improvement: update styling and overflow for audit log filter

FIX: SAN extension field in certificate issuance

.github/workflows/run-backend-tests.yml

@@ -16,16 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-
-
-      - name: Free up disk space
-        run: |
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf "/usr/local/share/boost"
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          docker system prune -af
-          
       - name: ☁️ Checkout source
         uses: actions/checkout@v3
       - uses: KengoTODA/actions-setup-docker-compose@v1
@@ -44,11 +34,6 @@ jobs:
         working-directory: backend
       - name: Start postgres and redis
         run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
-      - name: Login to Oracle Container Registry
-        run: echo "${{ secrets.ORACLE_DOCKER_REGISTRY_PASSWORD }}" | docker login container-registry.oracle.com -u "${{ secrets.ORACLE_DOCKER_REGISTRY_USERNAME }}" --password-stdin
-
-      - name: Start Secret Rotation testing databases
-        run: docker compose -f docker-compose.e2e-dbs.yml up -d --wait --wait-timeout 300
       - name: Run unit test
         run: npm run test:unit
         working-directory: backend

backend/e2e-test/mocks/queue.ts

@@ -0,0 +1,34 @@
+import { TQueueServiceFactory } from "@app/queue";
+
+export const mockQueue = (): TQueueServiceFactory => {
+  const queues: Record<string, unknown> = {};
+  const workers: Record<string, unknown> = {};
+  const job: Record<string, unknown> = {};
+  const events: Record<string, unknown> = {};
+
+  return {
+    queue: async (name, jobData) => {
+      job[name] = jobData;
+    },
+    queuePg: async () => {},
+    schedulePg: async () => {},
+    initialize: async () => {},
+    shutdown: async () => undefined,
+    stopRepeatableJob: async () => true,
+    start: (name, jobFn) => {
+      queues[name] = jobFn;
+      workers[name] = jobFn;
+    },
+    startPg: async () => {},
+    listen: (name, event) => {
+      events[name] = event;
+    },
+    getRepeatableJobs: async () => [],
+    getDelayedJobs: async () => [],
+    clearQueue: async () => {},
+    stopJobById: async () => {},
+    stopJobByIdPg: async () => {},
+    stopRepeatableJobByJobId: async () => true,
+    stopRepeatableJobByKey: async () => true
+  };
+};

