fix: update sync job status

.github/workflows/deployment-pipeline.yml

@@ -5,10 +5,6 @@ permissions:
   id-token: write
   contents: read
 
-concurrency: 
-  group: "infisical-core-deployment"
-  cancel-in-progress: true  
-
 jobs:
   infisical-tests:
     name: Integration tests
@@ -101,7 +97,7 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-gamma-stage
@@ -117,6 +113,10 @@ jobs:
     steps:
       - uses: twingate/github-action@v1
         with:
+        # The Twingate Service Key used to connect Twingate to the proper service
+        # Learn more about [Twingate Services](https://docs.twingate.com/docs/services)
+        #
+        # Required
           service-key: ${{ secrets.TWINGATE_SERVICE_KEY }}
       - name: Checkout code
         uses: actions/checkout@v2
@@ -153,37 +153,12 @@ jobs:
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
           service: infisical-core-platform
           cluster: infisical-core-platform
           wait-for-service-stability: true
-      - name: Post slack message 
-        uses: slackapi/slack-github-action@v2.0.0
-        with:
-          webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-          webhook-type: incoming-webhook
-          payload: |
-            text: "*Deployment Status Update*: ${{ job.status }}"
-            blocks:
-              - type: "section"
-                text:
-                  type: "mrkdwn"
-                  text: "*Deployment Status Update*: ${{ job.status }}"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Application:*\nInfisical Core"
-                  - type: "mrkdwn"
-                    text: "*Instance Type:*\nShared Infisical Cloud"
-              - type: "section"
-                fields:
-                  - type: "mrkdwn"
-                    text: "*Region:*\nUS"
-                  - type: "mrkdwn"
-                    text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-
 
   production-eu:
       name: EU production deploy
@@ -229,34 +204,9 @@ jobs:
             image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
             environment-variables: "LOG_LEVEL=info"
         - name: Deploy to Amazon ECS service
-          uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+          uses: aws-actions/amazon-ecs-deploy-task-definition@v1
           with:
             task-definition: ${{ steps.render-web-container.outputs.task-definition }}
             service: infisical-core-platform
             cluster: infisical-core-platform
             wait-for-service-stability: true
-        - name: Post slack message 
-          uses: slackapi/slack-github-action@v2.0.0
-          with:
-            webhook: ${{ secrets.SLACK_DEPLOYMENT_WEBHOOK_URL }}
-            webhook-type: incoming-webhook
-            payload: |
-              text: "*Deployment Status Update*: ${{ job.status }}"
-              blocks:
-                - type: "section"
-                  text:
-                    type: "mrkdwn"
-                    text: "*Deployment Status Update*: ${{ job.status }}"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Application:*\nInfisical Core"
-                    - type: "mrkdwn"
-                      text: "*Instance Type:*\nShared Infisical Cloud"
-                - type: "section"
-                  fields:
-                    - type: "mrkdwn"
-                      text: "*Region:*\nEU"
-                    - type: "mrkdwn"
-                      text: "*Git Tag:*\n<https://github.com/Infisical/infisical/commit/${{ steps.commit.outputs.short }}>"
-

.infisicalignore

@@ -7,4 +7,3 @@ docs/self-hosting/configuration/envars.mdx:generic-api-key:106
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
 docs/mint.json:generic-api-key:651
 backend/src/ee/services/hsm/hsm-service.ts:generic-api-key:134
-docs/documentation/platform/audit-log-streams/audit-log-streams.mdx:generic-api-key:104

README.md

@@ -56,7 +56,7 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical Kubernetes Operator](https://infisical.com/docs/documentation/getting-started/kubernetes)**: Deliver secrets to your Kubernetes workloads and automatically reload deployments.
 - **[Infisical Agent](https://infisical.com/docs/infisical-agent/overview)**: Inject secrets into applications without modifying any code logic.
 
