESC = "desc"
 }
 
-export type OrgServiceActor = {
+export type ProjectServiceActor = {
   type: ActorType;
   id: string;
   authMethod: ActorAuthMethod;

backend/src/lib/validator/index.ts

@@ -1,3 +1,2 @@
 export { isDisposableEmail } from "./validate-email";
-export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";

backend/src/lib/validator/validate-folder-name.ts

@@ -1,8 +0,0 @@
-// regex to allow only alphanumeric, dash, underscore
-export const isValidFolderName = (name: string) => /^[a-zA-Z0-9-_]+$/.test(name);
-
-export const isValidSecretPath = (path: string) =>
-  path
-    .split("/")
-    .filter((el) => el.length)
-    .every((name) => isValidFolderName(name));

backend/src/main.ts

@@ -1,8 +1,6 @@
 import dotenv from "dotenv";
 import path from "path";
 
-import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
-
 import { initAuditLogDbConnection, initDbConnection } from "./db";
 import { keyStoreFactory } from "./keystore/keystore";
 import { formatSmtpConfig, initEnvConfig, IS_PACKAGED } from "./lib/config/env";
@@ -55,17 +53,13 @@ const run = async () => {
   const queue = queueServiceFactory(appCfg.REDIS_URL);
   const keyStore = keyStoreFactory(appCfg.REDIS_URL);
 
-  const hsmModule = initializeHsmModule();
-  hsmModule.initialize();
-
-  const server = await main({ db, auditLogDb, hsmModule: hsmModule.getModule(), smtp, logger, queue, keyStore });
+  const server = await main({ db, auditLogDb, smtp, logger, queue, keyStore });
   const bootstrap = await bootstrapCheck({ db });
 
   // eslint-disable-next-line
   process.on("SIGINT", async () => {
     await server.close();
     await db.destroy();
-    hsmModule.finalize();
     process.exit(0);
   });
 
@@ -73,7 +67,6 @@ const run = async () => {
   process.on("SIGTERM", async () => {
     await server.close();
     await db.destroy();
-    hsmModule.finalize();
     process.exit(0);
   });
 

backend/src/server/app.ts

@@ -14,7 +14,6 @@ import fastify from "fastify";
 import { Knex } from "knex";
 import { Logger } from "pino";
 
-import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig, IS_PACKAGED } from "@app/lib/config/env";
 import { TQueueServiceFactory } from "@app/queue";
@@ -37,19 +36,16 @@ type TMain = {
   logger?: Logger;
   queue: TQueueServiceFactory;
   keyStore: TKeyStoreFactory;
-  hsmModule: HsmModule;
 };
 
 // Run the server!
-export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
+export const main = async ({ db, auditLogDb, smtp, logger, queue, keyStore }: TMain) => {
   const appCfg = getConfig();
-
   const server = fastify({
     logger: appCfg.NODE_ENV === "test" ? false : logger,
     trustProxy: true,
-    connectionTimeout: appCfg.isHsmConfigured ? 90_000 : 30_000,
-    ignoreTrailingSlash: true,
-    pluginTimeout: 40_000
+    connectionTimeout: 30 * 1000,
+    ignoreTrailingSlash: true
   }).withTypeProvider<ZodTypeProvider>();
 
   server.setValidatorCompiler(validatorCompiler);
@@ -99,7 +95,7 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register(maintenanceMode);
 
-    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore, hsmModule });
+    await server.register(registerRoutes, { smtp, queue, db, auditLogDb, keyStore });
 
     if (appCfg.isProductionMode) {
       await server.register(registerExternalNextjs, {

backend/src/server/boot-strap-check.ts

@@ -46,10 +46,10 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
   await createTransport(smtpCfg)
     .verify()
     .then(async () => {
-      console.info("SMTP successfully connected");
+      console.info(`SMTP - Verified connection to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT}`);
     })
-    .catch((err) => {
-      console.error(`SMTP - Failed to connect to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT}`);
+    .catch((err: Error) => {
+      console.error(`SMTP - Failed to connect to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT} - ${err.message}`);
       logger.error(err);
     });
 

backend/src/server/plugins/error-handler.ts

@@ -10,6 +10,7 @@ import {
   GatewayTimeoutError,
   InternalServerError,
   NotFoundError,
+  OidcAuthError,
   RateLimitError,
   ScimRequestError,
   UnauthorizedError
@@ -83,7 +84,10 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
         status: error.status,
         detail: error.detail
       });
-      // Handle JWT errors and make them more human-readable for the end-user.
+    } else if (error instanceof OidcAuthError) {
+      void res
+        .status(HttpStatusCodes.InternalServerError)
+        .send({ statusCode: HttpStatusCodes.InternalServerError, message: error.message, error: error.name });
     } else if (error instanceof jwt.JsonWebTokenError) {
       const message = (() => {
         if (error.message === JWTErrors.JwtExpired) {

backend/src/server/routes/index.ts

@@ -1,4 +1,5 @@
 import { CronJob } from "cron";
+// import { Redis } from "ioredis";
 import { Knex } from "knex";
 import { z } from "zod";
 
@@ -30,8 +31,6 @@ import { externalKmsServiceFactory } from "@app/ee/services/external-kms/externa
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
-import { hsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
-import { HsmModule } from "@app/ee/services/hsm/hsm-types";
 import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-dal";
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { identityProjectAdditionalPrivilegeV2ServiceFactory } from "@app/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service";
@@ -44,8 +43,6 @@ import { oidcConfigDALFactory } from "@app/ee/services/oidc/oidc-config-dal";
 import { oidcConfigServiceFactory } from "@app/ee/services/oidc/oidc-config-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
 import { permissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { projectTemplateDALFactory } from "@app/ee/services/project-template/project-template-dal";
-import { projectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
 import { projectUserAdditionalPrivilegeDALFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-dal";
 import { projectUserAdditionalPrivilegeServiceFactory } from "@app/ee/services/project-user-additional-privilege/project-user-additional-privilege-service";
 import { rateLimitDALFactory } from "@app/ee/services/rate-limit/rate-limit-dal";
@@ -224,18 +221,10 @@ export const registerRoutes = async (
   {
     auditLogDb,
     db,
-    hsmModule,
     smtp: smtpService,
     queue: queueService,
     keyStore
-  }: {
-    auditLogDb?: Knex;
-    db: Knex;
-    hsmModule: HsmModule;
-    smtp: TSmtpService;
-    queue: TQueueServiceFactory;
-    keyStore: TKeyStoreFactory;
-  }
+  }: { auditLogDb?: Knex; db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
   const appCfg = getConfig();
   await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
@@ -351,8 +340,6 @@ export const registerRoutes = async (
 
   const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
 
-  const projectTemplateDAL = projectTemplateDALFactory(db);
-
   const permissionService = permissionServiceFactory({
     permissionDAL,
     orgRoleDAL,
@@ -361,21 +348,14 @@ export const registerRoutes = async (
     projectDAL
   });
   const licenseService = licenseServiceFactory({ permissionService, orgDAL, licenseDAL, keyStore });
-
-  const hsmService = hsmServiceFactory({
-    hsmModule
-  });
-
   const kmsService = kmsServiceFactory({
     kmsRootConfigDAL,
     keyStore,
     kmsDAL,
     internalKmsDAL,
     orgDAL,
-    projectDAL,
-    hsmService
+    projectDAL
   });
-
   const externalKmsService = externalKmsServiceFactory({
     kmsDAL,
     kmsService,
@@ -572,7 +552,6 @@ export const registerRoutes = async (
     userDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
-    kmsRootConfigDAL,
     orgService,
     keyStore,
     licenseService,
@@ -753,12 +732,6 @@ export const registerRoutes = async (
     permissionService
   });
 
-  const projectTemplateService = projectTemplateServiceFactory({
-    licenseService,
-    permissionService,
-    projectTemplateDAL
-  });
-
   const projectService = projectServiceFactory({
     permissionService,
     projectDAL,
@@ -785,8 +758,7 @@ export const registerRoutes = async (
     projectBotDAL,
     certificateTemplateDAL,
     projectSlackConfigDAL,
-    slackIntegrationDAL,
-    projectTemplateService
+    slackIntegrationDAL
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1278,13 +1250,10 @@ export const registerRoutes = async (
   });
 
   await superAdminService.initServerCfg();
-
+  //
   // setup the communication with license key server
   await licenseService.init();
 
-  // Start HSM service if it's configured/enabled.
-  await hsmService.startService();
-
   await telemetryQueue.startTelemetryCheck();
   await dailyResourceCleanUp.startCleanUp();
   await dailyExpiringPkiItemAlert.startSendingAlerts();
@@ -1362,14 +1331,12 @@ export const registerRoutes = async (
     secretSharing: secretSharingService,
     userEngagement: userEngagementService,
     externalKms: externalKmsService,
-    hsm: hsmService,
     cmek: cmekService,
     orgAdmin: orgAdminService,
     slack: slackService,
     workflowIntegration: workflowIntegrationService,
     migration: migrationService,
-    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
-    projectTemplate: projectTemplateService
+    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/admin-router.ts