backend/e2e-test/routes/v3/secret-rotations.spec.ts

@@ -1,706 +0,0 @@
-/* eslint-disable no-promise-executor-return */
-/* eslint-disable no-await-in-loop */
-import knex from "knex";
-import { v4 as uuidv4 } from "uuid";
-
-import { seedData1 } from "@app/db/seed-data";
-
-enum SecretRotationType {
-  OracleDb = "oracledb",
-  MySQL = "mysql",
-  Postgres = "postgres"
-}
-
-type TGenericSqlCredentials = {
-  host: string;
-  port: number;
-  username: string;
-  password: string;
-  database: string;
-};
-
-type TSecretMapping = {
-  username: string;
-  password: string;
-};
-
-type TDatabaseUserCredentials = {
-  username: string;
-};
-
-const formatSqlUsername = (username: string) => `${username}_${uuidv4().slice(0, 8).replace(/-/g, "").toUpperCase()}`;
-
-const getSecretValue = async (secretKey: string) => {
-  const passwordSecret = await testServer.inject({
-    url: `/api/v3/secrets/raw/${secretKey}`,
-    method: "GET",
-    query: {
-      workspaceId: seedData1.projectV3.id,
-      environment: seedData1.environment.slug
-    },
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(passwordSecret.statusCode).toBe(200);
-  expect(passwordSecret.json().secret).toBeDefined();
-
-  const passwordSecretJson = JSON.parse(passwordSecret.payload);
-
-  return passwordSecretJson.secret.secretValue as string;
-};
-
-const deleteSecretRotation = async (id: string, type: SecretRotationType) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    query: {
-      deleteSecrets: "true",
-      revokeGeneratedCredentials: "true"
-    },
-    url: `/api/v2/secret-rotations/${type}-credentials/${id}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-};
-
-const deleteAppConnection = async (id: string, type: SecretRotationType) => {
-  const res = await testServer.inject({
-    method: "DELETE",
-    url: `/api/v1/app-connections/${type}/${id}`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    }
-  });
-
-  expect(res.statusCode).toBe(200);
-};
-
-const createOracleDBAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createOracleDBAppConnectionReqBody = {
-    credentials: {
-      database: credentials.database,
-      host: credentials.host,
-      username: credentials.username,
-      password: credentials.password,
-      port: credentials.port,
-      sslEnabled: true,
-      sslRejectUnauthorized: true
-    },
-    name: `oracle-db-${uuidv4()}`,
-    description: "Test OracleDB App Connection",
-    gatewayId: null,
-    isPlatformManagedCredentials: false,
-    method: "username-and-password"
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/oracledb`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createOracleDBAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createMySQLAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createMySQLAppConnectionReqBody = {
-    name: `mysql-test-${uuidv4()}`,
-    description: "test-mysql",
-    gatewayId: null,
-    method: "username-and-password",
-    credentials: {
-      host: credentials.host,
-      port: credentials.port,
-      database: credentials.database,
-      username: credentials.username,
-      password: credentials.password,
-      sslEnabled: false,
-      sslRejectUnauthorized: true
-    }
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/mysql`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createMySQLAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createPostgresAppConnection = async (credentials: TGenericSqlCredentials) => {
-  const createPostgresAppConnectionReqBody = {
-    credentials: {
-      host: credentials.host,
-      port: credentials.port,
-      database: credentials.database,
-      username: credentials.username,
-      password: credentials.password,
-      sslEnabled: false,
-      sslRejectUnauthorized: true
-    },
-    name: `postgres-test-${uuidv4()}`,
-    description: "test-postgres",
-    gatewayId: null,
-    method: "username-and-password"
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v1/app-connections/postgres`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createPostgresAppConnectionReqBody
-  });
-
-  const json = JSON.parse(res.payload);
-
-  expect(res.statusCode).toBe(200);
-  expect(json.appConnection).toBeDefined();
-
-  return json.appConnection.id as string;
-};
-
-const createOracleInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "oracledb",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000,
-      ssl: {
-        // @ts-expect-error - this is a valid property for the ssl object
-        sslServerDNMatch: true
-      }
-    }
-  });
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, don't create it
-    const existingUser = await client.raw(`SELECT * FROM all_users WHERE username = '${username}'`);
-
-    if (!existingUser.length) {
-      await client.raw(`CREATE USER ${username} IDENTIFIED BY "temporary_password"`);
-    }
-    await client.raw(`GRANT ALL PRIVILEGES TO ${username} WITH ADMIN OPTION`);
-  }
-
-  await client.destroy();
-};
-
-const createMySQLInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "mysql2",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000
-    }
-  });
-
-  // Fix: Ensure root has GRANT OPTION privileges
-  try {
-    await client.raw("GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;");
-    await client.raw("FLUSH PRIVILEGES;");
-  } catch (error) {
-    // Ignore if already has privileges
-  }
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, dont create it
-
-    const existingUser = await client.raw(`SELECT * FROM mysql.user WHERE user = '${username}'`);
-
-    if (!existingUser[0].length) {
-      await client.raw(`CREATE USER '${username}'@'%' IDENTIFIED BY 'temporary_password';`);
-    }
-
-    await client.raw(`GRANT ALL PRIVILEGES ON \`${credentials.database}\`.* TO '${username}'@'%';`);
-    await client.raw("FLUSH PRIVILEGES;");
-  }
-
-  await client.destroy();
-};
-
-const createPostgresInfisicalUsers = async (
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[]
-) => {
-  const client = knex({
-    client: "pg",
-    connection: {
-      database: credentials.database,
-      port: credentials.port,
-      host: credentials.host,
-      user: credentials.username,
-      password: credentials.password,
-      connectionTimeoutMillis: 10000
-    }
-  });
-
-  for await (const { username } of userCredentials) {
-    // check if user exists, and if it does, don't create it
-    const existingUser = await client.raw("SELECT * FROM pg_catalog.pg_user WHERE usename = ?", [username]);
-
-    if (!existingUser.rows.length) {
-      await client.raw(`CREATE USER "${username}" WITH PASSWORD 'temporary_password'`);
-    }
-
-    await client.raw("GRANT ALL PRIVILEGES ON DATABASE ?? TO ??", [credentials.database, username]);
-  }
-
-  await client.destroy();
-};
-
-const createOracleDBSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createOracleInfisicalUsers(credentials, userCredentials);
-
-  const createOracleDBSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-oracle-${uuidv4()}`,
-    description: "Test OracleDB Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5, // 5 seconds for testing
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/oracledb-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createOracleDBSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-const createMySQLSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createMySQLInfisicalUsers(credentials, userCredentials);
