Merge pull request #1959 from Infisical/fix/resolved-cli-release-action

fix: resolved secret name mismatch for cli release action

.github/workflows/check-api-for-breaking-changes.yml

@@ -47,7 +47,7 @@ jobs:
       - name: Wait for container to be stable and check logs
         run: |
           SECONDS=0
- r        HEALTHY=0
+          HEALTHY=0
           while [ $SECONDS -lt 60 ]; do
             if docker ps | grep infisical-api | grep -q healthy; then
               echo "Container is healthy."

.github/workflows/release_build_infisical_cli.yml

@@ -22,6 +22,9 @@ jobs:
             CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
             CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
             CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+            CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
     goreleaser:
         runs-on: ubuntu-20.04

.github/workflows/run-cli-tests.yml

@@ -20,7 +20,12 @@ on:
                 required: true
             CLI_TESTS_ENV_SLUG:
                 required: true
-
+            CLI_TESTS_USER_EMAIL:
+                required: true
+            CLI_TESTS_USER_PASSWORD:
+                required: true
+            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE:
+                required: true
 jobs:
     test:
         defaults:
@@ -43,5 +48,8 @@ jobs:
                   CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
                   CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
                   CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+                  CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+                  CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+                  INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
 
               run: go test -v -count=1 ./test

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
+import { removeTrailingSlash } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -19,7 +20,11 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           workspaceId: z.string(),
           name: z.string().optional(),
           environment: z.string(),
-          secretPath: z.string().optional().nullable(),
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val)),
           approvers: z.string().array().min(1),
           approvals: z.number().min(1).default(1)
         })
@@ -63,7 +68,11 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
           name: z.string().optional(),
           approvers: z.string().array().min(1),
           approvals: z.number().min(1).default(1),
-          secretPath: z.string().optional().nullable()
+          secretPath: z
+            .string()
+            .optional()
+            .nullable()
+            .transform((val) => (val ? removeTrailingSlash(val) : val))
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
@@ -157,7 +166,7 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       querystring: z.object({
         workspaceId: z.string().trim(),
         environment: z.string().trim(),
-        secretPath: z.string().trim()
+        secretPath: z.string().trim().transform(removeTrailingSlash)
       }),
       response: {
         200: z.object({

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -77,7 +77,7 @@ type TLdapConfigServiceFactoryDep = {
   >;
   userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
 };
 
 export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
@@ -510,6 +510,7 @@ export const ldapConfigServiceFactory = ({
         return newUserAlias;
       });
     }
+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
 
     const user = await userDAL.transaction(async (tx) => {
       const newUser = await userDAL.findOne({ id: userAlias.userId }, tx);

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -50,7 +50,7 @@ type TSamlConfigServiceFactoryDep = {
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
   tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
   smtpService: Pick<TSmtpService, "sendMail">;
 };
@@ -449,6 +449,7 @@ export const samlConfigServiceFactory = ({
         return newUser;
       });
     }
+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
 
     const isUserCompleted = Boolean(user.isAccepted);
     const providerAuthToken = jwt.sign(

backend/src/ee/services/scim/scim-service.ts

@@ -379,7 +379,7 @@ export const scimServiceFactory = ({
           );
         }
       }
-
+      await licenseService.updateSubscriptionOrgMemberCount(org.id);
       return { user, orgMembership };
     });
 

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -4,6 +4,7 @@ import picomatch from "picomatch";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { containsGlobPatterns } from "@app/lib/picomatch";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -207,7 +208,8 @@ export const secretApprovalPolicyServiceFactory = ({
     return sapPolicies;
   };
 
-  const getSecretApprovalPolicy = async (projectId: string, environment: string, secretPath: string) => {
+  const getSecretApprovalPolicy = async (projectId: string, environment: string, path: string) => {
+    const secretPath = removeTrailingSlash(path);
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
     if (!env) throw new BadRequestError({ message: "Environment not found" });
 

backend/src/lib/api-docs/constants.ts

@@ -677,6 +677,8 @@ export const INTEGRATION = {
       secretAWSTag: "The tags for AWS secrets.",
       kmsKeyId: "The ID of the encryption key from AWS KMS.",
       shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store.",
+      shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
+      shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
       shouldEnableDelete: "The flag to enable deletion of secrets"
     }
   },

backend/src/lib/config/env.ts

@@ -39,7 +39,9 @@ const envSchema = z
     HTTPS_ENABLED: zodStrBool,
     // smtp options
     SMTP_HOST: zpStr(z.string().optional()),
-    SMTP_SECURE: zodStrBool,
+    SMTP_IGNORE_TLS: zodStrBool.default("false"),
+    SMTP_REQUIRE_TLS: zodStrBool.default("true"),
+    SMTP_TLS_REJECT_UNAUTHORIZED: zodStrBool.default("true"),
     SMTP_PORT: z.coerce.number().default(587),
     SMTP_USERNAME: zpStr(z.string().optional()),
     SMTP_PASSWORD: zpStr(z.string().optional()),
@@ -153,13 +155,20 @@ export const initEnvConfig = (logger: Logger) => {
   return envCfg;
 };
 
-export const formatSmtpConfig = () => ({
-  host: envCfg.SMTP_HOST,
-  port: envCfg.SMTP_PORT,
-  auth:
-    envCfg.SMTP_USERNAME && envCfg.SMTP_PASSWORD
-      ? { user: envCfg.SMTP_USERNAME, pass: envCfg.SMTP_PASSWORD }
-      : undefined,
-  secure: envCfg.SMTP_SECURE,
-  from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`
-});
+export const formatSmtpConfig = () => {
+  return {
+    host: envCfg.SMTP_HOST,
+    port: envCfg.SMTP_PORT,
+    auth:
+      envCfg.SMTP_USERNAME && envCfg.SMTP_PASSWORD
+        ? { user: envCfg.SMTP_USERNAME, pass: envCfg.SMTP_PASSWORD }
+        : undefined,
+    secure: envCfg.SMTP_PORT === 465,
+    from: `"${envCfg.SMTP_FROM_NAME}" <${envCfg.SMTP_FROM_ADDRESS}>`,
+    ignoreTLS: envCfg.SMTP_IGNORE_TLS,
+    requireTLS: envCfg.SMTP_REQUIRE_TLS,
+    tls: {
+      rejectUnauthorized: envCfg.SMTP_TLS_REJECT_UNAUTHORIZED
+    }
+  };
+};

backend/src/server/boot-strap-check.ts

@@ -5,7 +5,6 @@ import { createTransport } from "nodemailer";
 
 import { formatSmtpConfig, getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
-import { getTlsOption } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 
 type BootstrapOpt = {
@@ -44,7 +43,7 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
   console.info("Testing smtp connection");
 
   const smtpCfg = formatSmtpConfig();
-  await createTransport({ ...smtpCfg, ...getTlsOption(smtpCfg.host, smtpCfg.secure) })
+  await createTransport(smtpCfg)
     .verify()
     .then(async () => {
       console.info("SMTP successfully connected");

backend/src/services/auth/auth-signup-service.ts

@@ -231,7 +231,7 @@ export const authSignupServiceFactory = ({
 
     const accessToken = jwt.sign(
       {
-        authMethod: AuthMethod.EMAIL,
+        authMethod: authMethod || AuthMethod.EMAIL,
         authTokenType: AuthTokenType.ACCESS_TOKEN,
         userId: updateduser.info.id,
         tokenVersionId: tokenSession.id,
@@ -244,7 +244,7 @@ export const authSignupServiceFactory = ({
 
     const refreshToken = jwt.sign(
       {
-        authMethod: AuthMethod.EMAIL,
+        authMethod: authMethod || AuthMethod.EMAIL,
         authTokenType: AuthTokenType.REFRESH_TOKEN,
         userId: updateduser.info.id,
         tokenVersionId: tokenSession.id,

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -1921,13 +1921,13 @@ const syncSecretsGitLab = async ({
     return allEnvVariables;
   };
 