@@ -7,7 +7,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { RootKeyEncryptionStrategy } from "@app/services/kms/kms-types";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { LoginMethod } from "@app/services/super-admin/super-admin-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
@@ -196,57 +195,6 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/encryption-strategies",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      response: {
-        200: z.object({
-          strategies: z
-            .object({
-              strategy: z.nativeEnum(RootKeyEncryptionStrategy),
-              enabled: z.boolean()
-            })
-            .array()
-        })
-      }
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-
-    handler: async () => {
-      const encryptionDetails = await server.services.superAdmin.getConfiguredEncryptionStrategies();
-      return encryptionDetails;
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/encryption-strategies",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      body: z.object({
-        strategy: z.nativeEnum(RootKeyEncryptionStrategy)
-      })
-    },
-    onRequest: (req, res, done) => {
-      verifyAuth([AuthMode.JWT])(req, res, () => {
-        verifySuperAdmin(req, res, done);
-      });
-    },
-    handler: async (req) => {
-      await server.services.superAdmin.updateRootEncryptionStrategy(req.body.strategy);
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/signup",

backend/src/server/routes/v1/certificate-template-router.ts

@@ -14,8 +14,7 @@ import { validateTemplateRegexField } from "@app/services/certificate-template/c
 const sanitizedEstConfig = CertificateTemplateEstConfigsSchema.pick({
   id: true,
   certificateTemplateId: true,
-  isEnabled: true,
-  disableBootstrapCertValidation: true
+  isEnabled: true
 });
 
 export const registerCertificateTemplateRouter = async (server: FastifyZodProvider) => {
@@ -242,18 +241,11 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
       params: z.object({
         certificateTemplateId: z.string().trim()
       }),
-      body: z
-        .object({
-          caChain: z.string().trim().optional(),
-          passphrase: z.string().min(1),
-          isEnabled: z.boolean().default(true),
-          disableBootstrapCertValidation: z.boolean().default(false)
-        })
-        .refine(
-          ({ caChain, disableBootstrapCertValidation }) =>
-            disableBootstrapCertValidation || (!disableBootstrapCertValidation && caChain),
-          "CA chain is required"
-        ),
+      body: z.object({
+        caChain: z.string().trim().min(1),
+        passphrase: z.string().min(1),
+        isEnabled: z.boolean().default(true)
+      }),
       response: {
         200: sanitizedEstConfig
       }
@@ -297,9 +289,8 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
         certificateTemplateId: z.string().trim()
       }),
       body: z.object({
-        caChain: z.string().trim().optional(),
+        caChain: z.string().trim().min(1).optional(),
         passphrase: z.string().min(1).optional(),
-        disableBootstrapCertValidation: z.boolean().optional(),
         isEnabled: z.boolean().optional()
       }),
       response: {

backend/src/server/routes/v1/dashboard-router.ts

@@ -840,91 +840,4 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
       };
     }
   });
-
-  server.route({
-    method: "GET",
-    url: "/secrets-by-keys",
-    config: {
-      rateLimit: secretsLimit
-    },
-    schema: {
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      querystring: z.object({
-        projectId: z.string().trim(),
-        environment: z.string().trim(),
-        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
-        keys: z.string().trim().transform(decodeURIComponent)
-      }),
-      response: {
-        200: z.object({
-          secrets: secretRawSchema
-            .extend({
-              secretPath: z.string().optional(),
-              tags: SecretTagsSchema.pick({
-                id: true,
-                slug: true,
-                color: true
-              })
-                .extend({ name: z.string() })
-                .array()
-                .optional()
-            })
-            .array()
-            .optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretPath, projectId, environment } = req.query;
-
-      const keys = req.query.keys?.split(",").filter((key) => Boolean(key.trim())) ?? [];
-      if (!keys.length) throw new BadRequestError({ message: "One or more keys required" });
-
-      const { secrets } = await server.services.secret.getSecretsRaw({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        environment,
-        actorAuthMethod: req.permission.authMethod,
-        projectId,
-        path: secretPath,
-        keys
-      });
-
-      await server.services.auditLog.createAuditLog({
-        projectId,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.GET_SECRETS,
-          metadata: {
-            environment,
-            secretPath,
-            numberOfSecrets: secrets.length
-          }
-        }
-      });
-
-      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
-        await server.services.telemetry.sendPostHogEvents({
-          event: PostHogEventTypes.SecretPulled,
-          distinctId: getTelemetryDistinctId(req),
-          properties: {
-            numberOfSecrets: secrets.length,
-            workspaceId: projectId,
-            environment,
-            secretPath,
-            channel: getUserAgentType(req.headers["user-agent"]),
-            ...req.auditLogInfo
-          }
-        });
-      }
-
-      return { secrets };
-    }
-  });
 };

backend/src/server/routes/v1/integration-auth-router.ts

@@ -891,48 +891,6 @@ export const registerIntegrationAuthRouter = async (server: FastifyZodProvider)
     }
   });
 
-  server.route({
-    method: "GET",
-    url: "/:integrationAuthId/bitbucket/environments",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    schema: {
-      params: z.object({
-        integrationAuthId: z.string().trim()
-      }),
-      querystring: z.object({
-        workspaceSlug: z.string().trim().min(1, { message: "Workspace slug required" }),
-        repoSlug: z.string().trim().min(1, { message: "Repo slug required" })
-      }),
-      response: {
-        200: z.object({
-          environments: z
-            .object({
-              name: z.string(),
-              slug: z.string(),
-              uuid: z.string(),
-              type: z.string()
-            })
-            .array()
-        })
-      }
-    },
-    handler: async (req) => {
-      const environments = await server.services.integrationAuth.getBitbucketEnvironments({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationAuthId,
-        workspaceSlug: req.query.workspaceSlug,
-        repoSlug: req.query.repoSlug
-      });
-      return { environments };
-    }
-  });
-
   server.route({
     method: "GET",
     url: "/:integrationAuthId/northflank/secret-groups",

backend/src/server/routes/v1/secret-folder-router.ts

@@ -4,7 +4,6 @@ import { SecretFoldersSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { FOLDERS } from "@app/lib/api-docs";
 import { prefixWithSlash, removeTrailingSlash } from "@app/lib/fn";
-import { isValidFolderName } from "@app/lib/validator";
 import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -26,13 +25,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.CREATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.CREATE.environment),
-        name: z
-          .string()
-          .trim()
-          .describe(FOLDERS.CREATE.name)
-          .refine((name) => isValidFolderName(name), {
-            message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-          }),
+        name: z.string().trim().describe(FOLDERS.CREATE.name),
         path: z
           .string()
           .trim()
@@ -104,13 +97,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       body: z.object({
         workspaceId: z.string().trim().describe(FOLDERS.UPDATE.workspaceId),
         environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-        name: z
-          .string()
-          .trim()
-          .describe(FOLDERS.UPDATE.name)
-          .refine((name) => isValidFolderName(name), {
-            message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-          }),
+        name: z.string().trim().describe(FOLDERS.UPDATE.name),
         path: z
           .string()
           .trim()
@@ -183,13 +170,7 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
           .object({
             id: z.string().describe(FOLDERS.UPDATE.folderId),
             environment: z.string().trim().describe(FOLDERS.UPDATE.environment),
-            name: z
-              .string()
-              .trim()
-              .describe(FOLDERS.UPDATE.name)
-              .refine((name) => isValidFolderName(name), {
-                message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
-              }),
+            name: z.string().trim().describe(FOLDERS.UPDATE.name),
             path: z
               .string()
               .trim()

backend/src/server/routes/v2/project-router.ts

@@ -9,7 +9,6 @@ import {
   ProjectKeysSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { InfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-types";
 import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
@@ -170,15 +169,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
           })
           .optional()
           .describe(PROJECTS.CREATE.slug),
-        kmsKeyId: z.string().optional(),
-        template: z
-          .string()
-          .refine((v) => slugify(v) === v, {
-            message: "Template name must be in slug format"
-          })
-          .optional()
-          .default(InfisicalProjectTemplate.Default)
-          .describe(PROJECTS.CREATE.template)
+        kmsKeyId: z.string().optional()
       }),
       response: {
         200: z.object({
@@ -195,8 +186,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         actorAuthMethod: req.permission.authMethod,
         workspaceName: req.body.projectName,
         slug: req.body.slug,
-        kmsKeyId: req.body.kmsKeyId,
-        template: req.body.template
+        kmsKeyId: req.body.kmsKeyId
       });
 
       await server.services.telemetry.sendPostHogEvents({
@@ -209,20 +199,6 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         }
       });
 