-
-  const createMySQLSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-mysql-rotation-${uuidv4()}`,
-    description: "Test MySQL Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5,
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/mysql-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createMySQLSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-const createPostgresSecretRotation = async (
-  appConnectionId: string,
-  credentials: TGenericSqlCredentials,
-  userCredentials: TDatabaseUserCredentials[],
-  secretMapping: TSecretMapping
-) => {
-  const now = new Date();
-  const rotationTime = new Date(now.getTime() - 2 * 60 * 1000); // 2 minutes ago
-
-  await createPostgresInfisicalUsers(credentials, userCredentials);
-
-  const createPostgresSecretRotationReqBody = {
-    parameters: userCredentials.reduce(
-      (acc, user, index) => {
-        acc[`username${index + 1}`] = user.username;
-        return acc;
-      },
-      {} as Record<string, string>
-    ),
-    secretsMapping: {
-      username: secretMapping.username,
-      password: secretMapping.password
-    },
-    name: `test-postgres-rotation-${uuidv4()}`,
-    description: "Test Postgres Secret Rotation",
-    secretPath: "/",
-    isAutoRotationEnabled: true,
-    rotationInterval: 5,
-    rotateAtUtc: {
-      hours: rotationTime.getUTCHours(),
-      minutes: rotationTime.getUTCMinutes()
-    },
-    connectionId: appConnectionId,
-    environment: seedData1.environment.slug,
-    projectId: seedData1.projectV3.id
-  };
-
-  const res = await testServer.inject({
-    method: "POST",
-    url: `/api/v2/secret-rotations/postgres-credentials`,
-    headers: {
-      authorization: `Bearer ${jwtAuthToken}`
-    },
-    body: createPostgresSecretRotationReqBody
-  });
-
-  expect(res.statusCode).toBe(200);
-  expect(res.json().secretRotation).toBeDefined();
-
-  return res;
-};
-
-describe("Secret Rotations", async () => {
-  const testCases = [
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (8.4.6) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3306
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (8.0.29) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3307
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.MySQL,
-      name: "MySQL (5.7.31) Secret Rotation",
-      dbCredentials: {
-        database: "mysql-test",
-        host: "127.0.0.1",
-        username: "root",
-        password: "mysql-test",
-        port: 3308
-      },
-      secretMapping: {
-        username: formatSqlUsername("MYSQL_USERNAME"),
-        password: formatSqlUsername("MYSQL_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("MYSQL_USER_1")
-        },
-        {
-          username: formatSqlUsername("MYSQL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.OracleDb,
-      name: "OracleDB (23.8) Secret Rotation",
-      dbCredentials: {
-        database: "FREEPDB1",
-        host: "127.0.0.1",
-        username: "system",
-        password: "pdb-password",
-        port: 1521
-      },
-      secretMapping: {
-        username: formatSqlUsername("ORACLEDB_USERNAME"),
-        password: formatSqlUsername("ORACLEDB_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    // {
-    //   type: SecretRotationType.OracleDb,
-    //   name: "OracleDB (19.3) Secret Rotation",
-    //   dbCredentials: {
-    //     database: "ORCLPDB1",
-    //     host: "127.0.0.1",
-    //     username: "system",
-    //     password: "OrCAKF112aaSfAdfdA2Ac3@@!",
-    //     port: 1522
-    //   },
-    //   secretMapping: {
-    //     username: formatSqlUsername("ORACLEDB_USERNAME"),
-    //     password: formatSqlUsername("ORACLEDB_PASSWORD")
-    //   },
-    //   userCredentials: [
-    //     {
-    //       username: formatSqlUsername("INFISICAL_USER_1")
-    //     },
-    //     {
-    //       username: formatSqlUsername("INFISICAL_USER_2")
-    //     }
-    //   ]
-    // },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (17) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5433
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (16) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5434
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    },
-    {
-      type: SecretRotationType.Postgres,
-      name: "Postgres (10.12) Secret Rotation",
-      dbCredentials: {
-        database: "postgres-test",
-        host: "127.0.0.1",
-        username: "postgres-test",
-        password: "postgres-test",
-        port: 5435
-      },
-      secretMapping: {
-        username: formatSqlUsername("POSTGRES_USERNAME"),
-        password: formatSqlUsername("POSTGRES_PASSWORD")
-      },
-      userCredentials: [
-        {
-          username: formatSqlUsername("INFISICAL_USER_1")
-        },
-        {
-          username: formatSqlUsername("INFISICAL_USER_2")
-        }
-      ]
-    }
-  ] as {
-    type: SecretRotationType;
-    name: string;
-    dbCredentials: TGenericSqlCredentials;
-    secretMapping: TSecretMapping;
-    userCredentials: TDatabaseUserCredentials[];
-  }[];
-
-  const createAppConnectionMap = {
-    [SecretRotationType.OracleDb]: createOracleDBAppConnection,
-    [SecretRotationType.MySQL]: createMySQLAppConnection,
-    [SecretRotationType.Postgres]: createPostgresAppConnection
-  };
-
-  const createRotationMap = {
-    [SecretRotationType.OracleDb]: createOracleDBSecretRotation,
-    [SecretRotationType.MySQL]: createMySQLSecretRotation,
-    [SecretRotationType.Postgres]: createPostgresSecretRotation
-  };
-
-  const appConnectionIds: { id: string; type: SecretRotationType }[] = [];
-  const secretRotationIds: { id: string; type: SecretRotationType }[] = [];
-
-  afterAll(async () => {
-    for (const { id, type } of secretRotationIds) {
-      await deleteSecretRotation(id, type);
-    }
-
-    for (const { id, type } of appConnectionIds) {
-      await deleteAppConnection(id, type);
-    }
-  });
-
-  test.concurrent.each(testCases)(
-    "Create secret rotation for $name",
-    async ({ dbCredentials, secretMapping, userCredentials, type }) => {
-      const appConnectionId = await createAppConnectionMap[type](dbCredentials);
-
-      if (appConnectionId) {
-        appConnectionIds.push({ id: appConnectionId, type });
-      }
-
-      const res = await createRotationMap[type](appConnectionId, dbCredentials, userCredentials, secretMapping);
-
-      const resJson = JSON.parse(res.payload);
-
-      if (resJson.secretRotation) {
-        secretRotationIds.push({ id: resJson.secretRotation.id, type });
-      }
-
-      const startSecretValue = await getSecretValue(secretMapping.password);
-      expect(startSecretValue).toBeDefined();
-
-      let attempts = 0;
-      while (attempts < 60) {
-        const currentSecretValue = await getSecretValue(secretMapping.password);
-
-        if (currentSecretValue !== startSecretValue) {
-          break;
-        }
-
-        attempts += 1;
-        await new Promise((resolve) => setTimeout(resolve, 2_500));
-      }
-
-      if (attempts >= 60) {
-        throw new Error("Secret rotation failed to rotate after 60 attempts");
-      }
-
-      const finalSecretValue = await getSecretValue(secretMapping.password);
-      expect(finalSecretValue).not.toBe(startSecretValue);
-    },
-    {
-      timeout: 300_000
-    }
-  );
-});