+  const metadata = IntegrationMetadataSchema.parse(integration.metadata);
   const allEnvVariables = await getAllEnvVariables(integration?.appId as string, accessToken);
   const getSecretsRes: GitLabSecret[] = allEnvVariables
     .filter((secret: GitLabSecret) => secret.environment_scope === integration.targetEnvironment)
     .filter((gitLabSecret) => {
       let isValid = true;
 
-      const metadata = z.record(z.any()).parse(integration.metadata);
       if (metadata.secretPrefix && !gitLabSecret.key.startsWith(metadata.secretPrefix)) {
         isValid = false;
       }
@@ -1947,8 +1947,8 @@ const syncSecretsGitLab = async ({
         {
           key,
           value: secrets[key].value,
-          protected: false,
-          masked: false,
+          protected: Boolean(metadata.shouldProtectSecrets),
+          masked: Boolean(metadata.shouldMaskSecrets),
           raw: false,
           environment_scope: integration.targetEnvironment
         },
@@ -1965,7 +1965,9 @@ const syncSecretsGitLab = async ({
         `${gitLabApiUrl}/v4/projects/${integration?.appId}/variables/${existingSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
         {
           ...existingSecret,
-          value: secrets[existingSecret.key].value
+          value: secrets[existingSecret.key].value,
+          protected: Boolean(metadata.shouldProtectSecrets),
+          masked: Boolean(metadata.shouldMaskSecrets)
         },
         {
           headers: {

backend/src/services/integration/integration-schema.ts

@@ -31,5 +31,7 @@ export const IntegrationMetadataSchema = z.object({
     .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
   kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
   shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete),
-  shouldEnableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldEnableDelete)
+  shouldEnableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldEnableDelete),
+  shouldMaskSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldMaskSecrets),
+  shouldProtectSecrets: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldProtectSecrets)
 });

backend/src/services/integration/integration-types.ts

@@ -29,6 +29,8 @@ export type TCreateIntegrationDTO = {
     }[];
     kmsKeyId?: string;
     shouldDisableDelete?: boolean;
+    shouldMaskSecrets?: boolean;
+    shouldProtectSecrets?: boolean;
     shouldEnableDelete?: boolean;
   };
 } & Omit<TProjectPermission, "projectId">;

backend/src/services/org/org-service.ts

@@ -336,6 +336,7 @@ export const orgServiceFactory = ({
       return org;
     });
 
+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
     return organization;
   };
 

backend/src/services/secret/secret-fns.ts

@@ -309,7 +309,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
   };
 
   const expandSecrets = async (
-    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>
+    secrets: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean | null }>
   ) => {
     const expandedSec: Record<string, string> = {};
     const interpolatedSec: Record<string, string> = {};
@@ -329,8 +329,8 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
         // should not do multi line encoding if user has set it to skip
         // eslint-disable-next-line
         secrets[key].value = secrets[key].skipMultilineEncoding
-          ? expandedSec[key]
-          : formatMultiValueEnv(expandedSec[key]);
+          ? formatMultiValueEnv(expandedSec[key])
+          : expandedSec[key];
         // eslint-disable-next-line
         continue;
       }
@@ -347,7 +347,7 @@ export const interpolateSecrets = ({ projectId, secretEncKey, secretDAL, folderD
       );
 
       // eslint-disable-next-line
-      secrets[key].value = secrets[key].skipMultilineEncoding ? expandedVal : formatMultiValueEnv(expandedVal);
+      secrets[key].value = secrets[key].skipMultilineEncoding ? formatMultiValueEnv(expandedVal) : expandedVal;
     }
 
     return secrets;
@@ -395,7 +395,8 @@ export const decryptSecretRaw = (
     type: secret.type,
     _id: secret.id,
     id: secret.id,
-    user: secret.userId
+    user: secret.userId,
+    skipMultilineEncoding: secret.skipMultilineEncoding
   };
 };
 

backend/src/services/secret/secret-queue.ts

@@ -1,4 +1,6 @@
 /* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
 import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
@@ -67,7 +69,10 @@ const MAX_SYNC_SECRET_DEPTH = 5;
 export const uniqueSecretQueueKey = (environment: string, secretPath: string) =>
   `secret-queue-dedupe-${environment}-${secretPath}`;
 
-type TIntegrationSecret = Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }>;
+type TIntegrationSecret = Record<
+  string,
+  { value: string; comment?: string; skipMultilineEncoding?: boolean | null | undefined }
+>;
 export const secretQueueFactory = ({
   queueService,
   integrationDAL,
@@ -567,11 +572,14 @@ export const secretQueueFactory = ({
           isSynced: true
         });
       } catch (err: unknown) {
-        logger.info("Secret integration sync error:", err);
+        logger.info("Secret integration sync error: %o", err);
+        const message =
+          err instanceof AxiosError ? JSON.stringify((err as AxiosError)?.response?.data) : (err as Error)?.message;
+
         await integrationDAL.updateById(integration.id, {
           lastSyncJobId: job.id,
           lastUsed: new Date(),
-          syncMessage: (err as Error)?.message,
+          syncMessage: message,
           isSynced: false
         });
       }

backend/src/services/secret/secret-service.ts

@@ -952,15 +952,49 @@ export const secretServiceFactory = ({
     });
 
     const decryptedSecrets = secrets.map((el) => decryptSecretRaw(el, botKey));
-    const decryptedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => ({
-      ...el,
-      secrets: importedSecrets.map((sec) =>
+    const processedImports = (imports || [])?.map(({ secrets: importedSecrets, ...el }) => {
+      const decryptedImportSecrets = importedSecrets.map((sec) =>
         decryptSecretRaw(
           { ...sec, environment: el.environment, workspace: projectId, secretPath: el.secretPath },
           botKey
         )
-      )
-    }));
+      );
+
+      // secret-override to handle duplicate keys from different import levels
+      // this prioritizes secret values from direct imports
+      const importedKeys = new Set<string>();
+      const importedEntries = decryptedImportSecrets.reduce(
+        (
+          accum: {
+            secretKey: string;
+            secretPath: string;
+            workspace: string;
+            environment: string;
+            secretValue: string;
+            secretComment: string;
+            version: number;
+            type: string;
+            _id: string;
+            id: string;
+            user: string | null | undefined;
+            skipMultilineEncoding: boolean | null | undefined;
+          }[],
+          sec
+        ) => {
+          if (!importedKeys.has(sec.secretKey)) {
+            importedKeys.add(sec.secretKey);
+            return [...accum, sec];
+          }
+          return accum;
+        },
+        []
+      );
+
+      return {
+        ...el,
+        secrets: importedEntries
+      };
+    });
 
     if (expandSecretReferences) {
       const expandSecrets = interpolateSecrets({
@@ -971,10 +1005,24 @@ export const secretServiceFactory = ({
       });
 
       const batchSecretsExpand = async (
-        secretBatch: { secretKey: string; secretValue: string; secretComment?: string; secretPath: string }[]
+        secretBatch: {
+          secretKey: string;
+          secretValue: string;
+          secretComment?: string;
+          secretPath: string;
+          skipMultilineEncoding: boolean | null | undefined;
+        }[]
       ) => {
         // Group secrets by secretPath
-        const secretsByPath: Record<string, { secretKey: string; secretValue: string; secretComment?: string }[]> = {};
+        const secretsByPath: Record<
+          string,
+          {
+            secretKey: string;
+            secretValue: string;
+            secretComment?: string;
+            skipMultilineEncoding: boolean | null | undefined;
+          }[]
+        > = {};
 
         secretBatch.forEach((secret) => {
           if (!secretsByPath[secret.secretPath]) {
@@ -990,11 +1038,15 @@ export const secretServiceFactory = ({
             continue;
           }
 
-          const secretRecord: Record<string, { value: string; comment?: string; skipMultilineEncoding?: boolean }> = {};
+          const secretRecord: Record<
+            string,
+            { value: string; comment?: string; skipMultilineEncoding: boolean | null | undefined }
+          > = {};
           secretsByPath[secPath].forEach((decryptedSecret) => {
             secretRecord[decryptedSecret.secretKey] = {
               value: decryptedSecret.secretValue,
-              comment: decryptedSecret.secretComment
+              comment: decryptedSecret.secretComment,
+              skipMultilineEncoding: decryptedSecret.skipMultilineEncoding
             };
           });
 