-      if (req.body.template) {
-        await server.services.auditLog.createAuditLog({
-          ...req.auditLogInfo,
-          orgId: req.permission.orgId,
-          event: {
-            type: EventType.APPLY_PROJECT_TEMPLATE,
-            metadata: {
-              template: req.body.template,
-              projectId: project.id
-            }
-          }
-        });
-      }
-
       return { project };
     }
   });

backend/src/services/certificate-template/certificate-template-service.ts

@@ -235,8 +235,7 @@ export const certificateTemplateServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId,
-    disableBootstrapCertValidation
+    actorOrgId
   }: TCreateEstConfigurationDTO) => {
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.pkiEst) {
@@ -267,45 +266,39 @@ export const certificateTemplateServiceFactory = ({
 
     const appCfg = getConfig();
 
-    let encryptedCaChain: Buffer | undefined;
-    if (caChain) {
-      const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
-        projectId: certTemplate.projectId,
-        projectDAL,
-        kmsService
-      });
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
+      projectId: certTemplate.projectId,
+      projectDAL,
+      kmsService
+    });
 
-      // validate CA chain
-      const certificates = caChain
-        .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
-        ?.map((cert) => new x509.X509Certificate(cert));
+    // validate CA chain
+    const certificates = caChain
+      .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g)
+      ?.map((cert) => new x509.X509Certificate(cert));
 
-      if (!certificates) {
-        throw new BadRequestError({ message: "Failed to parse certificate chain" });
-      }
-
-      if (!(await isCertChainValid(certificates))) {
-        throw new BadRequestError({ message: "Invalid certificate chain" });
-      }
-
-      const kmsEncryptor = await kmsService.encryptWithKmsKey({
-        kmsId: certificateManagerKmsId
-      });
-
-      const { cipherTextBlob } = await kmsEncryptor({
-        plainText: Buffer.from(caChain)
-      });
-
-      encryptedCaChain = cipherTextBlob;
+    if (!certificates) {
+      throw new BadRequestError({ message: "Failed to parse certificate chain" });
     }
 
+    if (!(await isCertChainValid(certificates))) {
+      throw new BadRequestError({ message: "Invalid certificate chain" });
+    }
+
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
+
+    const { cipherTextBlob: encryptedCaChain } = await kmsEncryptor({
+      plainText: Buffer.from(caChain)
+    });
+
     const hashedPassphrase = await bcrypt.hash(passphrase, appCfg.SALT_ROUNDS);
     const estConfig = await certificateTemplateEstConfigDAL.create({
       certificateTemplateId,
       hashedPassphrase,
       encryptedCaChain,
-      isEnabled,
-      disableBootstrapCertValidation
+      isEnabled
     });
 
     return { ...estConfig, projectId: certTemplate.projectId };
@@ -319,8 +312,7 @@ export const certificateTemplateServiceFactory = ({
     actorId,
     actorAuthMethod,
     actor,
-    actorOrgId,
-    disableBootstrapCertValidation
+    actorOrgId
   }: TUpdateEstConfigurationDTO) => {
     const plan = await licenseService.getPlan(actorOrgId);
     if (!plan.pkiEst) {
@@ -368,8 +360,7 @@ export const certificateTemplateServiceFactory = ({
     });
 
     const updatedData: TCertificateTemplateEstConfigsUpdate = {
-      isEnabled,
-      disableBootstrapCertValidation
+      isEnabled
     };
 
     if (caChain) {
@@ -451,24 +442,18 @@ export const certificateTemplateServiceFactory = ({
       kmsId: certificateManagerKmsId
     });
 
-    let decryptedCaChain = "";
-    if (estConfig.encryptedCaChain) {
-      decryptedCaChain = (
-        await kmsDecryptor({
-          cipherTextBlob: estConfig.encryptedCaChain
-        })
-      ).toString();
-    }
+    const decryptedCaChain = await kmsDecryptor({
+      cipherTextBlob: estConfig.encryptedCaChain
+    });
 
     return {
       certificateTemplateId,
       id: estConfig.id,
       isEnabled: estConfig.isEnabled,
-      caChain: decryptedCaChain,
+      caChain: decryptedCaChain.toString(),
       hashedPassphrase: estConfig.hashedPassphrase,
       projectId: certTemplate.projectId,
-      orgId: certTemplate.orgId,
-      disableBootstrapCertValidation: estConfig.disableBootstrapCertValidation
+      orgId: certTemplate.orgId
     };
   };
 

backend/src/services/certificate-template/certificate-template-types.ts

@@ -34,10 +34,9 @@ export type TDeleteCertTemplateDTO = {
 
 export type TCreateEstConfigurationDTO = {
   certificateTemplateId: string;
-  caChain?: string;
+  caChain: string;
   passphrase: string;
   isEnabled: boolean;
-  disableBootstrapCertValidation: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateEstConfigurationDTO = {
@@ -45,7 +44,6 @@ export type TUpdateEstConfigurationDTO = {
   caChain?: string;
   passphrase?: string;
   isEnabled?: boolean;
-  disableBootstrapCertValidation?: boolean;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TGetEstConfigurationDTO =

backend/src/services/cmek/cmek-service.ts

@@ -3,7 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrgServiceActor } from "@app/lib/types";
+import { ProjectServiceActor } from "@app/lib/types";
 import {
   TCmekDecryptDTO,
   TCmekEncryptDTO,
@@ -23,7 +23,7 @@ type TCmekServiceFactoryDep = {
 export type TCmekServiceFactory = ReturnType<typeof cmekServiceFactory>;
 
 export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TCmekServiceFactoryDep) => {
-  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: OrgServiceActor) => {
+  const createCmek = async ({ projectId, ...dto }: TCreateCmekDTO, actor: ProjectServiceActor) => {
     const { permission } = await permissionService.getProjectPermission(
       actor.type,
       actor.id,
@@ -43,7 +43,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cmek;
   };
 
-  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: OrgServiceActor) => {
+  const updateCmekById = async ({ keyId, ...data }: TUpdabteCmekByIdDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -65,7 +65,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cmek;
   };
 
-  const deleteCmekById = async (keyId: string, actor: OrgServiceActor) => {
+  const deleteCmekById = async (keyId: string, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -87,7 +87,10 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cmek;
   };
 
-  const listCmeksByProjectId = async ({ projectId, ...filters }: TListCmeksByProjectIdDTO, actor: OrgServiceActor) => {
+  const listCmeksByProjectId = async (
+    { projectId, ...filters }: TListCmeksByProjectIdDTO,
+    actor: ProjectServiceActor
+  ) => {
     const { permission } = await permissionService.getProjectPermission(
       actor.type,
       actor.id,
@@ -103,7 +106,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return { cmeks, totalCount };
   };
 
-  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: OrgServiceActor) => {
+  const cmekEncrypt = async ({ keyId, plaintext }: TCmekEncryptDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });
@@ -129,7 +132,7 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService }: TC
     return cipherTextBlob.toString("base64");
   };
 
-  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: OrgServiceActor) => {
+  const cmekDecrypt = async ({ keyId, ciphertext }: TCmekDecryptDTO, actor: ProjectServiceActor) => {
     const key = await kmsDAL.findById(keyId);
 
     if (!key) throw new NotFoundError({ message: `Key with ID ${keyId} not found` });

backend/src/services/external-group-org-role-mapping/external-group-org-role-mapping-service.ts

@@ -3,7 +3,7 @@ import { ForbiddenError } from "@casl/ability";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { OrgServiceActor } from "@app/lib/types";
+import { ProjectServiceActor } from "@app/lib/types";
 import { constructGroupOrgMembershipRoleMappings } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-fns";
 import { TSyncExternalGroupOrgMembershipRoleMappingsDTO } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-types";
 import { TOrgRoleDALFactory } from "@app/services/org/org-role-dal";
@@ -25,7 +25,7 @@ export const externalGroupOrgRoleMappingServiceFactory = ({
   permissionService,
   orgRoleDAL
 }: TExternalGroupOrgRoleMappingServiceFactoryDep) => {
-  const listExternalGroupOrgRoleMappings = async (actor: OrgServiceActor) => {
+  const listExternalGroupOrgRoleMappings = async (actor: ProjectServiceActor) => {
     const { permission } = await permissionService.getOrgPermission(
       actor.type,
       actor.id,
@@ -46,7 +46,7 @@ export const externalGroupOrgRoleMappingServiceFactory = ({
 
   const updateExternalGroupOrgRoleMappings = async (
     dto: TSyncExternalGroupOrgMembershipRoleMappingsDTO,
-    actor: OrgServiceActor
+    actor: ProjectServiceActor
   ) => {
     const { permission } = await permissionService.getOrgPermission(
       actor.type,

backend/src/services/integration-auth/integration-auth-service.ts

@@ -20,7 +20,6 @@ import { getApps } from "./integration-app-list";
 import { TIntegrationAuthDALFactory } from "./integration-auth-dal";
 import { IntegrationAuthMetadataSchema, TIntegrationAuthMetadata } from "./integration-auth-schema";
 import {
-  TBitbucketEnvironment,
   TBitbucketWorkspace,
   TChecklyGroups,
   TDeleteIntegrationAuthByIdDTO,
@@ -31,7 +30,6 @@ import {
   THerokuPipelineCoupling,
   TIntegrationAuthAppsDTO,
   TIntegrationAuthAwsKmsKeyDTO,
-  TIntegrationAuthBitbucketEnvironmentsDTO,
   TIntegrationAuthBitbucketWorkspaceDTO,
   TIntegrationAuthChecklyGroupsDTO,
   TIntegrationAuthGithubEnvsDTO,
@@ -1263,55 +1261,6 @@ export const integrationAuthServiceFactory = ({
     return workspaces;
   };
 