backend/e2e-test/vitest-environment-knex.ts

@@ -18,7 +18,6 @@ import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
 import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
-import { bootstrapCheck } from "@app/server/boot-strap-check";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -64,8 +63,6 @@ export default {
       const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
       const keyStore = keyStoreFactory(envCfg);
 
-      await queue.initialize();
-
       const hsmModule = initializeHsmModule(envCfg);
       hsmModule.initialize();
 
@@ -81,13 +78,9 @@ export default {
         envConfig: envCfg
       });
 
-      await bootstrapCheck({ db });
-
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
-      globalThis.testQueue = queue;
-      // @ts-expect-error type
       globalThis.testSuperAdminDAL = superAdminDAL;
       // @ts-expect-error type
       globalThis.jwtAuthToken = crypto.jwt().sign(
@@ -112,8 +105,6 @@ export default {
     // custom setup
     return {
       async teardown() {
-        // @ts-expect-error type
-        await globalThis.testQueue.shutdown();
         // @ts-expect-error type
         await globalThis.testServer.close();
         // @ts-expect-error type
@@ -121,9 +112,7 @@ export default {
         // @ts-expect-error type
         delete globalThis.testSuperAdminDAL;
         // @ts-expect-error type
-        delete globalThis.jwtAuthToken;
-        // @ts-expect-error type
-        delete globalThis.testQueue;
+        delete globalThis.jwtToken;
         // called after all tests with this env have been run
         await db.migrate.rollback(
           {

backend/src/db/migrations/20250725144940_fix-secret-reminders-migration.ts

@@ -2,7 +2,7 @@
 import { Knex } from "knex";
 
 import { chunkArray } from "@app/lib/fn";
-import { initLogger, logger } from "@app/lib/logger";
+import { logger } from "@app/lib/logger";
 
 import { TableName } from "../schemas";
 import { TReminders, TRemindersInsert } from "../schemas/reminders";
@@ -107,6 +107,5 @@ export async function up(knex: Knex): Promise<void> {
 }
 
 export async function down(): Promise<void> {
-  initLogger();
   logger.info("Rollback not implemented for secret reminders fix migration");
 }

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -9,7 +9,7 @@ import { getDbConnectionHost } from "@app/lib/knex";
 export const verifyHostInputValidity = async (host: string, isGateway = false) => {
   const appCfg = getConfig();
 
-  if (appCfg.isDevelopmentMode || appCfg.isTestMode) return [host];
+  if (appCfg.isDevelopmentMode) return [host];
 
   if (isGateway) return [host];
 

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -31,7 +31,7 @@ export const getDefaultOnPremFeatures = () => {
     caCrl: false,
     sshHostGroups: false,
     enterpriseSecretSyncs: false,
-    enterpriseAppConnections: true,
+    enterpriseAppConnections: false,
     machineIdentityAuthTemplates: false
   };
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -2,7 +2,6 @@ import { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
 import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret";
@@ -14,11 +13,9 @@ import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
 import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
-import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
-import { TSecretRotationV2ServiceFactory, TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
+import { TSecretRotationV2ServiceFactoryDep } from "./secret-rotation-v2-service";
 import {
-  TSecretRotationRotateSecretsJobPayload,
   TSecretRotationV2,
   TSecretRotationV2GeneratedCredentials,
   TSecretRotationV2ListItem,
@@ -77,10 +74,6 @@ export const getNextUtcRotationInterval = (rotateAtUtc?: TSecretRotationV2["rota
   const appCfg = getConfig();
 
   if (appCfg.isRotationDevelopmentMode) {
-    if (appCfg.isTestMode) {
-      // if its test mode, it should always rotate
-      return new Date(Date.now() + 365 * 24 * 60 * 60 * 1000); // Current time + 1 year
-    }
     return getNextUTCMinuteInterval(rotateAtUtc);
   }
 
@@ -270,51 +263,3 @@ export const throwOnImmutableParameterUpdate = (
     // do nothing
   }
 };
-
-export const rotateSecretsFns = async ({
-  job,
-  secretRotationV2DAL,
-  secretRotationV2Service
-}: {
-  job: {
-    data: TSecretRotationRotateSecretsJobPayload;
-    id: string;
-    retryCount: number;
-    retryLimit: number;
-  };
-  secretRotationV2DAL: Pick<TSecretRotationV2DALFactory, "findById">;
-  secretRotationV2Service: Pick<TSecretRotationV2ServiceFactory, "rotateGeneratedCredentials">;
-}) => {
-  const { rotationId, queuedAt, isManualRotation } = job.data;
-  const { retryCount, retryLimit } = job;
-
-  const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
-
-  try {
-    const secretRotation = await secretRotationV2DAL.findById(rotationId);
-
-    if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
-
-    if (!secretRotation.isAutoRotationEnabled) {
-      logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
-    }
-
-    if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
-      // rotated since being queued, skip rotation
-      logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
-      return;
-    }
-
-    await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
-      jobId: job.id,
-      shouldSendNotification: true,
-      isFinalAttempt: retryCount === retryLimit,
-      isManualRotation
-    });
-
-    logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
-  } catch (error) {
-    logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
-    throw error;
-  }
-};