-### Infisical (Internal) PKI:
+### Internal PKI:
 
 - **[Private Certificate Authority](https://infisical.com/docs/documentation/platform/pki/private-ca)**: Create CA hierarchies, configure [certificate templates](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) for policy enforcement, and start issuing X.509 certificates.
 - **[Certificate Management](https://infisical.com/docs/documentation/platform/pki/certificates)**: Manage the certificate lifecycle from [issuance](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-issuing-certificates) to [revocation](https://infisical.com/docs/documentation/platform/pki/certificates#guide-to-revoking-certificates) with support for CRL.
@@ -64,17 +64,12 @@ We're on a mission to make security tooling more accessible to everyone, not jus
 - **[Infisical PKI Issuer for Kubernetes](https://infisical.com/docs/documentation/platform/pki/pki-issuer)**: Deliver TLS certificates to your Kubernetes workloads with automatic renewal.
 - **[Enrollment over Secure Transport](https://infisical.com/docs/documentation/platform/pki/est)**: Enroll and manage certificates via EST protocol.
 
-### Infisical Key Management System (KMS):
+### Key Management (KMS):
 
 - **[Cryptographic Keys](https://infisical.com/docs/documentation/platform/kms)**: Centrally manage keys across projects through a user-friendly interface or via the API.
 - **[Encrypt and Decrypt Data](https://infisical.com/docs/documentation/platform/kms#guide-to-encrypting-data)**: Use symmetric keys to encrypt and decrypt data.
 
-### Infisical SSH
-
-- **[Signed SSH Certificates](https://infisical.com/docs/documentation/platform/ssh)**: Issue ephemeral SSH credentials for secure, short-lived, and centralized access to infrastructure.
-
 ### General Platform:
-
 - **Authentication Methods**: Authenticate machine identities with Infisical using a cloud-native or platform agnostic authentication method ([Kubernetes Auth](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), [GCP Auth](https://infisical.com/docs/documentation/platform/identities/gcp-auth), [Azure Auth](https://infisical.com/docs/documentation/platform/identities/azure-auth), [AWS Auth](https://infisical.com/docs/documentation/platform/identities/aws-auth), [OIDC Auth](https://infisical.com/docs/documentation/platform/identities/oidc-auth/general), [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth)).
 - **[Access Controls](https://infisical.com/docs/documentation/platform/access-controls/overview)**: Define advanced authorization controls for users and machine identities with [RBAC](https://infisical.com/docs/documentation/platform/access-controls/role-based-access-controls), [additional privileges](https://infisical.com/docs/documentation/platform/access-controls/additional-privileges), [temporary access](https://infisical.com/docs/documentation/platform/access-controls/temporary-access), [access requests](https://infisical.com/docs/documentation/platform/access-controls/access-requests), [approval workflows](https://infisical.com/docs/documentation/platform/pr-workflows), and more.
 - **[Audit logs](https://infisical.com/docs/documentation/platform/audit-logs)**: Track every action taken on the platform.

backend/src/@types/knex.d.ts

@@ -218,9 +218,6 @@ import {
   TRateLimit,
   TRateLimitInsert,
   TRateLimitUpdate,
-  TResourceMetadata,
-  TResourceMetadataInsert,
-  TResourceMetadataUpdate,
   TSamlConfigs,
   TSamlConfigsInsert,
   TSamlConfigsUpdate,
@@ -891,11 +888,6 @@ declare module "knex/types/tables" {
       TProjectSplitBackfillIdsInsert,
       TProjectSplitBackfillIdsUpdate
     >;
-    [TableName.ResourceMetadata]: KnexOriginal.CompositeTableType<
-      TResourceMetadata,
-      TResourceMetadataInsert,
-      TResourceMetadataUpdate
-    >;
     [TableName.AppConnection]: KnexOriginal.CompositeTableType<
       TAppConnections,
       TAppConnectionsInsert,