-  const getBitbucketEnvironments = async ({
-    workspaceSlug,
-    repoSlug,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    id
-  }: TIntegrationAuthBitbucketEnvironmentsDTO) => {
-    const integrationAuth = await integrationAuthDAL.findById(id);
-    if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      integrationAuth.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
-    const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
-    const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
-    const environments: TBitbucketEnvironment[] = [];
-    let hasNextPage = true;
-
-    let environmentsUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${workspaceSlug}/${repoSlug}/environments`;
-
-    while (hasNextPage) {
-      // eslint-disable-next-line
-      const { data }: { data: { values: TBitbucketEnvironment[]; next: string } } = await request.get(environmentsUrl, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          "Accept-Encoding": "application/json"
-        }
-      });
-
-      if (data?.values.length > 0) {
-        environments.push(...data.values);
-      }
-
-      if (data.next) {
-        environmentsUrl = data.next;
-      } else {
-        hasNextPage = false;
-      }
-    }
-    return environments;
-  };
-
   const getNorthFlankSecretGroups = async ({
     id,
     actor,
@@ -1550,7 +1499,6 @@ export const integrationAuthServiceFactory = ({
     getNorthFlankSecretGroups,
     getTeamcityBuildConfigs,
     getBitbucketWorkspaces,
-    getBitbucketEnvironments,
     getIntegrationAccessToken,
     duplicateIntegrationAuth
   };

backend/src/services/integration-auth/integration-auth-types.ts

@@ -99,12 +99,6 @@ export type TIntegrationAuthBitbucketWorkspaceDTO = {
   id: string;
 } & Omit<TProjectPermission, "projectId">;
 
-export type TIntegrationAuthBitbucketEnvironmentsDTO = {
-  workspaceSlug: string;
-  repoSlug: string;
-  id: string;
-} & Omit<TProjectPermission, "projectId">;
-
 export type TIntegrationAuthNorthflankSecretGroupDTO = {
   id: string;
   appId: string;
@@ -154,13 +148,6 @@ export type TBitbucketWorkspace = {
   updated_on: string;
 };
 
-export type TBitbucketEnvironment = {
-  type: string;
-  uuid: string;
-  name: string;
-  slug: string;
-};
-
 export type TNorthflankSecretGroup = {
   id: string;
   name: string;

backend/src/services/integration-auth/integration-list.ts

@@ -334,7 +334,7 @@ export const getIntegrationOptions = async () => {
       docsLink: ""
     },
     {
-      name: "Bitbucket",
+      name: "BitBucket",
       slug: "bitbucket",
       image: "BitBucket.png",
       isAvailable: true,

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -3631,14 +3631,7 @@ const syncSecretsBitBucket = async ({
   const res: { [key: string]: BitbucketVariable } = {};
 
   let hasNextPage = true;
-
-  const rootUrl = integration.targetServiceId
-    ? // scope: deployment environment
-      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/deployments_config/environments/${integration.targetServiceId}/variables`
-    : // scope: repository
-      `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/pipelines_config/variables`;
-
-  let variablesUrl = rootUrl;
+  let variablesUrl = `${IntegrationUrls.BITBUCKET_API_URL}/2.0/repositories/${integration.targetEnvironmentId}/${integration.appId}/pipelines_config/variables`;
 
   while (hasNextPage) {
     const { data }: { data: VariablesResponse } = await request.get(variablesUrl, {
@@ -3665,7 +3658,7 @@ const syncSecretsBitBucket = async ({
     if (key in res) {
       // update existing secret
       await request.put(
-        `${rootUrl}/${res[key].uuid}`,
+        `${variablesUrl}/${res[key].uuid}`,
         {
           key,
           value: secrets[key].value,
@@ -3681,7 +3674,7 @@ const syncSecretsBitBucket = async ({
     } else {
       // create new secret
       await request.post(
-        rootUrl,
+        variablesUrl,
         {
           key,
           value: secrets[key].value,

backend/src/services/kms/kms-fns.ts

@@ -1,7 +1,5 @@
 import { SymmetricEncryption } from "@app/lib/crypto/cipher";
 
-export const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
-
 export const getByteLengthForAlgorithm = (encryptionAlgorithm: SymmetricEncryption) => {
   switch (encryptionAlgorithm) {
     case SymmetricEncryption.AES_GCM_128:

backend/src/services/kms/kms-service.ts

@@ -2,14 +2,13 @@ import slugify from "@sindresorhus/slugify";
 import { Knex } from "knex";
 import { z } from "zod";
 
-import { KmsKeysSchema, TKmsRootConfig } from "@app/db/schemas";
+import { KmsKeysSchema } from "@app/db/schemas";
 import { AwsKmsProviderFactory } from "@app/ee/services/external-kms/providers/aws-kms";
 import {
   ExternalKmsAwsSchema,
   KmsProviders,
   TExternalKmsProviderFns
 } from "@app/ee/services/external-kms/providers/model";
-import { THsmServiceFactory } from "@app/ee/services/hsm/hsm-service";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
@@ -18,7 +17,7 @@ import { generateHash } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { getByteLengthForAlgorithm, KMS_ROOT_CONFIG_UUID } from "@app/services/kms/kms-fns";
+import { getByteLengthForAlgorithm } from "@app/services/kms/kms-fns";
 
 import { TOrgDALFactory } from "../org/org-dal";
 import { TProjectDALFactory } from "../project/project-dal";
@@ -28,7 +27,6 @@ import { TKmsRootConfigDALFactory } from "./kms-root-config-dal";
 import {
   KmsDataKey,
   KmsType,
-  RootKeyEncryptionStrategy,
   TDecryptWithKeyDTO,
   TDecryptWithKmsDTO,
   TEncryptionWithKeyDTO,
@@ -42,14 +40,15 @@ type TKmsServiceFactoryDep = {
   kmsDAL: TKmsKeyDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findById" | "updateById" | "transaction">;
   orgDAL: Pick<TOrgDALFactory, "findById" | "updateById" | "transaction">;
-  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create" | "updateById">;
+  kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "waitTillReady" | "setItemWithExpiry">;
   internalKmsDAL: Pick<TInternalKmsDALFactory, "create">;
-  hsmService: THsmServiceFactory;
 };
 
 export type TKmsServiceFactory = ReturnType<typeof kmsServiceFactory>;
 
+const KMS_ROOT_CONFIG_UUID = "00000000-0000-0000-0000-000000000000";
+
 const KMS_ROOT_CREATION_WAIT_KEY = "wait_till_ready_kms_root_key";
 const KMS_ROOT_CREATION_WAIT_TIME = 10;
 
@@ -64,8 +63,7 @@ export const kmsServiceFactory = ({
   keyStore,
   internalKmsDAL,
   orgDAL,
-  projectDAL,
-  hsmService
+  projectDAL
 }: TKmsServiceFactoryDep) => {
   let ROOT_ENCRYPTION_KEY = Buffer.alloc(0);
 
@@ -612,65 +610,6 @@ export const kmsServiceFactory = ({
     }
   };
 
-  const $getBasicEncryptionKey = () => {
-    const appCfg = getConfig();
-
-    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
-    const isBase64 = !appCfg.ENCRYPTION_KEY;
-    if (!encryptionKey)
-      throw new Error(
-        "Root encryption key not found for KMS service. Did you set the ENCRYPTION_KEY or ROOT_ENCRYPTION_KEY environment variables?"
-      );
-
-    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
-
-    return encryptionKeyBuffer;
-  };
-
-  const $decryptRootKey = async (kmsRootConfig: TKmsRootConfig) => {
-    // case 1: root key is encrypted with HSM
-    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.HSM) {
-      const hsmIsActive = await hsmService.isActive();
-      if (!hsmIsActive) {
-        throw new Error("Unable to decrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
-      }
-
-      const decryptedKey = await hsmService.decrypt(kmsRootConfig.encryptedRootKey);
-      return decryptedKey;
-    }
-
-    // case 2: root key is encrypted with software encryption
-    if (kmsRootConfig.encryptionStrategy === RootKeyEncryptionStrategy.Software) {
-      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-      const encryptionKeyBuffer = $getBasicEncryptionKey();
-
-      return cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
-    }
-
-    throw new Error(`Invalid root key encryption strategy: ${kmsRootConfig.encryptionStrategy}`);
-  };
-
-  const $encryptRootKey = async (plainKeyBuffer: Buffer, strategy: RootKeyEncryptionStrategy) => {
-    if (strategy === RootKeyEncryptionStrategy.HSM) {
-      const hsmIsActive = await hsmService.isActive();
-      if (!hsmIsActive) {
-        throw new Error("Unable to encrypt root KMS key. HSM service is inactive. Did you configure the HSM?");
-      }
-      const encrypted = await hsmService.encrypt(plainKeyBuffer);
-      return encrypted;
-    }
-
-    if (strategy === RootKeyEncryptionStrategy.Software) {
-      const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-      const encryptionKeyBuffer = $getBasicEncryptionKey();
-
-      return cipher.encrypt(plainKeyBuffer, encryptionKeyBuffer);
-    }
-
-    // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-    throw new Error(`Invalid root key encryption strategy: ${strategy}`);
-  };
-
   // by keeping the decrypted data key in inner scope
   // none of the entities outside can interact directly or expose the data key
   // NOTICE: If changing here update migrations/utils/kms
@@ -832,6 +771,7 @@ export const kmsServiceFactory = ({
         },
         tx
       );
+
       return kmsDAL.findByIdWithAssociatedKms(key.id, tx);
     });
 