@@ -1011,12 +1063,12 @@ export const secretServiceFactory = ({
       await batchSecretsExpand(decryptedSecrets);
 
       // expand imports by batch
-      await Promise.all(decryptedImports.map((decryptedImport) => batchSecretsExpand(decryptedImport.secrets)));
+      await Promise.all(processedImports.map((processedImport) => batchSecretsExpand(processedImport.secrets)));
     }
 
     return {
       secrets: decryptedSecrets,
-      imports: decryptedImports
+      imports: processedImports
     };
   };
 

backend/src/services/smtp/smtp-service.ts

@@ -41,21 +41,8 @@ export enum SmtpHost {
   Office365 = "smtp.office365.com"
 }
 
-export const getTlsOption = (host?: SmtpHost | string, secure?: boolean) => {
-  if (!secure) return { secure: false };
-  if (!host) return { secure: true };
-
-  if ((host as SmtpHost) === SmtpHost.Sendgrid) {
-    return { secure: true, port: 465 }; // more details here https://nodemailer.com/smtp/
-  }
-  if (host.includes("amazonaws.com")) {
-    return { tls: { ciphers: "TLSv1.2" } };
-  }
-  return { requireTLS: true, tls: { ciphers: "TLSv1.2" } };
-};
-
 export const smtpServiceFactory = (cfg: TSmtpConfig) => {
-  const smtp = createTransport({ ...cfg, ...getTlsOption(cfg.host, cfg.secure) });
+  const smtp = createTransport(cfg);
   const isSmtpOn = Boolean(cfg.host);
 
   const sendMail = async ({ substitutions, recipients, template, subjectLine }: TSmtpSendMail) => {

backend/src/services/user/user-service.ts

@@ -21,6 +21,7 @@ type TUserServiceFactoryDep = {
     | "findOneUserAction"
     | "createUserAction"
     | "findUserEncKeyByUserId"
+    | "delete"
   >;
   userAliasDAL: Pick<TUserAliasDALFactory, "find" | "insertMany">;
   orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "insertMany">;
@@ -85,7 +86,7 @@ export const userServiceFactory = ({
         tx
       );
 
-      // check if there are users with the same email.
+      // check if there are verified users with the same email.
       const users = await userDAL.find(
         {
           email,
@@ -134,6 +135,15 @@ export const userServiceFactory = ({
           );
         }
       } else {
+        await userDAL.delete(
+          {
+            email,
+            isAccepted: false,
+            isEmailVerified: false
+          },
+          tx
+        );
+
         // update current user's username to [email]
         await userDAL.updateById(
           user.id,

cli/.gitignore

@@ -1,3 +1,4 @@
 .infisical.json
 dist/
 agent-config.test.yaml
+.test.env

cli/go.mod

@@ -3,7 +3,9 @@ module github.com/Infisical/infisical-merge
 go 1.21
 
 require (
+	github.com/bradleyjkemp/cupaloy/v2 v2.8.0
 	github.com/charmbracelet/lipgloss v0.5.0
+	github.com/creack/pty v1.1.21
 	github.com/denisbrodbeck/machineid v1.0.1
 	github.com/fatih/semgroup v1.2.0
 	github.com/gitleaks/go-gitdiff v0.8.0
@@ -29,7 +31,6 @@ require (
 require (
 	github.com/alessio/shellescape v1.4.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
-	github.com/bradleyjkemp/cupaloy/v2 v2.8.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

cli/go.sum

@@ -74,6 +74,8 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
 github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

cli/packages/util/common.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+
+	"github.com/Infisical/infisical-merge/packages/config"
 )
 
 func GetHomeDir() (string, error) {
@@ -21,7 +23,7 @@ func WriteToFile(fileName string, dataToWrite []byte, filePerm os.FileMode) erro
 	return nil
 }
 
-func CheckIsConnectedToInternet() (ok bool) {
-	_, err := http.Get("http://clients3.google.com/generate_204")
+func ValidateInfisicalAPIConnection() (ok bool) {
+	_, err := http.Get(fmt.Sprintf("%v/status", config.INFISICAL_URL))
 	return err == nil
 }

cli/packages/util/secrets.go

@@ -307,32 +307,33 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 }
 
 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
-	isConnected := CheckIsConnectedToInternet()
 	var secretsToReturn []models.SingleEnvironmentVariable
 	// var serviceTokenDetails api.GetServiceTokenDetailsResponse
 	var errorToReturn error
 
 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {
-		if isConnected {
-			log.Debug().Msg("GetAllEnvironmentVariables: Connected to internet, checking logged in creds")
-
-			if projectConfigFilePath == "" {
-				RequireLocalWorkspaceFile()
-			} else {
-				ValidateWorkspaceFile(projectConfigFilePath)
-			}
-
-			RequireLogin()
+		if projectConfigFilePath == "" {
+			RequireLocalWorkspaceFile()
+		} else {
+			ValidateWorkspaceFile(projectConfigFilePath)
 		}
 
+		RequireLogin()
+
 		log.Debug().Msg("GetAllEnvironmentVariables: Trying to fetch secrets using logged in details")
 
 		loggedInUserDetails, err := GetCurrentLoggedInUserDetails()
+		isConnected := ValidateInfisicalAPIConnection()
+
+		if isConnected {
+			log.Debug().Msg("GetAllEnvironmentVariables: Connected to Infisical instance, checking logged in creds")
+		}
+
 		if err != nil {
 			return nil, err
 		}
 
-		if loggedInUserDetails.LoginExpired {
+		if isConnected && loggedInUserDetails.LoginExpired {
 			PrintErrorMessageAndExit("Your login session has expired, please run [infisical login] and try again")
 		}
 
@@ -364,12 +365,12 @@ func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectCo
 
 		backupSecretsEncryptionKey := []byte(loggedInUserDetails.UserCredentials.PrivateKey)[0:32]
 		if errorToReturn == nil {
-			WriteBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey, secretsToReturn)
+			WriteBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, params.SecretsPath, backupSecretsEncryptionKey, secretsToReturn)
 		}
 
 		// only attempt to serve cached secrets if no internet connection and if at least one secret cached
 		if !isConnected {
-			backedSecrets, err := ReadBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, backupSecretsEncryptionKey)
+			backedSecrets, err := ReadBackupSecrets(infisicalDotJson.WorkspaceId, params.Environment, params.SecretsPath, backupSecretsEncryptionKey)
 			if len(backedSecrets) > 0 {
 				PrintWarning("Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug")
 				secretsToReturn = backedSecrets
@@ -634,8 +635,9 @@ func GetPlainTextSecrets(key []byte, encryptedSecrets []api.EncryptedSecretV3) (
 	return plainTextSecrets, nil
 }
 
-func WriteBackupSecrets(workspace string, environment string, encryptionKey []byte, secrets []models.SingleEnvironmentVariable) error {
-	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+func WriteBackupSecrets(workspace string, environment string, secretsPath string, encryptionKey []byte, secrets []models.SingleEnvironmentVariable) error {
+	formattedPath := strings.ReplaceAll(secretsPath, "/", "-")
+	fileName := fmt.Sprintf("secrets_%s_%s_%s", workspace, environment, formattedPath)
 	secrets_backup_folder_name := "secrets-backup"
 
 	_, fullConfigFileDirPath, err := GetFullConfigFilePath()
@@ -672,8 +674,9 @@ func WriteBackupSecrets(workspace string, environment string, encryptionKey []by
 	return nil
 }
 
-func ReadBackupSecrets(workspace string, environment string, encryptionKey []byte) ([]models.SingleEnvironmentVariable, error) {
-	fileName := fmt.Sprintf("secrets_%s_%s", workspace, environment)
+func ReadBackupSecrets(workspace string, environment string, secretsPath string, encryptionKey []byte) ([]models.SingleEnvironmentVariable, error) {
+	formattedPath := strings.ReplaceAll(secretsPath, "/", "-")
+	fileName := fmt.Sprintf("secrets_%s_%s_%s", workspace, environment, formattedPath)
 	secrets_backup_folder_name := "secrets-backup"
 