backend/src/db/migrations/20241218165837_resource-metadata.ts

@@ -1,40 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.ResourceMetadata))) {
-    await knex.schema.createTable(TableName.ResourceMetadata, (tb) => {
-      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("key").notNullable();
-      tb.string("value", 1020).notNullable();
-      tb.uuid("orgId").notNullable();
-      tb.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      tb.uuid("userId");
-      tb.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
-      tb.uuid("identityId");
-      tb.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      tb.uuid("secretId");
-      tb.foreign("secretId").references("id").inTable(TableName.SecretV2).onDelete("CASCADE");
-      tb.timestamps(true, true, true);
-    });
-  }
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (!hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.jsonb("secretMetadata");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.ResourceMetadata);
-
-  const hasSecretMetadataField = await knex.schema.hasColumn(TableName.SecretApprovalRequestSecretV2, "secretMetadata");
-  if (hasSecretMetadataField) {
-    await knex.schema.alterTable(TableName.SecretApprovalRequestSecretV2, (t) => {
-      t.dropColumn("secretMetadata");
-    });
-  }
-}

backend/src/db/migrations/20241219210911_secret-sync.ts

@@ -10,34 +10,30 @@ export async function up(knex: Knex): Promise<void> {
       t.string("name", 32).notNullable();
       t.string("description");
       t.string("destination").notNullable();
-      t.boolean("isAutoSyncEnabled").notNullable().defaultTo(true);
+      t.boolean("isEnabled").notNullable().defaultTo(true);
       t.integer("version").defaultTo(1).notNullable();
       t.jsonb("destinationConfig").notNullable();
       t.jsonb("syncOptions").notNullable();
-      // we're including projectId in addition to folder ID because we allow folderId to be null (if the folder
-      // is deleted), to preserve sync configuration
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("folderId");
-      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("SET NULL");
+      t.uuid("folderId").notNullable();
+      t.foreign("folderId").references("id").inTable(TableName.SecretFolder).onDelete("CASCADE");
       t.uuid("connectionId").notNullable();
       t.foreign("connectionId").references("id").inTable(TableName.AppConnection);
       t.timestamps(true, true, true);
-      // sync secrets to destination
+      // sync
       t.string("syncStatus");
       t.string("lastSyncJobId");
       t.string("lastSyncMessage");
       t.datetime("lastSyncedAt");
-      // import secrets from destination
+      // import
       t.string("importStatus");
       t.string("lastImportJobId");
       t.string("lastImportMessage");
       t.datetime("lastImportedAt");
-      // remove secrets from destination
-      t.string("removeStatus");
-      t.string("lastRemoveJobId");
-      t.string("lastRemoveMessage");
-      t.datetime("lastRemovedAt");
+      // erase
+      t.string("eraseStatus");
+      t.string("lastEraseJobId");
+      t.string("lastEraseMessage");
+      t.datetime("lastErasedAt");
     });
 
     await createOnUpdateTrigger(knex, TableName.SecretSync);

backend/src/db/migrations/20250115222458_groups-unique-name.ts

@@ -1,49 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  // find any duplicate group names within organizations
-  const duplicates = await knex(TableName.Groups)
-    .select("orgId", "name")
-    .count("* as count")
-    .groupBy("orgId", "name")
-    .having(knex.raw("count(*) > 1"));
-
-  // for each set of duplicates, update all but one with a numbered suffix
-  for await (const duplicate of duplicates) {
-    const groups = await knex(TableName.Groups)
-      .select("id", "name")
-      .where({
-        orgId: duplicate.orgId,
-        name: duplicate.name
-      })
-      .orderBy("createdAt", "asc"); // keep original name for oldest group
-
-    // skip the first (oldest) group, rename others with numbered suffix
-    for (let i = 1; i < groups.length; i += 1) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.Groups)
-        .where("id", groups[i].id)
-        .update({
-          name: `${groups[i].name} (${i})`,
-
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore TS doesn't know about Knex's timestamp types
-          updatedAt: new Date()
-        });
-    }
-  }
-
-  // add the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.unique(["orgId", "name"]);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // Remove the unique constraint
-  await knex.schema.alterTable(TableName.Groups, (t) => {
-    t.dropUnique(["orgId", "name"]);
-  });
-}

backend/src/db/migrations/20250116092245_add-enforce-capitalization-project-flag.ts