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-queue.ts

@@ -1,12 +1,9 @@
-import { v4 as uuidv4 } from "uuid";
-
 import { ProjectMembershipRole } from "@app/db/schemas";
 import { TSecretRotationV2DALFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-dal";
 import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
 import {
   getNextUtcRotationInterval,
-  getSecretRotationRotateSecretJobOptions,
-  rotateSecretsFns
+  getSecretRotationRotateSecretJobOptions
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-fns";
 import { SECRET_ROTATION_NAME_MAP } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-maps";
 import { TSecretRotationV2ServiceFactory } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-service";
@@ -66,34 +63,14 @@ export const secretRotationV2QueueServiceFactory = async ({
               rotation.lastRotatedAt
             ).toISOString()}] [rotateAt=${new Date(rotation.nextRotationAt!).toISOString()}]`
           );
-
-          const data = {
-            rotationId: rotation.id,
-            queuedAt: currentTime
-          } as TSecretRotationRotateSecretsJobPayload;
-
-          if (appCfg.isTestMode) {
-            logger.warn("secretRotationV2Queue: Manually rotating secrets for test mode");
-            await rotateSecretsFns({
-              job: {
-                id: uuidv4(),
-                data,
-                retryCount: 0,
-                retryLimit: 0
-              },
-              secretRotationV2DAL,
-              secretRotationV2Service
-            });
-          } else {
-            await queueService.queuePg(
-              QueueJobs.SecretRotationV2RotateSecrets,
-              {
-                rotationId: rotation.id,
-                queuedAt: currentTime
-              },
-              getSecretRotationRotateSecretJobOptions(rotation)
-            );
-          }
+          await queueService.queuePg(
+            QueueJobs.SecretRotationV2RotateSecrets,
+            {
+              rotationId: rotation.id,
+              queuedAt: currentTime
+            },
+            getSecretRotationRotateSecretJobOptions(rotation)
+          );
         }
       } catch (error) {
         logger.error(error, "secretRotationV2Queue: Queue Rotations Error:");
@@ -110,14 +87,38 @@ export const secretRotationV2QueueServiceFactory = async ({
   await queueService.startPg<QueueName.SecretRotationV2>(
     QueueJobs.SecretRotationV2RotateSecrets,
     async ([job]) => {
-      await rotateSecretsFns({
-        job: {
-          ...job,
-          data: job.data as TSecretRotationRotateSecretsJobPayload
-        },
-        secretRotationV2DAL,
-        secretRotationV2Service
-      });
+      const { rotationId, queuedAt, isManualRotation } = job.data as TSecretRotationRotateSecretsJobPayload;
+      const { retryCount, retryLimit } = job;
+
+      const logDetails = `[rotationId=${rotationId}] [jobId=${job.id}] retryCount=[${retryCount}/${retryLimit}]`;
+
+      try {
+        const secretRotation = await secretRotationV2DAL.findById(rotationId);
+
+        if (!secretRotation) throw new Error(`Secret rotation ${rotationId} not found`);
+
+        if (!secretRotation.isAutoRotationEnabled) {
+          logger.info(`secretRotationV2Queue: Skipping Rotation - Auto-Rotation Disabled Since Queue ${logDetails}`);
+        }
+
+        if (new Date(secretRotation.lastRotatedAt).getTime() >= new Date(queuedAt).getTime()) {
+          // rotated since being queued, skip rotation
+          logger.info(`secretRotationV2Queue: Skipping Rotation - Rotated Since Queue ${logDetails}`);
+          return;
+        }
+
+        await secretRotationV2Service.rotateGeneratedCredentials(secretRotation, {
+          jobId: job.id,
+          shouldSendNotification: true,
+          isFinalAttempt: retryCount === retryLimit,
+          isManualRotation
+        });
+
+        logger.info(`secretRotationV2Queue: Secrets Rotated ${logDetails}`);
+      } catch (error) {
+        logger.error(error, `secretRotationV2Queue: Failed to Rotate Secrets ${logDetails}`);
+        throw error;
+      }
     },
     {
       batchSize: 1,

backend/src/lib/config/env.ts

@@ -346,9 +346,7 @@ const envSchema = z
     isSmtpConfigured: Boolean(data.SMTP_HOST),
     isRedisConfigured: Boolean(data.REDIS_URL || data.REDIS_SENTINEL_HOSTS),
     isDevelopmentMode: data.NODE_ENV === "development",
-    isTestMode: data.NODE_ENV === "test",
-    isRotationDevelopmentMode:
-      (data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE) || data.NODE_ENV === "test",
+    isRotationDevelopmentMode: data.NODE_ENV === "development" && data.ROTATION_DEVELOPMENT_MODE,
     isProductionMode: data.NODE_ENV === "production" || IS_PACKAGED,
     isRedisSentinelMode: Boolean(data.REDIS_SENTINEL_HOSTS),
     REDIS_SENTINEL_HOSTS: data.REDIS_SENTINEL_HOSTS?.trim()

backend/src/services/certificate-authority/certificate-authority-validators.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { isValidIp } from "@app/lib/ip";
 import { isFQDN } from "@app/lib/validator/validate-url";
+import { TAltNameMapping, TAltNameType } from "@app/services/certificate/certificate-types";
 
 const isValidDate = (dateString: string) => {
   const date = new Date(dateString);
@@ -56,3 +57,19 @@ export const validateAltNamesField = z
       message: "Each alt name must be a valid hostname, email address, IP address or URL"
     }
   );
+
+export const validateAndMapAltNameType = (name: string): TAltNameMapping | null => {
+  if (isFQDN(name, { allow_wildcard: true, require_tld: false })) {
+    return { type: TAltNameType.DNS, value: name };
+  }
+  if (z.string().url().safeParse(name).success) {
+    return { type: TAltNameType.URL, value: name };
+  }
+  if (z.string().email().safeParse(name).success) {
+    return { type: TAltNameType.EMAIL, value: name };
+  }
+  if (isValidIp(name)) {
+    return { type: TAltNameType.IP, value: name };
+  }
+  return null;
+};

backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts

@@ -1,7 +1,6 @@
 /* eslint-disable no-bitwise */
 import * as x509 from "@peculiar/x509";
 import RE2 from "re2";
-import { z } from "zod";
 
 import { TCertificateTemplates, TPkiSubscribers } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
@@ -9,7 +8,6 @@ import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TCertificateSecretDALFactory } from "@app/services/certificate/certificate-secret-dal";
@@ -17,7 +15,8 @@ import {
   CertExtendedKeyUsage,
   CertKeyAlgorithm,
   CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "@app/services/certificate/certificate-types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -34,6 +33,7 @@ import {
 } from "../certificate-authority-fns";
 import { TCertificateAuthoritySecretDALFactory } from "../certificate-authority-secret-dal";
 import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";
 
 type TInternalCertificateAuthorityFnsDeps = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
@@ -152,27 +152,15 @@ export const InternalCertificateAuthorityFns = ({
       extensions.push(extendedKeyUsagesExtension);
     }
 