 	_, fullConfigFileDirPath, err := GetFullConfigFilePath()

cli/scripts/export_test_env.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+TEST_ENV_FILE=".test.env"
+
+# Check if the .env file exists
+if [ ! -f "$TEST_ENV_FILE" ]; then
+    echo "$TEST_ENV_FILE does not exist."
+    exit 1
+fi
+
+# Export the variables
+while IFS= read -r line
+do
+    # Skip empty lines and lines starting with #
+    if [[ -z "$line" || "$line" =~ ^\# ]]; then
+        continue
+    fi
+    # Read the key-value pair
+    IFS='=' read -r key value <<< "$line"
+    eval export $key=\$value
+done < "$TEST_ENV_FILE"
+
+echo "Test environment variables set."

cli/test/.snapshots/test-TestUserAuth_SecretsGetAll

@@ -0,0 +1,7 @@
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘

cli/test/.snapshots/test-testUserAuth_SecretsGetAllWithoutConnection

@@ -0,0 +1,8 @@
+Warning: Unable to fetch latest secret(s) due to connection error, serving secrets from last successful fetch. For more info, run with --debug 
+┌───────────────┬──────────────┬─────────────┐
+│ SECRET NAME   │ SECRET VALUE │ SECRET TYPE │
+├───────────────┼──────────────┼─────────────┤
+│ TEST-SECRET-1 │ test-value-1 │ shared      │
+│ TEST-SECRET-2 │ test-value-2 │ shared      │
+│ TEST-SECRET-3 │ test-value-3 │ shared      │
+└───────────────┴──────────────┴─────────────┘

cli/test/export_test.go

@@ -8,7 +8,6 @@ import (
 
 func TestUniversalAuth_ExportSecretsWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
 
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")
 
@@ -24,8 +23,6 @@ func TestUniversalAuth_ExportSecretsWithImports(t *testing.T) {
 }
 
 func TestServiceToken_ExportSecretsWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent")
 
 	if err != nil {
@@ -41,8 +38,6 @@ func TestServiceToken_ExportSecretsWithImports(t *testing.T) {
 
 func TestUniversalAuth_ExportSecretsWithoutImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")
 
 	if err != nil {
@@ -57,8 +52,6 @@ func TestUniversalAuth_ExportSecretsWithoutImports(t *testing.T) {
 }
 
 func TestServiceToken_ExportSecretsWithoutImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "export", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false")
 
 	if err != nil {

cli/test/helper.go

@@ -2,10 +2,10 @@ package tests
 
 import (
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"strings"
-	"testing"
 )
 
 const (
@@ -23,6 +23,8 @@ type Credentials struct {
 	ServiceToken  string
 	ProjectID     string
 	EnvSlug       string
+	UserEmail     string
+	UserPassword  string
 }
 
 var creds = Credentials{
@@ -32,18 +34,21 @@ var creds = Credentials{
 	ServiceToken:  os.Getenv("CLI_TESTS_SERVICE_TOKEN"),
 	ProjectID:     os.Getenv("CLI_TESTS_PROJECT_ID"),
 	EnvSlug:       os.Getenv("CLI_TESTS_ENV_SLUG"),
+	UserEmail:     os.Getenv("CLI_TESTS_USER_EMAIL"),
+	UserPassword:  os.Getenv("CLI_TESTS_USER_PASSWORD"),
 }
 
 func ExecuteCliCommand(command string, args ...string) (string, error) {
 	cmd := exec.Command(command, args...)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
+		fmt.Println(fmt.Sprint(err) + ": " + string(output))
 		return strings.TrimSpace(string(output)), err
 	}
 	return strings.TrimSpace(string(output)), nil
 }
 
-func SetupCli(t *testing.T) {
+func SetupCli() {
 
 	if creds.ClientID == "" || creds.ClientSecret == "" || creds.ServiceToken == "" || creds.ProjectID == "" || creds.EnvSlug == "" {
 		panic("Missing required environment variables")
@@ -57,7 +62,7 @@ func SetupCli(t *testing.T) {
 
 	if !alreadyBuilt {
 		if err := exec.Command("go", "build", "../.").Run(); err != nil {
-			t.Fatal(err)
+			log.Fatal(err)
 		}
 	}
 

cli/test/login_test.go

@@ -1,14 +1,124 @@
 package tests
 
 import (
+	"log"
+	"os/exec"
+	"strings"
 	"testing"
 
+	"github.com/creack/pty"
 	"github.com/stretchr/testify/assert"
 )
 
-func MachineIdentityLoginCmd(t *testing.T) {
-	SetupCli(t)
+func UserInitCmd() {
+	c := exec.Command(FORMATTED_CLI_NAME, "init")
+	ptmx, err := pty.Start(c)
+	if err != nil {
+		log.Fatalf("error running CLI command: %v", err)
+    }
+ 	defer func() { _ = ptmx.Close() }()
 
+	stepChan := make(chan int, 10)
+
+	go func() {
+		buf := make([]byte, 1024)
+		step := -1
+		for {
+			n, err := ptmx.Read(buf)
+			if n > 0 {
+				terminalOut := string(buf)
+				if strings.Contains(terminalOut, "Which Infisical organization would you like to select a project from?") && step < 0  {
+					step += 1
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Which of your Infisical projects would you like to connect this project to?") && step < 1 {
+					step += 1;
+					stepChan <- step
+				}
+			}
+			if err != nil {
+				close(stepChan)
+				return
+			}
+		}
+	}()
+
+	for i := range stepChan {
+		switch i {
+		case 0: 
+			ptmx.Write([]byte("\n"))
+		case 1:
+			ptmx.Write([]byte("\n"))
+		}
+	}
+}
+
+func UserLoginCmd() {
+	// set vault to file because CI has no keyring
+	vaultCmd := exec.Command(FORMATTED_CLI_NAME, "vault", "set", "file")
+	_, err := vaultCmd.Output()
+	if err != nil {
+		log.Fatalf("error setting vault: %v", err)
+	}
+
+	// Start programmatic interaction with CLI
+	c := exec.Command(FORMATTED_CLI_NAME, "login", "--interactive")
+	ptmx, err := pty.Start(c)
+	if err != nil {
+		log.Fatalf("error running CLI command: %v", err)
+    }
+ 	defer func() { _ = ptmx.Close() }()
+
+	stepChan := make(chan int, 10)
+
+	go func() {
+		buf := make([]byte, 1024)
+		step := -1
+		for {
+			n, err := ptmx.Read(buf)
+			if n > 0 {
+				terminalOut := string(buf)
+				if strings.Contains(terminalOut, "Infisical Cloud") && step < 0 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Email") && step < 1 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Password") && step < 2 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Infisical organization") && step < 3 {
+					step += 1;
+					stepChan <- step
+				} else if strings.Contains(terminalOut, "Enter passphrase") && step < 4 {
+					step += 1;
+					stepChan <- step
+				}
+			}
+			if err != nil {
+				close(stepChan)
+				return
+			}
+		}
+	}()
+
+	for i := range stepChan {
+		switch i {
+		case 0:
+			ptmx.Write([]byte("\n"))
+		case 1:
+			ptmx.Write([]byte(creds.UserEmail))
+			ptmx.Write([]byte("\n"))
+		case 2:
+			ptmx.Write([]byte(creds.UserPassword))
+			ptmx.Write([]byte("\n"))
+		case 3:
+			ptmx.Write([]byte("\n"))
+		}
+	}
+
+}
+
+func MachineIdentityLoginCmd(t *testing.T) {
 	if creds.UAAccessToken != "" {
 		return
 	}

cli/test/main_test.go

@@ -0,0 +1,23 @@
+package tests
+
+import (
+	"fmt"
+	"os"
+	"testing"
+)
+
+func TestMain(m *testing.M) {
+    // Setup
+	fmt.Println("Setting up CLI...")
+	SetupCli()
+	fmt.Println("Performing user login...")
+	UserLoginCmd()
+	fmt.Println("Performing infisical init...")
+	UserInitCmd()
+
+    // Run the tests
+    code := m.Run()
+
+    // Exit
+    os.Exit(code)
+}