@@ -1,33 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (!hasEnforceCapitalizationCol) {
-      t.boolean("enforceCapitalization").defaultTo(false).notNullable();
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(false).alter();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasEnforceCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "enforceCapitalization");
-  const hasAutoCapitalizationCol = await knex.schema.hasColumn(TableName.Project, "autoCapitalization");
-
-  await knex.schema.alterTable(TableName.Project, (t) => {
-    if (hasEnforceCapitalizationCol) {
-      t.dropColumn("enforceCapitalization");
-    }
-
-    if (hasAutoCapitalizationCol) {
-      t.boolean("autoCapitalization").defaultTo(true).alter();
-    }
-  });
-}

backend/src/db/schemas/index.ts

@@ -71,7 +71,6 @@ export * from "./project-user-additional-privilege";
 export * from "./project-user-membership-roles";
 export * from "./projects";
 export * from "./rate-limit";
-export * from "./resource-metadata";
 export * from "./saml-configs";
 export * from "./scim-tokens";
 export * from "./secret-approval-policies";

backend/src/db/schemas/models.ts

@@ -80,7 +80,6 @@ export enum TableName {
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   // used by both identity and users
   IdentityMetadata = "identity_metadata",
-  ResourceMetadata = "resource_metadata",
   ScimToken = "scim_tokens",
   AccessApprovalPolicy = "access_approval_policies",
   AccessApprovalPolicyApprover = "access_approval_policies_approvers",
@@ -216,12 +215,3 @@ export enum ProjectType {
   KMS = "kms",
   SSH = "ssh"
 }
-
-export enum ActionProjectType {
-  SecretManager = ProjectType.SecretManager,
-  CertificateManager = ProjectType.CertificateManager,
-  KMS = ProjectType.KMS,
-  SSH = ProjectType.SSH,
-  // project operations that happen on all types
-  Any = "any"
-}

backend/src/db/schemas/projects.ts

@@ -13,7 +13,7 @@ export const ProjectsSchema = z.object({
   id: z.string(),
   name: z.string(),
   slug: z.string(),
-  autoCapitalization: z.boolean().default(false).nullable().optional(),
+  autoCapitalization: z.boolean().default(true).nullable().optional(),
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
@@ -25,8 +25,7 @@ export const ProjectsSchema = z.object({
   kmsSecretManagerKeyId: z.string().uuid().nullable().optional(),
   kmsSecretManagerEncryptedDataKey: zodBuffer.nullable().optional(),
   description: z.string().nullable().optional(),
-  type: z.string(),
-  enforceCapitalization: z.boolean().default(false)
+  type: z.string()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/resource-metadata.ts

@@ -1,24 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ResourceMetadataSchema = z.object({
-  id: z.string().uuid(),
-  key: z.string(),
-  value: z.string(),
-  orgId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  identityId: z.string().uuid().nullable().optional(),
-  secretId: z.string().uuid().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TResourceMetadata = z.infer<typeof ResourceMetadataSchema>;
-export type TResourceMetadataInsert = Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>;
-export type TResourceMetadataUpdate = Partial<Omit<z.input<typeof ResourceMetadataSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/secret-approval-requests-secrets-v2.ts

@@ -24,8 +24,7 @@ export const SecretApprovalRequestsSecretsV2Schema = z.object({
   requestId: z.string().uuid(),
   op: z.string(),
   secretId: z.string().uuid().nullable().optional(),
-  secretVersion: z.string().uuid().nullable().optional(),
-  secretMetadata: z.unknown().nullable().optional()
+  secretVersion: z.string().uuid().nullable().optional()
 });
 
 export type TSecretApprovalRequestsSecretsV2 = z.infer<typeof SecretApprovalRequestsSecretsV2Schema>;

backend/src/db/schemas/secret-syncs.ts

@@ -12,12 +12,11 @@ export const SecretSyncsSchema = z.object({
   name: z.string(),
   description: z.string().nullable().optional(),
   destination: z.string(),
-  isAutoSyncEnabled: z.boolean().default(true),
+  isEnabled: z.boolean().default(true),
   version: z.number().default(1),
   destinationConfig: z.unknown(),
   syncOptions: z.unknown(),
-  projectId: z.string(),
-  folderId: z.string().uuid().nullable().optional(),
+  folderId: z.string().uuid(),
   connectionId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
@@ -29,10 +28,10 @@ export const SecretSyncsSchema = z.object({
   lastImportJobId: z.string().nullable().optional(),
   lastImportMessage: z.string().nullable().optional(),
   lastImportedAt: z.date().nullable().optional(),
-  removeStatus: z.string().nullable().optional(),
-  lastRemoveJobId: z.string().nullable().optional(),
-  lastRemoveMessage: z.string().nullable().optional(),
-  lastRemovedAt: z.date().nullable().optional()
+  eraseStatus: z.string().nullable().optional(),
+  lastEraseJobId: z.string().nullable().optional(),
+  lastEraseMessage: z.string().nullable().optional(),
+  lastErasedAt: z.date().nullable().optional()
 });
 