@@ -854,6 +794,14 @@ export const kmsServiceFactory = ({
 
   // akhilmhdh: a copy of this is made in migrations/utils/kms
   const startService = async () => {
+    const appCfg = getConfig();
+    // This will switch to a seal process and HMS flow in future
+    const encryptionKey = appCfg.ENCRYPTION_KEY || appCfg.ROOT_ENCRYPTION_KEY;
+    // if root key its base64 encoded
+    const isBase64 = !appCfg.ENCRYPTION_KEY;
+    if (!encryptionKey) throw new Error("Root encryption key not found for KMS service.");
+    const encryptionKeyBuffer = Buffer.from(encryptionKey, isBase64 ? "base64" : "utf8");
+
     const lock = await keyStore.acquireLock([`KMS_ROOT_CFG_LOCK`], 3000, { retryCount: 3 }).catch(() => null);
     if (!lock) {
       await keyStore.waitTillReady({
@@ -865,69 +813,31 @@ export const kmsServiceFactory = ({
 
     // check if KMS root key was already generated and saved in DB
     const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-
-    // case 1: a root key already exists in the DB
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
     if (kmsRootConfig) {
       if (lock) await lock.release();
-      logger.info(`KMS: Encrypted ROOT Key found from DB. Decrypting. [strategy=${kmsRootConfig.encryptionStrategy}]`);
-
-      const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
-
-      // set the flag so that other instance nodes can start
+      logger.info("KMS: Encrypted ROOT Key found from DB. Decrypting.");
+      const decryptedRootKey = cipher.decrypt(kmsRootConfig.encryptedRootKey, encryptionKeyBuffer);
+      // set the flag so that other instancen nodes can start
       await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
       logger.info("KMS: Loading ROOT Key into Memory.");
       ROOT_ENCRYPTION_KEY = decryptedRootKey;
       return;
     }
 
-    // case 2: no config is found, so we create a new root key with basic encryption
-    logger.info("KMS: Generating new ROOT Key");
+    logger.info("KMS: Generating ROOT Key");
     const newRootKey = randomSecureBytes(32);
-    const encryptedRootKey = await $encryptRootKey(newRootKey, RootKeyEncryptionStrategy.Software).catch((err) => {
-      logger.error({ hsmEnabled: hsmService.isActive() }, "KMS: Failed to encrypt ROOT Key");
-      throw err;
-    });
+    const encryptedRootKey = cipher.encrypt(newRootKey, encryptionKeyBuffer);
+    // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
+    await kmsRootConfigDAL.create({ encryptedRootKey, id: KMS_ROOT_CONFIG_UUID });
 
-    await kmsRootConfigDAL.create({
-      // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
-      id: KMS_ROOT_CONFIG_UUID,
-      encryptedRootKey,
-      encryptionStrategy: RootKeyEncryptionStrategy.Software
-    });
-
-    // set the flag so that other instance nodes can start
+    // set the flag so that other instancen nodes can start
     await keyStore.setItemWithExpiry(KMS_ROOT_CREATION_WAIT_KEY, KMS_ROOT_CREATION_WAIT_TIME, "true");
     logger.info("KMS: Saved and loaded ROOT Key into memory");
     if (lock) await lock.release();
     ROOT_ENCRYPTION_KEY = newRootKey;
   };
 
-  const updateEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
-    const kmsRootConfig = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-    if (!kmsRootConfig) {
-      throw new NotFoundError({ message: "KMS root config not found" });
-    }
-
-    if (kmsRootConfig.encryptionStrategy === strategy) {
-      return;
-    }
-
-    const decryptedRootKey = await $decryptRootKey(kmsRootConfig);
-    const encryptedRootKey = await $encryptRootKey(decryptedRootKey, strategy);
-
-    if (!encryptedRootKey) {
-      logger.error("KMS: Failed to re-encrypt ROOT Key with selected strategy");
-      throw new Error("Failed to re-encrypt ROOT Key with selected strategy");
-    }
-
-    await kmsRootConfigDAL.updateById(KMS_ROOT_CONFIG_UUID, {
-      encryptedRootKey,
-      encryptionStrategy: strategy
-    });
-
-    ROOT_ENCRYPTION_KEY = decryptedRootKey;
-  };
-
   return {
     startService,
     generateKmsKey,
@@ -939,7 +849,6 @@ export const kmsServiceFactory = ({
     encryptWithRootKey,
     decryptWithRootKey,
     getOrgKmsKeyId,
-    updateEncryptionStrategy,
     getProjectSecretManagerKmsKeyId,
     updateProjectSecretManagerKmsKey,
     getProjectKeyBackup,

backend/src/services/kms/kms-types.ts

@@ -56,8 +56,3 @@ export type TUpdateProjectSecretManagerKmsKeyDTO = {
   projectId: string;
   kms: { type: KmsType.Internal } | { type: KmsType.External; kmsId: string };
 };
-
-export enum RootKeyEncryptionStrategy {
-  Software = "SOFTWARE",
-  HSM = "HSM"
-}

backend/src/services/project/project-service.ts

@@ -6,8 +6,6 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { TProjectTemplateServiceFactory } from "@app/ee/services/project-template/project-template-service";
-import { InfisicalProjectTemplate } from "@app/ee/services/project-template/project-template-types";
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
@@ -96,7 +94,7 @@ type TProjectServiceFactoryDep = {
   orgDAL: Pick<TOrgDALFactory, "findOne">;
   keyStore: Pick<TKeyStoreFactory, "deleteItem">;
   projectBotDAL: Pick<TProjectBotDALFactory, "create">;
-  projectRoleDAL: Pick<TProjectRoleDALFactory, "find" | "insertMany">;
+  projectRoleDAL: Pick<TProjectRoleDALFactory, "find">;
   kmsService: Pick<
     TKmsServiceFactory,
     | "updateProjectSecretManagerKmsKey"
@@ -106,7 +104,6 @@ type TProjectServiceFactoryDep = {
     | "getProjectSecretManagerKmsKeyId"
     | "deleteInternalKms"
   >;
-  projectTemplateService: TProjectTemplateServiceFactory;
 };
 
 export type TProjectServiceFactory = ReturnType<typeof projectServiceFactory>;
@@ -137,8 +134,7 @@ export const projectServiceFactory = ({
   kmsService,
   projectBotDAL,
   projectSlackConfigDAL,
-  slackIntegrationDAL,
-  projectTemplateService
+  slackIntegrationDAL
 }: TProjectServiceFactoryDep) => {
   /*
    * Create workspace. Make user the admin
@@ -152,8 +148,7 @@ export const projectServiceFactory = ({
     slug: projectSlug,
     kmsKeyId,
     tx: trx,
-    createDefaultEnvs = true,
-    template = InfisicalProjectTemplate.Default
+    createDefaultEnvs = true
   }: TCreateProjectDTO) => {
     const organization = await orgDAL.findOne({ id: actorOrgId });
 
@@ -188,21 +183,6 @@ export const projectServiceFactory = ({
         }
       }
 
-      let projectTemplate: Awaited<ReturnType<typeof projectTemplateService.findProjectTemplateByName>> | null = null;
-
-      switch (template) {
-        case InfisicalProjectTemplate.Default:
-          projectTemplate = null;
-          break;
-        default:
-          projectTemplate = await projectTemplateService.findProjectTemplateByName(template, {
-            id: actorId,
-            orgId: organization.id,
-            type: actor,
-            authMethod: actorAuthMethod
-          });
-      }
-
       const project = await projectDAL.create(
         {
           name: workspaceName,
@@ -230,24 +210,7 @@ export const projectServiceFactory = ({
 