cli/test/run_test.go

@@ -8,8 +8,6 @@ import (
 )
 
 func TestServiceToken_RunCmdRecursiveAndImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")
 
 	if err != nil {
@@ -25,8 +23,6 @@ func TestServiceToken_RunCmdRecursiveAndImports(t *testing.T) {
 	}
 }
 func TestServiceToken_RunCmdWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")
 
 	if err != nil {
@@ -44,8 +40,6 @@ func TestServiceToken_RunCmdWithImports(t *testing.T) {
 
 func TestUniversalAuth_RunCmdRecursiveAndImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent", "--", "echo", "hello world")
 
 	if err != nil {
@@ -63,8 +57,6 @@ func TestUniversalAuth_RunCmdRecursiveAndImports(t *testing.T) {
 
 func TestUniversalAuth_RunCmdWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--", "echo", "hello world")
 
 	if err != nil {
@@ -83,8 +75,6 @@ func TestUniversalAuth_RunCmdWithImports(t *testing.T) {
 
 func TestUniversalAuth_RunCmdWithoutImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")
 
 	if err != nil {
@@ -101,8 +91,6 @@ func TestUniversalAuth_RunCmdWithoutImports(t *testing.T) {
 }
 
 func TestServiceToken_RunCmdWithoutImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "run", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--silent", "--include-imports=false", "--", "echo", "hello world")
 
 	if err != nil {

cli/test/secrets_by_name_test.go

@@ -7,8 +7,6 @@ import (
 )
 
 func TestServiceToken_GetSecretsByNameRecursive(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -23,8 +21,6 @@ func TestServiceToken_GetSecretsByNameRecursive(t *testing.T) {
 }
 
 func TestServiceToken_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -39,8 +35,6 @@ func TestServiceToken_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
 }
 
 func TestServiceToken_GetSecretsByNameWithImports(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -56,8 +50,6 @@ func TestServiceToken_GetSecretsByNameWithImports(t *testing.T) {
 
 func TestUniversalAuth_GetSecretsByNameRecursive(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -73,8 +65,6 @@ func TestUniversalAuth_GetSecretsByNameRecursive(t *testing.T) {
 
 func TestUniversalAuth_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "TEST-SECRET-2", "FOLDER-SECRET-1", "DOES-NOT-EXIST", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -90,8 +80,6 @@ func TestUniversalAuth_GetSecretsByNameWithNotFoundSecret(t *testing.T) {
 
 func TestUniversalAuth_GetSecretsByNameWithImports(t *testing.T) {
 	MachineIdentityLoginCmd(t)
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "get", "TEST-SECRET-1", "STAGING-SECRET-2", "FOLDER-SECRET-1", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {

cli/test/secrets_test.go

@@ -3,12 +3,12 @@ package tests
 import (
 	"testing"
 
+	"github.com/Infisical/infisical-merge/packages/util"
 	"github.com/bradleyjkemp/cupaloy/v2"
 )
 
-func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
-	SetupCli(t)
 
+func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
 
 	if err != nil {
@@ -23,8 +23,6 @@ func TestServiceToken_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 }
 
 func TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
-	SetupCli(t)
-
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.ServiceToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
 
 	if err != nil {
@@ -39,7 +37,6 @@ func TestServiceToken_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.
 }
 
 func TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)
 
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--recursive", "--silent")
@@ -56,7 +53,6 @@ func TestUniversalAuth_SecretsGetWithImportsAndRecursiveCmd(t *testing.T) {
 }
 
 func TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)
 
 	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
@@ -73,7 +69,6 @@ func TestUniversalAuth_SecretsGetWithoutImportsAndWithoutRecursiveCmd(t *testing
 }
 
 func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
-	SetupCli(t)
 	MachineIdentityLoginCmd(t)
 
 	output, _ := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--token", creds.UAAccessToken, "--projectId", creds.ProjectID, "--env", "invalid-env", "--recursive", "--silent")
@@ -85,3 +80,45 @@ func TestUniversalAuth_SecretsGetWrongEnvironment(t *testing.T) {
 	}
 
 }
+
+func TestUserAuth_SecretsGetAll(t *testing.T) {
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+
+	// explicitly called here because it should happen directly after successful secretsGetAll
+	testUserAuth_SecretsGetAllWithoutConnection(t)
+}
+
+func testUserAuth_SecretsGetAllWithoutConnection(t *testing.T) {
+	originalConfigFile, err := util.GetConfigFile()
+	if err != nil {
+		t.Fatalf("error getting config file")
+	}
+	newConfigFile := originalConfigFile
+
+	// set it to a URL that will always be unreachable
+	newConfigFile.LoggedInUserDomain = "http://localhost:4999"
+	util.WriteConfigFile(&newConfigFile)
+	
+	// restore config file
+	defer util.WriteConfigFile(&originalConfigFile)
+
+	output, err := ExecuteCliCommand(FORMATTED_CLI_NAME, "secrets", "--projectId", creds.ProjectID, "--env", creds.EnvSlug, "--include-imports=false", "--silent")
+	if err != nil {
+		t.Fatalf("error running CLI command: %v", err)
+	}
+
+	// Use cupaloy to snapshot test the output
+	err = cupaloy.Snapshot(output)
+	if err != nil {
+		t.Fatalf("snapshot failed: %v", err)
+	}
+}

docs/mint.json

@@ -384,6 +384,7 @@
       "pages": [
         "sdks/languages/node",
         "sdks/languages/python",
+        "sdks/languages/go",
         "sdks/languages/java",
         "sdks/languages/csharp"
       ]