 export type TSecretSyncs = z.infer<typeof SecretSyncsSchema>;

backend/src/ee/routes/v1/index.ts

@@ -22,7 +22,6 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
-import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -93,7 +92,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
-  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });

backend/src/ee/routes/v1/org-role-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { OrgMembershipRole, OrgMembershipsSchema, OrgRolesSchema } from "@app/db/schemas";
+import { OrgPermissionSchema } from "@app/ee/services/permission/org-permission";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { slugSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -24,8 +25,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
         ),
         name: z.string().trim(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array()
-        permissions: z.any().array()
+        permissions: OrgPermissionSchema.array()
       }),
       response: {
         200: z.object({
@@ -97,8 +97,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .optional(),
         name: z.string().trim().optional(),
         description: z.string().trim().nullish(),
-        // TODO(scott): once UI refactored permissions: OrgPermissionSchema.array().optional()
-        permissions: z.any().array().optional()
+        permissions: OrgPermissionSchema.array().optional()
       }),
       response: {
         200: z.object({

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -12,7 +12,6 @@ import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const approvalRequestUser = z.object({ userId: z.string().nullable().optional() }).merge(
   UsersSchema.pick({
@@ -275,7 +274,6 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 .extend({
                   op: z.string(),
                   tags: tagSchema,
-                  secretMetadata: ResourceMetadataSchema.nullish(),
                   secret: z
                     .object({
                       id: z.string(),
@@ -293,8 +291,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                       secretKey: z.string(),
                       secretValue: z.string().optional(),
                       secretComment: z.string().optional(),
-                      tags: tagSchema,
-                      secretMetadata: ResourceMetadataSchema.nullish()
+                      tags: tagSchema
                     })
                     .optional()
                 })

backend/src/ee/routes/v1/secret-router.ts

@@ -1,71 +0,0 @@
-import z from "zod";
-
-import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
-import { RAW_SECRETS } from "@app/lib/api-docs";
-import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-const AccessListEntrySchema = z
-  .object({
-    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
-    id: z.string(),
-    membershipId: z.string(),
-    name: z.string()
-  })
-  .array();
-
-export const registerSecretRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "GET",
-    url: "/:secretName/access-list",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get list of users, machine identities, and groups with access to a secret",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
-      }),
-      querystring: z.object({
-        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
-        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
-        secretPath: z
-          .string()
-          .trim()
-          .default("/")
-          .transform(removeTrailingSlash)
-          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
-      }),
-      response: {
-        200: z.object({
-          groups: AccessListEntrySchema,
-          identities: AccessListEntrySchema,
-          users: AccessListEntrySchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { secretName } = req.params;
-      const { secretPath, environment, workspaceId: projectId } = req.query;
-
-      return server.services.secret.getSecretAccessList({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        secretPath,
-        environment,
-        projectId,
-        secretName
-      });
-    }
-  });
-};

backend/src/ee/routes/v1/secret-scanning-router.ts

@@ -1,13 +1,9 @@
 import { z } from "zod";
 
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import {
-  SecretScanningResolvedStatus,
-  SecretScanningRiskStatus
-} from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { SecretScanningRiskStatus } from "@app/ee/services/secret-scanning/secret-scanning-types";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -101,45 +97,6 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     }
   });
 