-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
 
     if (subscriber.subjectAlternativeNames?.length) {
       altNamesArray = subscriber.subjectAlternativeNames.map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
         }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
       });
 
       const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -426,27 +414,15 @@ export const InternalCertificateAuthorityFns = ({
       );
     }
 
-    let altNamesArray: { type: "email" | "dns" | "ip" | "url"; value: string }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
 
     if (altNames) {
       altNamesArray = altNames.split(",").map((altName) => {
-        if (z.string().email().safeParse(altName).success) {
-          return { type: "email", value: altName };
+        const altNameType = validateAndMapAltNameType(altName);
+        if (!altNameType) {
+          throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
         }
-
-        if (isFQDN(altName, { allow_wildcard: true, require_tld: false })) {
-          return { type: "dns", value: altName };
-        }
-
-        if (z.string().url().safeParse(altName).success) {
-          return { type: "url", value: altName };
-        }
-
-        if (z.string().ip().safeParse(altName).success) {
-          return { type: "ip", value: altName };
-        }
-
-        throw new BadRequestError({ message: `Invalid SAN entry: ${altName}` });
+        return altNameType;
       });
 
       const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);

backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts

@@ -2,7 +2,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import slugify from "@sindresorhus/slugify";
-import { z } from "zod";
 
 import { ActionProjectType, TableName, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -18,7 +17,6 @@ import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { isFQDN } from "@app/lib/validator/validate-url";
 import { TCertificateBodyDALFactory } from "@app/services/certificate/certificate-body-dal";
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -34,7 +32,8 @@ import {
   CertExtendedKeyUsageOIDToName,
   CertKeyAlgorithm,
   CertKeyUsage,
-  CertStatus
+  CertStatus,
+  TAltNameMapping
 } from "../../certificate/certificate-types";
 import { TCertificateTemplateDALFactory } from "../../certificate-template/certificate-template-dal";
 import { validateCertificateDetailsAgainstTemplate } from "../../certificate-template/certificate-template-fns";
@@ -69,6 +68,7 @@ import {
   TSignIntermediateDTO,
   TUpdateCaDTO
 } from "./internal-certificate-authority-types";
+import { validateAndMapAltNameType } from "../certificate-authority-validators";
 
 type TInternalCertificateAuthorityServiceFactoryDep = {
   certificateAuthorityDAL: Pick<
@@ -1364,34 +1364,18 @@ export const internalCertificateAuthorityServiceFactory = ({
       );
     }
 
-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
 
     if (altNames) {
       altNamesArray = altNames
         .split(",")
         .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
           }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
         });
 
       const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
@@ -1766,34 +1750,22 @@ export const internalCertificateAuthorityServiceFactory = ({
     }
 
     let altNamesFromCsr: string = "";
-    let altNamesArray: {
-      type: "email" | "dns";
-      value: string;
-    }[] = [];
+    let altNamesArray: TAltNameMapping[] = [];
+
     if (altNames) {
       altNamesArray = altNames
         .split(",")
         .map((name) => name.trim())
-        .map((altName) => {
-          // check if the altName is a valid email
-          if (z.string().email().safeParse(altName).success) {
-            return {
-              type: "email",
-              value: altName
-            };
+        .map((altName): TAltNameMapping => {
+          const altNameType = validateAndMapAltNameType(altName);
+          if (!altNameType) {
+            throw new Error(`Invalid altName: ${altName}`);
           }
-
-          // check if the altName is a valid hostname
-          if (isFQDN(altName, { allow_wildcard: true })) {
-            return {
-              type: "dns",
-              value: altName
-            };
-          }
-
-          // If altName is neither a valid email nor a valid hostname, throw an error or handle it accordingly
-          throw new Error(`Invalid altName: ${altName}`);
+          return altNameType;
         });
+
+      const altNamesExtension = new x509.SubjectAlternativeNameExtension(altNamesArray, false);
+      extensions.push(altNamesExtension);
     } else {
       // attempt to read from CSR if altNames is not explicitly provided
       const sanExtension = csrObj.extensions.find((ext) => ext.type === "2.5.29.17");
@@ -1801,11 +1773,16 @@ export const internalCertificateAuthorityServiceFactory = ({
         const sanNames = new x509.GeneralNames(sanExtension.value);
 
         altNamesArray = sanNames.items
-          .filter((value) => value.type === "email" || value.type === "dns")
-          .map((name) => ({
-            type: name.type as "email" | "dns",
-            value: name.value
-          }));
+          .filter(
+            (value) => value.type === "email" || value.type === "dns" || value.type === "url" || value.type === "ip"
+          )
+          .map((name): TAltNameMapping => {
+            const altNameType = validateAndMapAltNameType(name.value);
+            if (!altNameType) {
+              throw new Error(`Invalid altName from CSR: ${name.value}`);
+            }
+            return altNameType;
+          });
 
         altNamesFromCsr = sanNames.items.map((item) => item.value).join(",");
       }

backend/src/services/certificate/certificate-types.ts

@@ -104,3 +104,14 @@ export type TGetCertificateCredentialsDTO = {
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
+
+export enum TAltNameType {
+  EMAIL = "email",
+  DNS = "dns",
+  IP = "ip",
+  URL = "url"
+}
+export type TAltNameMapping = {
+  type: TAltNameType;
+  value: string;
+};