docs/sdks/languages/go.mdx

@@ -0,0 +1,438 @@
+---
+title: "Infisical Go SDK"
+sidebarTitle: "Go"
+icon: "golang"
+---
+
+
+
+If you're working with Go Lang, the official [Infisical Go SDK](https://github.com/infisical/go-sdk) package is the easiest way to fetch and work with secrets for your application.
+
+- [Package](https://pkg.go.dev/github.com/infisical/go-sdk)
+- [Github Repository](https://github.com/infiscial/go-sdk)
+
+## Basic Usage
+
+```go
+package main
+
+import (
+	"fmt"
+	"os"
+
+	infisical "github.com/infisical/go-sdk"
+)
+
+func main() {
+
+	client, err := infisical.NewInfisicalClient(infisical.Config{
+		SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
+	})
+
+	if err != nil {
+		fmt.Printf("Error: %v", err)
+		os.Exit(1)
+	}
+
+	_, err = client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
+
+	if err != nil {
+		fmt.Printf("Authentication failed: %v", err)
+		os.Exit(1)
+	}
+
+	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
+		SecretKey:   "API_KEY",
+		Environment: "dev",
+		ProjectID:   "YOUR_PROJECT_ID",
+		SecretPath:  "/",
+	})
+
+	if err != nil {
+		fmt.Printf("Error: %v", err)
+		os.Exit(1)
+	}
+
+	fmt.Printf("API Key Secret: %v", apiKeySecret)
+
+}
+```
+
+This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named `API_KEY` from the `dev` environment of the `YOUR_PROJECT_ID` project.
+
+<Warning>
+    We do not recommend hardcoding your [Machine Identity Tokens](/platform/identities/overview). Setting it as an environment variable would be best.
+</Warning>
+
+# Installation
+
+```console
+$ go get github.com/infisical/go-sdk
+```
+# Configuration
+
+Import the SDK and create a client instance.
+
+```go
+client, err := infisical.NewInfisicalClient(infisical.Config{
+		SiteUrl: "https://app.infisical.com", // Optional, default is https://api.infisical.com
+	})
+
+if err != nil {
+  fmt.Printf("Error: %v", err)
+  os.Exit(1)
+}
+```
+
+### ClientSettings methods
+
+<ParamField query="options" type="object">
+    <Expandable title="properties">
+        <ParamField query="SiteUrl" type="string" optional>
+            The URL of the Infisical API. Default is `https://api.infisical.com`.
+        </ParamField>
+
+        <ParamField query="UserAgent" type="string" required>
+            Optionally set the user agent that will be used for HTTP requests. _(Not recommended)_
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### Authentication
+
+The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
+
+#### Universal Auth
+
+**Using environment variables**
+
+Call `.Auth().UniversalAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
+- `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
+
+**Using the SDK directly**
+```go
+_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+#### GCP ID Token Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Google Cloud Platform.
+  Please [read more](/documentation/platform/identities/gcp-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+
+Call `.Auth().GcpIdTokenAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```go
+_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+#### GCP IAM Auth
+
+**Using environment variables**
+
+Call `.Auth().GcpIamAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
+
+**Using the SDK directly**
+```go
+_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+#### AWS IAM Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on AWS.
+  Please [read more](/documentation/platform/identities/aws-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+
+Call `.Auth().AwsIamAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```go
+_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+
+#### Azure Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Azure.
+  Please [read more](/documentation/platform/identities/azure-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+
+Call `.Auth().AzureAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
+
+**Using the SDK directly**
+```go
+_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+#### Kubernetes Auth
+<Info>
+  Please note that this authentication method will only work if you're running your application on Kubernetes.
+  Please [read more](/documentation/platform/identities/kubernetes-auth) about this authentication method.
+</Info>
+
+**Using environment variables**
+
+Call `.Auth().KubernetesAuthLogin()` with empty arguments to use the following environment variables:
+
+- `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
+- `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+
+**Using the SDK directly**
+```go
+// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
+_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
+
+if err != nil {
+  fmt.Println(err)
+  os.Exit(1)
+}
+```
+
+## Working with Secrets
+
+### client.Secrets().List(options)
+
+```go
+secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
+  ProjectID:          "PROJECT_ID",
+  Environment:        "dev",
+  SecretPath:         "/foo/bar",
+  AttachToProcessEnv: false,
+})
+```
+
+Retrieve all secrets within the Infisical project and environment that client is connected to
+
+#### Parameters
+
+<ParamField query="Parameters" type="object">
+    <Expandable title="properties">
+        <ParamField query="Environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="ProjectID" type="string">
+            The project ID where the secret lives in.
+        </ParamField>
+
+         <ParamField query="SecretPath" type="string" optional>
+            The path from where secrets should be fetched from.
+        </ParamField>
+
+        <ParamField query="AttachToProcessEnv" type="boolean" default="false" optional>
+             Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `System.getenv("SECRET_NAME")`.
+        </ParamField>
+
+        <ParamField query="IncludeImports" type="boolean" default="false" optional>
+             Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
+        </ParamField>
+
+        <ParamField query="Recursive" type="boolean" default="false" optional>
+            Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
+        </ParamField>
+
+        <ParamField query="ExpandSecretReferences" type="boolean" default="true" optional>
+            Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
+        </ParamField>
+    </Expandable>
+
+</ParamField>
+
+### client.Secrets().Get(options)
+
+```go
+secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
+  SecretKey:   "API_KEY",
+  ProjectID:   "PROJECT_ID",
+  Environment: "dev",
+})
+```
+
+Retrieve a secret from Infisical.
+
+By default, `Secrets().Get()` fetches and returns a shared secret.
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="SecretKey" type="string" required>
+            The key of the secret to retrieve.
+        </ParamField>
+        <ParamField query="ProjectID" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="Environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="SecretPath" type="string" optional>
+            The path from where secret should be fetched from.
+        </ParamField>
+        <ParamField query="Type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.Secrets().Create(options)
+
+```go
+secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
+  ProjectID:   "PROJECT_ID",
+  Environment: "dev",
+
+  SecretKey:     "NEW_SECRET_KEY",
+  SecretValue:   "NEW_SECRET_VALUE",
+  SecretComment: "This is a new secret",
+})
+```
+
+Create a new secret in Infisical.
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="SecretKey" type="string" required>
+            The key of the secret to create.
+        </ParamField>
+        <ParamField query="SecretValue" type="string" required>
+            The value of the secret.
+        </ParamField>
+        <ParamField query="SecretComment" type="string" optional>
+            A comment for the secret.
+        </ParamField>
+        <ParamField query="ProjectID" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="Environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="SecretPath" type="string" optional>
+            The path from where secret should be created.
+        </ParamField>
+        <ParamField query="Type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.Secrets().Update(options)
+
+```go
+secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
+  ProjectID:                "PROJECT_ID",
+  Environment:              "dev",
+  SecretKey:                "NEW_SECRET_KEY",
+  NewSecretValue:           "NEW_SECRET_VALUE",
+  NewSkipMultilineEncoding: false,
+})
+```
+
+Update an existing secret in Infisical.
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="SecretKey" type="string" required>
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="NewSecretValue" type="string" required>
+            The new value of the secret.
+        </ParamField>
+        <ParamField query="NewSkipMultilineEncoding" type="boolean" default="false" optional>
+            Whether or not to skip multiline encoding for the new secret value.
+        </ParamField>
+        <ParamField query="ProjectID" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="Environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="SecretPath" type="string" optional>
+            The path from where secret should be updated.
+        </ParamField>
+        <ParamField query="Type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>
+
+### client.Secrets().Delete(options)
+
+```go
+secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
+  ProjectID:   "PROJECT_ID",
+  Environment: "dev",
+  SecretKey:   "SECRET_KEY",
+})
+```
+
+Delete a secret in Infisical.
+
+#### Parameters
+
+<ParamField query="Parameters" type="object" optional>
+    <Expandable title="properties">
+        <ParamField query="SecretKey" type="string">
+            The key of the secret to update.
+        </ParamField>
+        <ParamField query="ProjectID" type="string" required>
+            The project ID where the secret lives in.
+        </ParamField>
+        <ParamField query="Environment" type="string" required>
+            The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
+        </ParamField>
+        <ParamField query="SecretPath" type="string" optional>
+            The path from where secret should be deleted.
+        </ParamField>
+        <ParamField query="Type" type="string" optional>
+            The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".
+        </ParamField>
+    </Expandable>
+</ParamField>

docs/self-hosting/configuration/envars.mdx

@@ -48,44 +48,44 @@ The platform utilizes Postgres to persist all of its data and Redis for caching
 Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
 
 <Accordion title="Generic Configuration">
-  <ParamField query="SMTP_HOST" type="string" default="none" optional>
-    Hostname to connect to for establishing SMTP connections
-  </ParamField>
-
-{" "}
-
-<ParamField query="SMTP_USERNAME" type="string" default="none" optional>
-  Credential to connect to host (e.g. team@infisical.com)
+<ParamField query="SMTP_HOST" type="string" default="none" optional>
+  Hostname to connect to for establishing SMTP connections
 </ParamField>
 
-{" "}
-
-<ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
-  Credential to connect to host
-</ParamField>
-
-{" "}
-
 <ParamField query="SMTP_PORT" type="string" default="587" optional>
   Port to connect to for establishing SMTP connections
 </ParamField>
 
-{" "}
-
-<ParamField query="SMTP_SECURE" type="string" default="none" optional>
-  If true, use TLS when connecting to host. If false, TLS will be used if
-  STARTTLS is supported
+<ParamField query="SMTP_USERNAME" type="string" default="none" optional>
+  Credential to connect to host (e.g. team@infisical.com)
 </ParamField>
 
-{" "}
+<ParamField query="SMTP_PASSWORD" type="string" default="none" optional>
+  Credential to connect to host
+</ParamField>
 
 <ParamField query="SMTP_FROM_ADDRESS" type="string" default="none" optional>
   Email address to be used for sending emails
 </ParamField>
 