-  server.route({
-    url: "/organization/:organizationId/risks/export",
-    method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({ organizationId: z.string().trim() }),
-      querystring: z.object({
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-      response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const risks = await server.services.secretScanning.getAllRisksByOrg({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
-      });
-      return { risks };
-    }
-  });
-
   server.route({
     url: "/organization/:organizationId/risks",
     method: "GET",
@@ -148,46 +105,20 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
     },
     schema: {
       params: z.object({ organizationId: z.string().trim() }),
-
-      querystring: z.object({
-        offset: z.coerce.number().min(0).default(0),
-        limit: z.coerce.number().min(1).max(20000).default(100),
-        orderBy: z.enum(["createdAt", "name"]).default("createdAt"),
-        orderDirection: z.nativeEnum(OrderByDirection).default(OrderByDirection.DESC),
-        repositoryNames: z
-          .string()
-          .optional()
-          .nullable()
-          .transform((val) => (val ? val.split(",") : undefined)),
-        resolvedStatus: z.nativeEnum(SecretScanningResolvedStatus).optional()
-      }),
-
       response: {
-        200: z.object({
-          risks: SecretScanningGitRisksSchema.array(),
-          totalCount: z.number(),
-          repos: z.array(z.string())
-        })
+        200: z.object({ risks: SecretScanningGitRisksSchema.array() })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      const { risks, totalCount, repos } = await server.services.secretScanning.getRisksByOrg({
+      const { risks } = await server.services.secretScanning.getRisksByOrg({
         actor: req.permission.type,
         actorId: req.permission.id,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        orgId: req.params.organizationId,
-        filter: {
-          limit: req.query.limit,
-          offset: req.query.offset,
-          orderBy: req.query.orderBy,
-          orderDirection: req.query.orderDirection,
-          repositoryNames: req.query.repositoryNames,
-          resolvedStatus: req.query.resolvedStatus
-        }
+        orgId: req.params.organizationId
       });
-      return { risks, totalCount, repos };
+      return { risks };
     }
   });
 

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
@@ -87,14 +87,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!groupApprovers && approvals > userApprovers.length + userApproverNames.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -193,14 +193,7 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone in the project should be able to get the policies.
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId: project.id,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, project.id, actorAuthMethod, actorOrgId);
 
     const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id, deletedAt: null });
     return accessApprovalPolicies;
@@ -244,14 +237,14 @@ export const accessApprovalPolicyServiceFactory = ({
     if (!accessApprovalPolicy) {
       throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
     }
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalPolicy.projectId,
+      accessApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
@@ -328,14 +321,14 @@ export const accessApprovalPolicyServiceFactory = ({
     const policy = await accessApprovalPolicyDAL.findById(policyId);
     if (!policy) throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
@@ -379,14 +372,13 @@ export const accessApprovalPolicyServiceFactory = ({
 
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -419,14 +411,13 @@ export const accessApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: policy.projectId,
+      policy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,7 +1,7 @@
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -100,14 +100,13 @@ export const accessApprovalRequestServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -274,14 +273,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
@@ -320,14 +318,13 @@ export const accessApprovalRequestServiceFactory = ({
       });
     }
 
-    const { membership, hasRole } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: accessApprovalRequest.projectId,
+      accessApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
@@ -425,14 +422,13 @@ export const accessApprovalRequestServiceFactory = ({
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
-    const { membership } = await permissionService.getProjectPermission({
+    const { membership } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (!membership) {
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -93,7 +93,7 @@ export const auditLogStreamServiceFactory = ({
         }
       )
       .catch((err) => {
-        throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
+        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
     const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
     const logStream = await auditLogStreamDAL.create({

backend/src/ee/services/audit-log/audit-log-dal.ts

@@ -100,10 +100,10 @@ export const auditLogDALFactory = (db: TDbClient) => {
 
       // Filter by date range
       if (startDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" >= ?::timestamptz`, [startDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, ">=", startDate);
       }
       if (endDate) {
-        void sqlQuery.whereRaw(`"${TableName.AuditLog}"."createdAt" <= ?::timestamptz`, [endDate]);
+        void sqlQuery.where(`${TableName.AuditLog}.createdAt`, "<=", endDate);
       }
 