       // set default environments and root folder for provided environments
       let envs: TProjectEnvironments[] = [];
-      if (projectTemplate) {
-        envs = await projectEnvDAL.insertMany(
-          projectTemplate.environments.map((env) => ({ ...env, projectId: project.id })),
-          tx
-        );
-        await folderDAL.insertMany(
-          envs.map(({ id }) => ({ name: ROOT_FOLDER_NAME, envId: id, version: 1 })),
-          tx
-        );
-        await projectRoleDAL.insertMany(
-          projectTemplate.packedRoles.map((role) => ({
-            ...role,
-            permissions: JSON.stringify(role.permissions),
-            projectId: project.id
-          })),
-          tx
-        );
-      } else if (createDefaultEnvs) {
+      if (createDefaultEnvs) {
         envs = await projectEnvDAL.insertMany(
           DEFAULT_PROJECT_ENVS.map((el, i) => ({ ...el, projectId: project.id, position: i + 1 })),
           tx

backend/src/services/project/project-types.ts

@@ -32,7 +32,6 @@ export type TCreateProjectDTO = {
   slug?: string;
   kmsKeyId?: string;
   createDefaultEnvs?: boolean;
-  template?: string;
   tx?: Knex;
 };
 

backend/src/services/secret-folder/secret-folder-dal.ts

@@ -6,7 +6,6 @@ import { BadRequestError, DatabaseError } from "@app/lib/errors";
 import { groupBy, removeTrailingSlash } from "@app/lib/fn";
 import { ormify, selectAllTableCols } from "@app/lib/knex";
 import { OrderByDirection } from "@app/lib/types";
-import { isValidSecretPath } from "@app/lib/validator";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 
 import { TFindFoldersDeepByParentIdsDTO } from "./secret-folder-types";
@@ -215,12 +214,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
   const secretFolderOrm = ormify(db, TableName.SecretFolder);
 
   const findBySecretPath = async (projectId: string, environment: string, path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const folder = await sqlFindFolderByPathQuery(
         tx || db.replicaNode(),
@@ -243,12 +236,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
 
   // finds folders by path for multiple envs
   const findBySecretPathMultiEnv = async (projectId: string, environments: string[], path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const pathDepth = removeTrailingSlash(path).split("/").filter(Boolean).length + 1;
 
@@ -280,12 +267,6 @@ export const secretFolderDALFactory = (db: TDbClient) => {
   // even if its the original given /path1/path2
   // it will stop automatically at /path2
   const findClosestFolder = async (projectId: string, environment: string, path: string, tx?: Knex) => {
-    const isValidPath = isValidSecretPath(path);
-    if (!isValidPath)
-      throw new BadRequestError({
-        message: "Invalid secret path. Only alphanumeric characters, dashes, and underscores are allowed."
-      });
-
     try {
       const folder = await sqlFindFolderByPathQuery(
         tx || db.replicaNode(),

backend/src/services/secret-folder/secret-folder-service.ts

@@ -7,7 +7,7 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretSnapshotServiceFactory } from "@app/ee/services/secret-snapshot/secret-snapshot-service";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { OrderByDirection, OrgServiceActor } from "@app/lib/types";
+import { OrderByDirection, ProjectServiceActor } from "@app/lib/types";
 
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
@@ -514,7 +514,7 @@ export const secretFolderServiceFactory = ({
 
   const getFoldersDeepByEnvs = async (
     { projectId, environments, secretPath }: TGetFoldersDeepByEnvsDTO,
-    actor: OrgServiceActor
+    actor: ProjectServiceActor
   ) => {
     // folder list is allowed to be read by anyone
     // permission to check does user have access

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -361,10 +361,6 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
               void bd.whereILike(`${TableName.SecretV2}.key`, `%${filters?.search}%`);
             }
           }
-
-          if (filters?.keys) {
-            void bd.whereIn(`${TableName.SecretV2}.key`, filters.keys);
-          }
         })
         .where((bd) => {
           void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -10,9 +10,9 @@ import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretV2BridgeDALFactory } from "./secret-v2-bridge-dal";
 import { TFnSecretBulkDelete, TFnSecretBulkInsert, TFnSecretBulkUpdate } from "./secret-v2-bridge-types";
 
-const INTERPOLATION_SYNTAX_REG = /\${([a-zA-Z0-9-_.]+)}/g;
+const INTERPOLATION_SYNTAX_REG = /\${([^}]+)}/g;
 // akhilmhdh: JS regex with global save state in .test
-const INTERPOLATION_SYNTAX_REG_NON_GLOBAL = /\${([a-zA-Z0-9-_.]+)}/;
+const INTERPOLATION_SYNTAX_REG_NON_GLOBAL = /\${([^}]+)}/;
 
 export const shouldUseSecretV2Bridge = (version: number) => version === 3;
 
@@ -518,10 +518,7 @@ export const expandSecretReferencesFactory = ({
           }
 
           if (referencedSecretValue) {
-            expandedValue = expandedValue.replaceAll(
-              interpolationSyntax,
-              () => referencedSecretValue // prevents special characters from triggering replacement patterns
-            );
+            expandedValue = expandedValue.replaceAll(interpolationSyntax, referencedSecretValue);
           }
         }
       }

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -150,13 +150,9 @@ export const secretV2BridgeServiceFactory = ({
       }
     });
 
-    if (
-      referredSecrets.length !==
-      new Set(references.map(({ secretKey, secretPath, environment }) => `${secretKey}.${secretPath}.${environment}`))
-        .size // only count unique references
-    )
+    if (referredSecrets.length !== references.length)
       throw new BadRequestError({
-        message: `Referenced secret(s) not found: ${diff(
+        message: `Referenced secret not found. Found only ${diff(
           references.map((el) => el.secretKey),
           referredSecrets.map((el) => el.key)
         ).join(",")}`

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -33,7 +33,6 @@ export type TGetSecretsDTO = {
   offset?: number;
   limit?: number;
   search?: string;
-  keys?: string[];
 } & TProjectPermission;
 
 export type TGetASecretDTO = {
@@ -295,7 +294,6 @@ export type TFindSecretsByFolderIdsFilter = {
   search?: string;
   tagSlugs?: string[];
   includeTagsInSearch?: boolean;
-  keys?: string[];
 };
 
 export type TGetSecretsRawByFolderMappingsDTO = {

backend/src/services/secret/secret-service.ts

@@ -27,7 +27,7 @@ import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/
 import { groupBy, pick } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { OrgServiceActor } from "@app/lib/types";
+import { ProjectServiceActor } from "@app/lib/types";
 import { TGetSecretsRawByFolderMappingsDTO } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { ActorType } from "../auth/auth-type";
@@ -2849,7 +2849,7 @@ export const secretServiceFactory = ({
 
   const getSecretsRawByFolderMappings = async (
     params: Omit<TGetSecretsRawByFolderMappingsDTO, "userId">,
-    actor: OrgServiceActor
+    actor: ProjectServiceActor
   ) => {
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(params.projectId);
 

backend/src/services/secret/secret-types.ts

@@ -185,7 +185,6 @@ export type TGetSecretsRawDTO = {
   offset?: number;
   limit?: number;
   search?: string;
-  keys?: string[];
 } & TProjectPermission;
 
 export type TGetASecretRawDTO = {

backend/src/services/smtp/smtp-service.ts

@@ -77,5 +77,21 @@ export const smtpServiceFactory = (cfg: TSmtpConfig) => {
     }
   };
 
-  return { sendMail };
+  const verify = async () => {
+    const isConnected = smtp
+      .verify()
+      .then(async () => {
+        logger.info("SMTP connected");
+        return true;
+      })
+      .catch((err: Error) => {
+        logger.error("SMTP error");
+        logger.error(err);
+        return false;
+      });
+
+    return isConnected;
+  };
+
+  return { sendMail, verify };
 };

backend/src/services/super-admin/super-admin-service.ts

@@ -10,10 +10,7 @@ import { BadRequestError, NotFoundError } from "@app/lib/errors";
 
 import { TAuthLoginFactory } from "../auth/auth-login-service";
 import { AuthMethod } from "../auth/auth-type";
-import { KMS_ROOT_CONFIG_UUID } from "../kms/kms-fns";
-import { TKmsRootConfigDALFactory } from "../kms/kms-root-config-dal";
 import { TKmsServiceFactory } from "../kms/kms-service";
-import { RootKeyEncryptionStrategy } from "../kms/kms-types";
 import { TOrgServiceFactory } from "../org/org-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TSuperAdminDALFactory } from "./super-admin-dal";
@@ -23,8 +20,7 @@ type TSuperAdminServiceFactoryDep = {
   serverCfgDAL: TSuperAdminDALFactory;
   userDAL: TUserDALFactory;
   authService: Pick<TAuthLoginFactory, "generateUserTokens">;
-  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
-  kmsRootConfigDAL: TKmsRootConfigDALFactory;
+  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey">;
   orgService: Pick<TOrgServiceFactory, "createOrganization">;
   keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">;
@@ -51,7 +47,6 @@ export const superAdminServiceFactory = ({
   authService,
   orgService,
   keyStore,
-  kmsRootConfigDAL,
   kmsService,
   licenseService
 }: TSuperAdminServiceFactoryDep) => {
@@ -293,70 +288,12 @@ export const superAdminServiceFactory = ({
     };
   };
 