-  <ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
-    Name label to be used in From field (e.g. Team)
-  </ParamField>
+<ParamField query="SMTP_FROM_NAME" type="string" default="none" optional>
+  Name label to be used in From field (e.g. Team)
+</ParamField>
+
+<ParamField query="SMTP_IGNORE_TLS" type="bool" default="false" optional>
+  If this is `true` and `SMTP_PORT` is not 465 then TLS is not used even if the
+  server supports STARTTLS extension.
+</ParamField>
+
+<ParamField query="SMTP_REQUIRE_TLS" type="bool" default="true" optional>
+  If this is `true` and `SMTP_PORT` is not 465 then Infisical tries to use
+  STARTTLS even if the server does not advertise support for it. If the
+  connection can not be encrypted then message is not sent.
+</ParamField>
+
+<ParamField query="SMTP_TLS_REJECT_UNAUTHORIZED" type="bool" default="true" optional>
+  If this is `true`, Infisical will validate the server's SSL/TLS certificate and reject the connection if the certificate is invalid or not trusted. If set to `false`, the client will accept the server's certificate regardless of its validity, which can be useful in development or testing environments but is not recommended for production use.
+</ParamField>
 </Accordion>
 
 <Accordion title="Twilio SendGrid">
@@ -105,7 +105,6 @@ SMTP_HOST=smtp.sendgrid.net
 SMTP_USERNAME=apikey
 SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -128,7 +127,6 @@ SMTP_HOST=smtp.mailgun.org # obtained from credentials page
 SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
 SMTP_PASSWORD=password # obtained from credentials page
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -159,7 +157,6 @@ SMTP_FROM_NAME=Infisical
       SMTP_USERNAME=xxx # your SMTP username
       SMTP_PASSWORD=xxx # your SMTP password
       SMTP_PORT=465
-      SMTP_SECURE=true
       SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
       SMTP_FROM_NAME=Infisical
       ```
@@ -187,7 +184,6 @@ SMTP_HOST=smtp.socketlabs.com
 SMTP_USERNAME=username # obtained from your credentials
 SMTP_PASSWORD=password # obtained from your credentials
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -229,7 +225,6 @@ SMTP_HOST=smtp.resend.com
 SMTP_USERNAME=resend
 SMTP_PASSWORD=YOUR_API_KEY
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
 SMTP_FROM_NAME=Infisical
 ```
@@ -253,7 +248,6 @@ SMTP_HOST=smtp.gmail.com
 SMTP_USERNAME=hey@gmail.com # your email
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@gmail.com
 SMTP_FROM_NAME=Infisical
 ```
@@ -277,7 +271,6 @@ SMTP_HOST=smtp.office365.com
 SMTP_USERNAME=username@yourdomain.com # your username
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=username@yourdomain.com
 SMTP_FROM_NAME=Infisical
 ```
@@ -294,7 +287,6 @@ SMTP_HOST=smtp.zoho.com
 SMTP_USERNAME=username # your email
 SMTP_PASSWORD=password # your password
 SMTP_PORT=587
-SMTP_SECURE=true
 SMTP_FROM_ADDRESS=hey@example.com # your personal Zoho email or domain-based email linked to Zoho Mail
 SMTP_FROM_NAME=Infisical
 ```
@@ -320,7 +312,8 @@ To login into Infisical with OAuth providers such as Google, configure the assoc
 
 <ParamField query="DEFAULT_SAML_ORG_SLUG" type="string">
 
-  When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
+When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
+
 </ParamField>
 
 <Accordion title="Google">

frontend/src/components/v2/SecretPathInput/SecretPathInput.tsx

@@ -78,7 +78,8 @@ export const SecretPathInput = ({
     const validPaths = inputValue.split("/");
     validPaths.pop();
 
-    const newValue = `${validPaths.join("/")}/${suggestions[selectedIndex]}/`;
+    // removed trailing slash
+    const newValue = `${validPaths.join("/")}/${suggestions[selectedIndex]}`;
     onChange?.(newValue);
     setInputValue(newValue);
     setSecretPath(newValue);

frontend/src/helpers/project.ts

@@ -93,27 +93,29 @@ const initProjectHelper = async ({ projectName }: { projectName: string }) => {
   });
 
   try {
-    secrets?.forEach((secret) => {
-      createSecret({
-        workspaceId: project.id,
-        environment: secret.environment,
-        type: secret.type,
-        secretKey: secret.secretName,
-        secretKeyCiphertext: secret.secretKeyCiphertext,
-        secretKeyIV: secret.secretKeyIV,
-        secretKeyTag: secret.secretKeyTag,
-        secretValueCiphertext: secret.secretValueCiphertext,
-        secretValueIV: secret.secretValueIV,
-        secretValueTag: secret.secretValueTag,
-        secretCommentCiphertext: secret.secretCommentCiphertext,
-        secretCommentIV: secret.secretCommentIV,
-        secretCommentTag: secret.secretCommentTag,
-        secretPath: "/",
-        metadata: {
-          source: "signup"
-        }
-      });
-    });
+    await Promise.allSettled(
+      (secrets || []).map((secret) =>
+        createSecret({
+          workspaceId: project.id,
+          environment: secret.environment,
+          type: secret.type,
+          secretKey: secret.secretName,
+          secretKeyCiphertext: secret.secretKeyCiphertext,
+          secretKeyIV: secret.secretKeyIV,
+          secretKeyTag: secret.secretKeyTag,
+          secretValueCiphertext: secret.secretValueCiphertext,
+          secretValueIV: secret.secretValueIV,
+          secretValueTag: secret.secretValueTag,
+          secretCommentCiphertext: secret.secretCommentCiphertext,
+          secretCommentIV: secret.secretCommentIV,
+          secretCommentTag: secret.secretCommentTag,
+          secretPath: "/",
+          metadata: {
+            source: "signup"
+          }
+        })
+      )
+    );
   } catch (err) {
     console.error("Failed to upload secrets", err);
   }

frontend/src/hooks/api/integrations/queries.tsx

@@ -73,6 +73,8 @@ export const useCreateIntegration = () => {
         }[];
         kmsKeyId?: string;
         shouldDisableDelete?: boolean;
+        shouldMaskSecrets?: boolean;
+        shouldProtectSecrets?: boolean;
         shouldEnableDelete?: boolean;
       };
     }) => {

frontend/src/hooks/api/secretImports/queries.tsx

@@ -264,13 +264,12 @@ export const useGetImportedSecretsAllEnvs = ({
   });
 
   const isImportedSecretPresentInEnv = useCallback(
-    (secPath: string, envSlug: string, secretName: string) => {
+    (envSlug: string, secretName: string) => {
       const selectedEnvIndex = environments.indexOf(envSlug);
 
       if (selectedEnvIndex !== -1) {
-        const isPresent = secretImports?.[selectedEnvIndex]?.data?.find(
-          ({ secretPath, secrets }) =>
-            secretPath === secPath && secrets.some((s) => s.key === secretName)
+        const isPresent = secretImports?.[selectedEnvIndex]?.data?.find(({ secrets }) =>
+          secrets.some((s) => s.key === secretName)
         );
 
         return Boolean(isPresent);

frontend/src/pages/integrations/gitlab/create.tsx

@@ -25,6 +25,7 @@ import {
   ModalContent,
   Select,
   SelectItem,
+  Switch,
   Tab,
   TabList,
   TabPanel,
@@ -58,7 +59,9 @@ const schema = yup.object({
   targetAppId: yup.string().required("GitLab project is required"),
   targetEnvironment: yup.string(),
   secretPrefix: yup.string(),
-  secretSuffix: yup.string()
+  secretSuffix: yup.string(),
+  shouldMaskSecrets: yup.boolean(),
+  shouldProtectSecrets: yup.boolean()
 });
 
 type FormData = yup.InferType<typeof schema>;
@@ -138,7 +141,9 @@ export default function GitLabCreateIntegrationPage() {
     targetAppId,
     targetEnvironment,
     secretPrefix,
-    secretSuffix
+    secretSuffix,
+    shouldMaskSecrets,
+    shouldProtectSecrets
   }: FormData) => {
     try {
       setIsLoading(true);
@@ -156,7 +161,9 @@ export default function GitLabCreateIntegrationPage() {
         secretPath,
         metadata: {
           secretPrefix,
-          secretSuffix
+          secretSuffix,
+          shouldMaskSecrets,
+          shouldProtectSecrets
         }
       });
 