docker-compose.e2e-dbs.yml

@@ -1,183 +0,0 @@
-version: '3.8'
-
-services:
-  # Oracle Databases
-  oracle-db-23.8:
-    image: container-registry.oracle.com/database/free:23.8.0.0
-    container_name: oracle-db-23.8
-    ports:
-      - "1521:1521"
-    environment:
-      - ORACLE_PDB=pdb
-      - ORACLE_PWD=pdb-password
-    volumes:
-      - oracle-data-23.8:/opt/oracle/oradata
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "sqlplus", "-L", "system/pdb-password@//localhost:1521/FREEPDB1", "<<<", "SELECT 1 FROM DUAL;"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-  # Oracle DB 19.3 is MASSIVE and takes up a lot of compute in github actions...
-  # oracle-db-19.3:
-  #   # Official Oracle 19.19.0.0 - requires docker login container-registry.oracle.com
-  #   image: container-registry.oracle.com/database/enterprise:19.3.0.0
-  #   container_name: oracle-db-19.3
-  #   platform: linux/amd64
-  #   ports:
-  #     - "1522:1521"
-  #   environment:
-  #     - ORACLE_SID=ORCLCDB
-  #     - ORACLE_PDB=ORCLPDB1
-  #     - ORACLE_PWD=OrCAKF112aaSfAdfdA2Ac3@@!
-  #     - ORACLE_EDITION=enterprise
-  #     - ORACLE_CHARACTERSET=AL32UTF8
-  #   volumes:
-  #     - oracle-data-19.3:/opt/oracle/oradata
-  #   shm_size: 2gb
-  #   restart: unless-stopped
-  #   healthcheck:
-  #     test: ["CMD", "sqlplus", "-L", "system/OrCAKF112aaSfAdfdA2Ac3@@!@//localhost:1521/ORCLCDB", "<<<", "SELECT 1 FROM DUAL;"]
-  #     interval: 10s
-  #     timeout: 10s
-  #     retries: 30
-  #     start_period: 30s
-
-  # MySQL Databases
-  mysql-8.4.6:
-    image: mysql:8.4.6
-    container_name: mysql-8.4.6
-    ports:
-      - "3306:3306"
-    environment:
-      - MYSQL_ROOT_PASSWORD=mysql-test
-      - MYSQL_DATABASE=mysql-test
-      - MYSQL_ROOT_HOST=% 
-      - MYSQL_USER=mysql-test
-      - MYSQL_PASSWORD=mysql-test
-    volumes:
-      - mysql-data-8.4.6:/var/lib/mysql
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-  mysql-8.0.29:
-    image: mysql:8.0.29
-    container_name: mysql-8.0.28
-    ports:
-      - "3307:3306"
-    environment:
-      - MYSQL_ROOT_PASSWORD=mysql-test
-      - MYSQL_DATABASE=mysql-test
-      - MYSQL_ROOT_HOST=%
-      - MYSQL_USER=mysql-test
-      - MYSQL_PASSWORD=mysql-test
-    volumes:
-      - mysql-data-8.0.29:/var/lib/mysql
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-  mysql-5.7.31:
-    image: mysql:5.7.31
-    container_name: mysql-5.7.31
-    platform: linux/amd64
-    ports:
-      - "3308:3306"
-    environment:
-      - MYSQL_ROOT_PASSWORD=mysql-test
-      - MYSQL_DATABASE=mysql-test
-      - MYSQL_ROOT_HOST=%
-      - MYSQL_USER=mysql-test
-      - MYSQL_PASSWORD=mysql-test
-    volumes:
-      - mysql-data-5.7.31:/var/lib/mysql
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "mysql-test", "-pmysql-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-
-  # PostgreSQL Databases
-  postgres-17:
-    image: postgres:17
-    platform: linux/amd64
-    container_name: postgres-17
-    ports:
-      - "5433:5432"
-    environment:
-      - POSTGRES_DB=postgres-test
-      - POSTGRES_USER=postgres-test
-      - POSTGRES_PASSWORD=postgres-test
-    volumes:
-      - postgres-data-17:/var/lib/postgresql/data
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-  postgres-16:
-    image: postgres:16
-    platform: linux/amd64
-    container_name: postgres-16
-    ports:
-      - "5434:5432"
-    environment:
-      - POSTGRES_DB=postgres-test
-      - POSTGRES_USER=postgres-test
-      - POSTGRES_PASSWORD=postgres-test
-    volumes:
-      - postgres-data-16:/var/lib/postgresql/data
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-  postgres-10.12:
-    image: postgres:10.12
-    platform: linux/amd64
-    container_name: postgres-10.12
-    ports:
-      - "5435:5432"
-    environment:
-      - POSTGRES_DB=postgres-test
-      - POSTGRES_USER=postgres-test
-      - POSTGRES_PASSWORD=postgres-test
-    volumes:
-      - postgres-data-10.12:/var/lib/postgresql/data
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres-test -d postgres-test"]
-      interval: 10s
-      timeout: 10s
-      retries: 30
-      start_period: 30s
-
-volumes:
-  oracle-data-23.8:
-  # oracle-data-19.3:
-  mysql-data-8.4.6:
-  mysql-data-8.0.29:
-  mysql-data-5.7.31:
-  postgres-data-17:
-  postgres-data-16:
-  postgres-data-10.12:

docs/documentation/platform/secret-rotation/azure-client-secret.mdx

@@ -6,6 +6,7 @@ description: "Learn how to automatically rotate Azure Client Secrets."
 ## Prerequisites
 
 - Create an [Azure Client Secret Connection](/integrations/app-connections/azure-client-secrets).
+- Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create an Azure Client Secret Rotation in Infisical
 

docs/documentation/platform/secret-rotation/ldap-password.mdx

@@ -14,6 +14,7 @@ description: "Learn how to automatically rotate LDAP passwords."
 ## Prerequisites
 