-  const getConfiguredEncryptionStrategies = async () => {
-    const appCfg = getConfig();
-
-    const kmsRootCfg = await kmsRootConfigDAL.findById(KMS_ROOT_CONFIG_UUID);
-
-    if (!kmsRootCfg) {
-      throw new NotFoundError({ name: "KmsRootConfig", message: "KMS root configuration not found" });
-    }
-
-    const selectedStrategy = kmsRootCfg.encryptionStrategy;
-    const enabledStrategies: { enabled: boolean; strategy: RootKeyEncryptionStrategy }[] = [];
-
-    if (appCfg.ROOT_ENCRYPTION_KEY || appCfg.ENCRYPTION_KEY) {
-      const basicStrategy = RootKeyEncryptionStrategy.Software;
-
-      enabledStrategies.push({
-        enabled: selectedStrategy === basicStrategy,
-        strategy: basicStrategy
-      });
-    }
-    if (appCfg.isHsmConfigured) {
-      const hsmStrategy = RootKeyEncryptionStrategy.HSM;
-
-      enabledStrategies.push({
-        enabled: selectedStrategy === hsmStrategy,
-        strategy: hsmStrategy
-      });
-    }
-
-    return {
-      strategies: enabledStrategies
-    };
-  };
-
-  const updateRootEncryptionStrategy = async (strategy: RootKeyEncryptionStrategy) => {
-    if (!licenseService.onPremFeatures.hsm) {
-      throw new BadRequestError({
-        message: "Failed to update encryption strategy due to plan restriction. Upgrade to Infisical's Enterprise plan."
-      });
-    }
-
-    const configuredStrategies = await getConfiguredEncryptionStrategies();
-
-    const foundStrategy = configuredStrategies.strategies.find((s) => s.strategy === strategy);
-
-    if (!foundStrategy) {
-      throw new BadRequestError({ message: "Invalid encryption strategy" });
-    }
-
-    if (foundStrategy.enabled) {
-      throw new BadRequestError({ message: "The selected encryption strategy is already enabled" });
-    }
-
-    await kmsService.updateEncryptionStrategy(strategy);
-  };
-
   return {
     initServerCfg,
     updateServerCfg,
     adminSignUp,
     getUsers,
     deleteUser,
-    getAdminSlackConfig,
-    updateRootEncryptionStrategy,
-    getConfiguredEncryptionStrategies
+    getAdminSlackConfig
   };
 };

cli/packages/api/model.go

@@ -136,8 +136,8 @@ type GetOrganizationsResponse struct {
 }
 
 type SelectOrganizationResponse struct {
-	Token      string `json:"token"`
-	MfaEnabled bool   `json:"isMfaEnabled"`
+	Token string `json:"token"`
+	MfaEnabled bool `json:"isMfaEnabled"`
 }
 
 type SelectOrganizationRequest struct {

cli/packages/cmd/login.go

@@ -532,7 +532,7 @@ func askForDomain() error {
 	const (
 		INFISICAL_CLOUD_US = "Infisical Cloud (US Region)"
 		INFISICAL_CLOUD_EU = "Infisical Cloud (EU Region)"
-		SELF_HOSTING       = "Self-Hosting or Dedicated Instance"
+		SELF_HOSTING       = "Self-Hosting"
 		ADD_NEW_DOMAIN     = "Add a new domain"
 	)
 

docker-compose.prod.yml

@@ -69,4 +69,4 @@ volumes:
     driver: local
 
 networks:
-  infisical:
+  infisical:

docs/api-reference/endpoints/project-templates/create.mdx

@@ -1,8 +0,0 @@
----
-title: "Create"
-openapi: "POST /api/v1/project-templates"
----
-
-<Note>
-  You can read more about the role's permissions field in the [permissions documentation](/internals/permissions).
-</Note>

docs/api-reference/endpoints/project-templates/delete.mdx

@@ -1,4 +0,0 @@
----
-title: "Delete"
-openapi: "DELETE /api/v1/project-templates/{templateId}"
----

docs/api-reference/endpoints/project-templates/get-by-id.mdx

@@ -1,4 +0,0 @@
----
-title: "Get By ID"
-openapi: "GET /api/v1/project-templates/{templateId}"
----

docs/api-reference/endpoints/project-templates/list.mdx

@@ -1,4 +0,0 @@
----
-title: "List"
-openapi: "GET /api/v1/project-templates"
----

docs/api-reference/endpoints/project-templates/update.mdx

@@ -1,8 +0,0 @@
----
-title: "Update"
-openapi: "PATCH /api/v1/project-templates/{templateId}"
----
-
-<Note>
-  You can read more about the role's permissions field in the [permissions documentation](/internals/permissions).
-</Note>

docs/cli/overview.mdx

@@ -9,7 +9,7 @@ You can use it across various environments, whether it's local development, CI/C
 ## Installation
 
 <Tabs>
-  <Tab title="MacOS">
+   <Tab title="MacOS">
   	Use [brew](https://brew.sh/) package manager
 
     	```bash
@@ -21,8 +21,9 @@ You can use it across various environments, whether it's local development, CI/C
     	```bash
     	brew update && brew upgrade infisical
     	```
-  </Tab>
-  <Tab title="Windows">
+
+   </Tab>
+   <Tab title="Windows">
       Use [Scoop](https://scoop.sh/) package manager
 
     		```bash
@@ -39,20 +40,7 @@ You can use it across various environments, whether it's local development, CI/C
     		scoop update infisical
     		```
 
-  </Tab>
-  <Tab title="NPM">
-      Use [NPM](https://www.npmjs.com/) package manager
-
-    	```bash
-      npm install -g @infisical/cli
-    	```
-
-    	### Updates
-
-    	```bash
-    	npm update -g @infisical/cli
-    	```
-  </Tab>
+   </Tab>
 	 <Tab title="Alpine">
 	 Install prerequisite
 		```bash

docs/documentation/platform/dynamic-secrets/ldap.mdx

@@ -10,253 +10,143 @@ The Infisical LDAP dynamic secret allows you to generate user credentials on dem
 1. Create a user with the necessary permissions to create users in your LDAP server.
 2. Ensure your LDAP server is reachable via Infisical instance.
 
-## Create LDAP Credentials
+## Set up Dynamic Secrets with LDAP
 
-<Tabs>
-  <Tab title="Dynamic">
-    <Steps>
-      <Step title="Open Secret Overview Dashboard">
-        Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
-      </Step>
-      <Step title="Click on the 'Add Dynamic Secret' button">
-      ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
-      </Step>
-      <Step title="Select 'LDAP'">
-      ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-ldap-select.png)
-      </Step>
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+	Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+	![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select 'LDAP'">
+	![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-ldap-select.png)
+  </Step>
 
-      <Step title="Provide the inputs for dynamic secret parameters">
-        <ParamField path="Secret Name" type="string" required>
-          Name by which you want the secret to be referenced
-        </ParamField>
+    <Step title="Provide the inputs for dynamic secret parameters">
+    <ParamField path="Secret Name" type="string" required>
+    	Name by which you want the secret to be referenced
+    </ParamField>
 
-        <ParamField path="Default TTL" type="string" required>
-          Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
-        </ParamField>
+    <ParamField path="Default TTL" type="string" required>
+    	Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
+    </ParamField>
 
-        <ParamField path="Max TTL" type="string" required>
-          Maximum time-to-live for a generated secret.
-        </ParamField>
+    <ParamField path="Max TTL" type="string" required>
+    	Maximum time-to-live for a generated secret.
+    </ParamField>
 
-        <ParamField path="URL" type="string" required>
-          LDAP url to connect to. _(Example: ldap://your-ldap-ip:389 or ldaps://domain:636)_
-        </ParamField>
+    <ParamField path="URL" type="string" required>
+    	LDAP url to connect to. _(Example: ldap://your-ldap-ip:389 or ldaps://domain:636)_
+    </ParamField>
 
-        <ParamField path="BIND DN" type="string" required>
-            DN to bind to. This should have permissions to create a new users.
-        </ParamField>
+    <ParamField path="BIND DN" type="string" required>
+        DN to bind to. This should have permissions to create a new users.
+    </ParamField>
 
-        <ParamField path="BIND Password" type="string" required>
-            Password for the given DN.
-        </ParamField>
+    <ParamField path="BIND Password" type="string" required>
+        Password for the given DN.
+    </ParamField>
 
-        <ParamField path="CA" type="text">
-          CA certificate to use for TLS in case of a secure connection.
-        </ParamField>
+    <ParamField path="CA" type="text">
+    	CA certificate to use for TLS in case of a secure connection.
+    </ParamField>
 
-        <ParamField path="Credential Type" type="enum">
-          The type of LDAP credential - select Dynamic.
-        </ParamField>
+    <ParamField path="Creation LDIF" type="text" required>
+    	LDIF to run while creating a user in LDAP. This can include extra steps to assign the user to groups or set permissions.
+        Here `{{Username}}`, `{{Password}}` and `{{EncodedPassword}}` are templatized variables for the username and password generated by the dynamic secret.
 
-        <ParamField path="Creation LDIF" type="text" required>
-          LDIF to run while creating a user in LDAP. This can include extra steps to assign the user to groups or set permissions.
-            Here `{{Username}}`, `{{Password}}` and `{{EncodedPassword}}` are templatized variables for the username and password generated by the dynamic secret.
+        `{{EncodedPassword}}` is the encoded password required for the `unicodePwd` field in Active Directory as described [here](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password).
 
-            `{{EncodedPassword}}` is the encoded password required for the `unicodePwd` field in Active Directory as described [here](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password).
+        **OpenLDAP** Example:
+        ```
+        dn: uid={{Username}},dc=infisical,dc=com
+        changetype: add
+        objectClass: top
+        objectClass: person
+        objectClass: organizationalPerson
+        objectClass: inetOrgPerson
+        cn: John Doe
+        sn: Doe
+        uid: jdoe
+        mail: jdoe@infisical.com
+        userPassword: {{Password}}
+        ```
 
-            **OpenLDAP** Example:
-            ```
-            dn: uid={{Username}},dc=infisical,dc=com
-            changetype: add
-            objectClass: top
-            objectClass: person
-            objectClass: organizationalPerson
-            objectClass: inetOrgPerson
-            cn: John Doe
-            sn: Doe
-            uid: jdoe
-            mail: jdoe@infisical.com
-            userPassword: {{Password}}
-            ```
+        **Active Directory** Example:
+        ```
+        dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
+        changetype: add
+        objectClass: top
+        objectClass: person
+        objectClass: organizationalPerson
+        objectClass: user
+        userPrincipalName: {{Username}}@infisical.com
+        sAMAccountName: {{Username}}
+        unicodePwd::{{EncodedPassword}}
+        userAccountControl: 66048
 