@@ -390,6 +397,36 @@ export default function GitLabCreateIntegrationPage() {
               exit={{ opacity: 0, translateX: 30 }}
               className="pb-[14.25rem]"
             >
+              <div className="ml-1">
+                <Controller
+                  control={control}
+                  name="shouldMaskSecrets"
+                  render={({ field: { onChange, value } }) => (
+                    <Switch
+                      id="should-mask-secrets"
+                      onCheckedChange={(isChecked) => onChange(isChecked)}
+                      isChecked={value}
+                    >
+                      <div className="max-w-md">Mark Infisical secrets in Gitlab as &apos;Masked&apos; secrets</div>
+                    </Switch>
+                  )}
+                />
+              </div>
+              <div className="ml-1 mt-4 mb-5">
+                <Controller
+                  control={control}
+                  name="shouldProtectSecrets"
+                  render={({ field: { onChange, value } }) => (
+                    <Switch
+                      id="should-protect-secrets"
+                      onCheckedChange={(isChecked) => onChange(isChecked)}
+                      isChecked={value}
+                    >
+                      Mark Infisical secrets in Gitlab as &apos;Protected&apos; secrets
+                    </Switch>
+                  )}
+                />
+              </div>
               <Controller
                 control={control}
                 name="secretPrefix"

frontend/src/views/SecretMainPage/components/SecretImportListView/SecretImportListView.tsx

@@ -45,7 +45,6 @@ export const computeImportedSecretRows = (
   if (importedSecIndex === -1) return [];
 
   const importedSec = importSecrets[importedSecIndex];
-
   const overridenSec: Record<string, { env: string; secretPath: string }> = {};
 
   for (let i = importedSecIndex + 1; i < importSecrets.length; i += 1) {
@@ -61,11 +60,28 @@ export const computeImportedSecretRows = (
     overridenSec[el.key] = { env: SECRET_IN_DASHBOARD, secretPath: "" };
   });
 
-  return importedSec.secrets.map(({ key, value }) => ({
-    key,
-    value,
-    overriden: overridenSec?.[key]
-  }));
+  const importedEntry: Record<string, boolean> = {};
+  const importedSecretEntries: {
+    key: string;
+    value: string;
+    overriden: {
+      env: string;
+      secretPath: string;
+    };
+  }[] = [];
+
+  importedSec.secrets.forEach(({ key, value }) => {
+    if (!importedEntry[key]) {
+      importedSecretEntries.push({
+        key,
+        value,
+        overriden: overridenSec?.[key]
+      });
+      importedEntry[key] = true;
+    }
+  });
+
+  return importedSecretEntries;
 };
 
 type Props = {
@@ -159,8 +175,9 @@ export const SecretImportListView = ({
         importEnv.slug === environment &&
         isReserved &&
         importPath ===
-        `${secretPath === "/" ? "" : secretPath}/${ReservedFolders.SecretReplication
-        }${replicationImportId}`
+          `${secretPath === "/" ? "" : secretPath}/${
+            ReservedFolders.SecretReplication
+          }${replicationImportId}`
     );
     if (reservedImport) {
       setReplicationSecrets((state) => ({
@@ -206,8 +223,9 @@ export const SecretImportListView = ({
         isOpen={popUp.deleteSecretImport.isOpen}
         deleteKey="unlink"
         title="Do you want to remove this secret import?"
-        subTitle={`This will unlink secrets from environment ${(popUp.deleteSecretImport?.data as TSecretImport)?.importEnv
-          } of path ${(popUp.deleteSecretImport?.data as TSecretImport)?.importPath}?`}
+        subTitle={`This will unlink secrets from environment ${
+          (popUp.deleteSecretImport?.data as TSecretImport)?.importEnv
+        } of path ${(popUp.deleteSecretImport?.data as TSecretImport)?.importPath}?`}
         onChange={(isOpen) => handlePopUpToggle("deleteSecretImport", isOpen)}
         onDeleteApproved={handleSecretImportDelete}
       />

frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx

@@ -393,15 +393,15 @@ export const SecretDetailSidebar = ({
                       {(isAllowed) => (
                         <Switch
                           id="skipmultiencoding-option"
-                          onCheckedChange={(isChecked) => onChange(!isChecked)}
-                          isChecked={!value}
+                          onCheckedChange={(isChecked) => onChange(isChecked)}
+                          isChecked={value}
                           onBlur={onBlur}
                           isDisabled={!isAllowed}
                           className="items-center"
                         >
-                          Enable multi line encoding
+                          Multi line encoding
                           <Tooltip
-                            content="Infisical encodes multiline secrets by escaping newlines and wrapping in quotes. To disable, enable this option"
+                            content="When enabled, multiline secrets will be handled by escaping newlines and enclosing the entire value in double quotes."
                             className="z-[100]"
                           >
                             <FontAwesomeIcon icon={faCircleQuestion} className="ml-1" size="sm" />

frontend/src/views/SecretOverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx

@@ -29,7 +29,7 @@ type Props = {
   onSecretCreate: (env: string, key: string, value: string) => Promise<void>;
   onSecretUpdate: (env: string, key: string, value: string, secretId?: string) => Promise<void>;
   onSecretDelete: (env: string, key: string, secretId?: string) => Promise<void>;
-  isImportedSecretPresentInEnv: (name: string, env: string, secretName: string) => boolean;
+  isImportedSecretPresentInEnv: (env: string, secretName: string) => boolean;
 };
 
 export const SecretOverviewTableRow = ({
@@ -53,9 +53,8 @@ export const SecretOverviewTableRow = ({
     <>
       <Tr isHoverable isSelectable onClick={() => setIsFormExpanded.toggle()} className="group">
         <Td
-          className={`sticky left-0 z-10 bg-mineshaft-800 bg-clip-padding py-0 px-0 group-hover:bg-mineshaft-700 ${
-            isFormExpanded && "border-t-2 border-mineshaft-500"
-          }`}
+          className={`sticky left-0 z-10 bg-mineshaft-800 bg-clip-padding py-0 px-0 group-hover:bg-mineshaft-700 ${isFormExpanded && "border-t-2 border-mineshaft-500"
+            }`}
         >
           <div className="h-full w-full border-r border-mineshaft-600 py-2.5 px-5">
             <div className="flex items-center space-x-5">
@@ -83,7 +82,7 @@ export const SecretOverviewTableRow = ({
         {environments.map(({ slug }, i) => {
           const secret = getSecretByKey(slug, secretKey);
 
-          const isSecretImported = isImportedSecretPresentInEnv(secretPath, slug, secretKey);
+          const isSecretImported = isImportedSecretPresentInEnv(slug, secretKey);
 
           const isSecretPresent = Boolean(secret);
           const isSecretEmpty = secret?.value === "";
@@ -108,8 +107,8 @@ export const SecretOverviewTableRow = ({
                         isSecretPresent
                           ? "Present secret"
                           : isSecretImported
-                          ? "Imported secret"
-                          : "Missing secret"
+                            ? "Imported secret"
+                            : "Missing secret"
                       }
                     >
                       <FontAwesomeIcon
@@ -133,9 +132,8 @@ export const SecretOverviewTableRow = ({
         <Tr>
           <Td
             colSpan={totalCols}
-            className={`bg-bunker-600 px-0 py-0 ${
-              isFormExpanded && "border-b-2 border-mineshaft-500"
-            }`}
+            className={`bg-bunker-600 px-0 py-0 ${isFormExpanded && "border-b-2 border-mineshaft-500"
+              }`}
           >
             <div
               className="ml-2 p-2"
@@ -180,11 +178,7 @@ export const SecretOverviewTableRow = ({
                       const secret = getSecretByKey(slug, secretKey);
                       const isCreatable = !secret;
 
-                      const isImportedSecret = isImportedSecretPresentInEnv(
-                        secretPath,
-                        slug,
-                        secretKey
-                      );
+                      const isImportedSecret = isImportedSecretPresentInEnv(slug, secretKey);
 
                       return (
                         <tr