 - Create an [LDAP Connection](/integrations/app-connections/ldap) with the **Secret Rotation** requirements
+- Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create an LDAP Password Rotation in Infisical
 

docs/documentation/platform/secret-rotation/mssql-credentials.mdx

@@ -30,6 +30,7 @@ An example creation statement might look like:
     To learn more about Microsoft SQL Server's permission system, please visit their [documentation](https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-transact-sql?view=sql-server-ver16).
 </Tip>
 
+3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create a Microsoft SQL Server Credentials Rotation in Infisical
 

docs/documentation/platform/secret-rotation/mysql-credentials.mdx

@@ -25,7 +25,7 @@ description: "Learn how to automatically rotate MySQL credentials."
     <Tip>
         To learn more about the MySQL permission system, please visit their [documentation](https://dev.mysql.com/doc/refman/8.4/en/grant.html).
     </Tip>
-
+3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create a MySQL Credentials Rotation in Infisical
 

docs/documentation/platform/secret-rotation/oracledb-credentials.mdx

@@ -31,6 +31,7 @@ description: "Learn how to automatically rotate Oracle Database credentials."
         To learn more about the Oracle Database permission system, please visit their [documentation](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/configuring-privilege-and-role-authorization.html).
     </Tip>
 
+3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create an Oracle Database Credentials Rotation in Infisical
 

docs/documentation/platform/secret-rotation/postgres-credentials.mdx

@@ -27,6 +27,7 @@ description: "Learn how to automatically rotate PostgreSQL credentials."
         To learn more about PostgreSQL's permission system, please visit their [documentation](https://www.postgresql.org/docs/current/sql-grant.html).
     </Tip>
 
+3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
 
 ## Create a PostgreSQL Credentials Rotation in Infisical
 

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
         - Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Sync** permissions
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/aws-secrets-manager.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure an AWS Secrets Manager Sync for Infisical."
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
         - Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Sync** permissions
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/azure-app-configuration.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure an Azure App Configuration Sync for Infisic
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
         - Create an [Azure App Configuration Connection](/integrations/app-connections/azure-app-configuration)
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Note>
   The Azure App Configuration Secret Sync requires the following permissions to be set on the user / service principal

docs/integrations/secret-syncs/azure-devops.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure a Azure DevOps Sync for Infisical."
 
 - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
 - Create an [Azure DevOps Connection](/integrations/app-connections/azure-devops)
+- Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/azure-key-vault.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure a Azure Key Vault Sync for Infisical."
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
         - Create an [Azure Key Vault Connection](/integrations/app-connections/azure-key-vault)
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Note>
   The Azure Key Vault Secret Sync requires the following secrets permissions to be set on the user / service principal

docs/integrations/secret-syncs/gcp-secret-manager.mdx

@@ -11,6 +11,7 @@ description: "Learn how to configure a GCP Secret Manager Sync for Infisical."
             ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-resource-manager-api.png)
             ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-secret-manager-api.png)
             ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-service-usage-api.png)
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/github.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure a GitHub Sync for Infisical."
 
         - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
         - Create a [GitHub Connection](/integrations/app-connections/github)
+        - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/gitlab.mdx

@@ -7,6 +7,7 @@ description: "Learn how to configure a GitLab Sync for Infisical."
 
     - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
     - Create a [GitLab Connection](/integrations/app-connections/gitlab)
+    - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

docs/integrations/secret-syncs/oci-vault.mdx

@@ -14,6 +14,7 @@ description: "Learn how to configure an Oracle Cloud Infrastructure Vault Sync f
 - Create an [OCI Connection](/integrations/app-connections/oci) with the required **Secret Sync** permissions
 - [Create](https://docs.oracle.com/en-us/iaas/Content/Identity/compartments/To_create_a_compartment.htm) or use an existing OCI Compartment (which the OCI Connection is authorized to access)
 - [Create](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults_topic-To_create_a_new_vault.htm#createnewvault) or use an existing OCI Vault
+- Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
 
 <Tabs>
     <Tab title="Infisical UI">

frontend/src/pages/organization/AuditLogsPage/components/LogsFilter.tsx

@@ -119,7 +119,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
           )}
         </Button>
       </DropdownMenuTrigger>
-      <DropdownMenuContent align="end" className="mt-4 py-4">
+      <DropdownMenuContent align="end" className="mt-4 overflow-visible py-4">
         <form onSubmit={handleSubmit(setFilter)}>
           <div className="flex min-w-64 flex-col font-inter">
             <div className="mb-3 flex items-center border-b border-b-mineshaft-500 px-3 pb-2">
@@ -176,7 +176,8 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                           </div>
                         </DropdownMenuTrigger>
                         <DropdownMenuContent
-                          align="start"
+                          align="end"
+                          sideOffset={2}
                           className="thin-scrollbar z-[100] max-h-80 overflow-hidden"
                         >
                           <div className="max-h-80 overflow-y-auto">
@@ -258,6 +259,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                           else setValue("userAgentType", e as UserAgentType, { shouldDirty: true });
                         }}
                         className={twMerge("w-full border border-mineshaft-500 bg-mineshaft-700")}
+                        position="popper"
                       >
                         <SelectItem value="all" key="all">
                           All sources
@@ -319,7 +321,6 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
               <AnimatePresence initial={false}>
                 {showSecretsSection && (
                   <motion.div
-                    className="overflow-hidden"
                     initial={{ opacity: 0, height: 0 }}
                     animate={{ opacity: 1, height: "auto" }}
                     exit={{ opacity: 0, height: 0 }}
@@ -352,6 +353,7 @@ export const LogsFilter = ({ presets, setFilter, filter, project }: Props) => {
                           >
                             <FilterableSelect
                               value={value}
+                              menuPlacement="top"
                               key={value?.name || "filter-environment"}
                               isClearable
                               isDisabled={!selectedProject}