-            **Active Directory** Example:
-            ```
-            dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
-            changetype: add
-            objectClass: top
-            objectClass: person
-            objectClass: organizationalPerson
-            objectClass: user
-            userPrincipalName: {{Username}}@infisical.com
-            sAMAccountName: {{Username}}
-            unicodePwd::{{EncodedPassword}}
-            userAccountControl: 66048
+        dn: CN=test-group,OU=Test Create,DC=infisical,DC=com
+        changetype: modify
+        add: member
+        member:  CN={{Username}},OU=Test Create,DC=infisical,DC=com
+        -
+        ```
+    </ParamField>
 
-            dn: CN=test-group,OU=Test Create,DC=infisical,DC=com
-            changetype: modify
-            add: member
-            member:  CN={{Username}},OU=Test Create,DC=infisical,DC=com
-            -
-            ```
-        </ParamField>
+    <ParamField path="Revocation LDIF" type="text" required>
+    	LDIF to run while revoking a user in LDAP. This can include extra steps to remove the user from groups or set permissions.
+        Here `{{Username}}` is a templatized variable for the username generated by the dynamic secret.
 
-        <ParamField path="Revocation LDIF" type="text" required>
-          LDIF to run while revoking a user in LDAP. This can include extra steps to remove the user from groups or set permissions.
-            Here `{{Username}}` is a templatized variable for the username generated by the dynamic secret.
+        **OpenLDAP / Active Directory** Example:
+        ```
+        dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
+        changetype: delete
+        ```
+    </ParamField>
 
-            **OpenLDAP / Active Directory** Example:
-            ```
-            dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
-            changetype: delete
-            ```
-        </ParamField>
+    <ParamField path="Rollback LDIF" type="text">
+    	LDIF to run incase Creation LDIF fails midway. 
 
-        <ParamField path="Rollback LDIF" type="text">
-          LDIF to run incase Creation LDIF fails midway.
+        For the creation example shown above, if the user is created successfully but not added to a group, this LDIF can be used to remove the user.
+        Here `{{Username}}`, `{{Password}}` and `{{EncodedPassword}}` are templatized variables for the username generated by the dynamic secret.
 
-            For the creation example shown above, if the user is created successfully but not added to a group, this LDIF can be used to remove the user.
-            Here `{{Username}}`, `{{Password}}` and `{{EncodedPassword}}` are templatized variables for the username generated by the dynamic secret.
+        **OpenLDAP / Active Directory** Example:
+        ```
+        dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
+        changetype: delete
+        ```
+    </ParamField>
 
-            **OpenLDAP / Active Directory** Example:
-            ```
-            dn: CN={{Username}},OU=Test Create,DC=infisical,DC=com
-            changetype: delete
-            ```
-        </ParamField>
-      </Step>
+</Step>
 
-      <Step title="Click `Submit`">
-        After submitting the form, you will see a dynamic secret created in the dashboard.
-      </Step>
-      <Step title="Generate dynamic secrets">
-      Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
-      To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
-      Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+  <Step title="Click `Submit`">
+  	After submitting the form, you will see a dynamic secret created in the dashboard. 
+  </Step>
+  <Step title="Generate dynamic secrets">
+	Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. 
+	To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. 
+	Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
 
-        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate-redis.png)
-        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty-redis.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate-redis.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty-redis.png)
 
-        When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate  how long the credentials are valid for.
+    When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate  how long the credentials are valid for.
 
-        ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+    ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
 
-        <Tip>
-          Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
-        </Tip>
+    <Tip>
+    	Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
+    </Tip>
 
 
-        Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you with an array of DN's altered depending on the Creation LDIF.
+    Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you with an array of DN's altered depending on the Creation LDIF.
 
-        ![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-ldap-lease.png)
-     </Step>
+    ![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-ldap-lease.png)
 
-    </Steps>
+  </Step>
 
-  </Tab>
-  <Tab title="Static">
-    <Steps>
-      <Step title="Open Secret Overview Dashboard">
-        Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
-      </Step>
-      <Step title="Click on the 'Add Dynamic Secret' button">
-      ![Add Dynamic Secret Button](../../../images/platform/dynamic-secrets/add-dynamic-secret-button.png)
-      </Step>
-      <Step title="Select 'LDAP'">
-      ![Dynamic Secret Modal](../../../images/platform/dynamic-secrets/dynamic-secret-ldap-select.png)
-      </Step>
-
-      <Step title="Provide the inputs for dynamic secret parameters">
-        <ParamField path="Secret Name" type="string" required>
-          Name by which you want the secret to be referenced
-        </ParamField>
-
-        <ParamField path="Default TTL" type="string" required>
-          Default time-to-live for a generated secret (it is possible to modify this value when a secret is generate)
-        </ParamField>
-
-        <ParamField path="Max TTL" type="string" required>
-          Maximum time-to-live for a generated secret.
-        </ParamField>
-
-        <ParamField path="URL" type="string" required>
-          LDAP url to connect to. _(Example: ldap://your-ldap-ip:389 or ldaps://domain:636)_
-        </ParamField>
-
-        <ParamField path="BIND DN" type="string" required>
-            DN to bind to. This should have permissions to create a new users.
-        </ParamField>
-
-        <ParamField path="BIND Password" type="string" required>
-            Password for the given DN.
-        </ParamField>
-
-        <ParamField path="CA" type="text">
-          CA certificate to use for TLS in case of a secure connection.
-        </ParamField>
-
-        <ParamField path="Credential Type" type="enum">
-          The type of LDAP credential - select Static.
-        </ParamField>
-
-        <ParamField path="Rotation LDIF" type="text" required>
-            LDIF to run for rotating the credentals of an LDAP user. This can include extra LDAP steps based on your needs.
-            Here `{{Password}}` and `{{EncodedPassword}}` are templatized variables for the password generated by the dynamic secret.
-
-            Note that the `-` characters and the empty lines found at the end of the examples are necessary based on the LDIF format.
-
-            **OpenLDAP** Example:
-            ```
-            dn: cn=sheencaps capadngan,ou=people,dc=acme,dc=com
-            changetype: modify
-            replace: userPassword
-            password: {{Password}}
-            -
-
-            ```
-
-            **Active Directory** Example:
-            ```
-            dn: cn=sheencaps capadngan,ou=people,dc=acme,dc=com
-            changetype: modify
-            replace: unicodePwd
-            unicodePwd::{{EncodedPassword}}
-            -
-
-            ```
-            `{{EncodedPassword}}` is the encoded password required for the `unicodePwd` field in Active Directory as described [here](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/change-windows-active-directory-user-password).
-
-        </ParamField>
-      </Step>
-
-      <Step title="Click `Submit`">
-        After submitting the form, you will see a dynamic secret created in the dashboard.
-      </Step>
-      <Step title="Generate dynamic secrets">
-      Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials.
-      To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
-      Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
-
-        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate-redis.png)
-        ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty-redis.png)
-
-        When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate  how long the credentials are valid for.
-
-        ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
-
-        <Tip>
-          Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
-        </Tip>
-
-
-        Once you click the `Submit` button, a new secret lease will be generated and the credentials from it will be shown to you with an array of DN's altered depending on the Creation LDIF.
-
-        ![Provision Lease](/images/platform/dynamic-secrets/dynamic-secret-ldap-lease.png)
-     </Step>
-
-    </Steps>
-
-  </Tab>
-</Tabs>
+</Steps>
 
 ## Active Directory Integration