       // we timeout long running queries to prevent DB resource issues (2 minutes)

backend/src/ee/services/audit-log/audit-log-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -27,14 +26,13 @@ export const auditLogServiceFactory = ({
   const listAuditLogs = async ({ actorAuthMethod, actorId, actorOrgId, actor, filter }: TListProjectAuditLogDTO) => {
     // Filter logs for specific project
     if (filter.projectId) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
-        projectId: filter.projectId,
+        filter.projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.Any
-      });
+        actorOrgId
+      );
       ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
     } else {
       // Organization-wide logs

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -13,7 +13,7 @@ import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
 import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
-import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import {
   TCreateSecretSyncDTO,
   TDeleteSecretSyncDTO,
@@ -38,7 +38,7 @@ export type TListProjectAuditLogDTO = {
 
 export type TCreateAuditLogDTO = {
   event: Event;
-  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor | UnknownUserActor;
+  actor: UserActor | IdentityActor | ServiceActor | ScimClientActor | PlatformActor;
   orgId?: string;
   projectId?: string;
 } & BaseAuthData;
@@ -238,17 +238,14 @@ export enum EventType {
   CREATE_APP_CONNECTION = "create-app-connection",
   UPDATE_APP_CONNECTION = "update-app-connection",
   DELETE_APP_CONNECTION = "delete-app-connection",
-  CREATE_SHARED_SECRET = "create-shared-secret",
-  DELETE_SHARED_SECRET = "delete-shared-secret",
-  READ_SHARED_SECRET = "read-shared-secret",
   GET_SECRET_SYNCS = "get-secret-syncs",
   GET_SECRET_SYNC = "get-secret-sync",
   CREATE_SECRET_SYNC = "create-secret-sync",
   UPDATE_SECRET_SYNC = "update-secret-sync",
   DELETE_SECRET_SYNC = "delete-secret-sync",
-  SECRET_SYNC_SYNC_SECRETS = "secret-sync-sync-secrets",
-  SECRET_SYNC_IMPORT_SECRETS = "secret-sync-import-secrets",
-  SECRET_SYNC_REMOVE_SECRETS = "secret-sync-remove-secrets"
+  SYNC_SECRET_SYNC = "sync-secret-sync",
+  IMPORT_SECRET_SYNC = "import-secret-sync",
+  ERASE_SECRET_SYNC = "erase-secret-sync"
 }
 
 interface UserActorMetadata {
@@ -271,8 +268,6 @@ interface ScimClientActorMetadata {}
 
 interface PlatformActorMetadata {}
 
-interface UnknownUserActorMetadata {}
-
 export interface UserActor {
   type: ActorType.USER;
   metadata: UserActorMetadata;
@@ -288,11 +283,6 @@ export interface PlatformActor {
   metadata: PlatformActorMetadata;
 }
 
-export interface UnknownUserActor {
-  type: ActorType.UNKNOWN_USER;
-  metadata: UnknownUserActorMetadata;
-}
-
 export interface IdentityActor {
   type: ActorType.IDENTITY;
   metadata: IdentityActorMetadata;
@@ -1942,35 +1932,6 @@ interface DeleteAppConnectionEvent {
   };
 }
 
-interface CreateSharedSecretEvent {
-  type: EventType.CREATE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    accessType: string;
-    name?: string;
-    expiresAfterViews?: number;
-    usingPassword: boolean;
-    expiresAt: string;
-  };
-}
-
-interface DeleteSharedSecretEvent {
-  type: EventType.DELETE_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-  };
-}
-
-interface ReadSharedSecretEvent {
-  type: EventType.READ_SHARED_SECRET;
-  metadata: {
-    id: string;
-    name?: string;
-    accessType: string;
-  };
-}
-
 interface GetSecretSyncsEvent {
   type: EventType.GET_SECRET_SYNCS;
   metadata: {
@@ -1990,7 +1951,7 @@ interface GetSecretSyncEvent {
 
 interface CreateSecretSyncEvent {
   type: EventType.CREATE_SECRET_SYNC;
-  metadata: Omit<TCreateSecretSyncDTO, "projectId"> & { syncId: string };
+  metadata: TCreateSecretSyncDTO & { syncId: string };
 }
 
 interface UpdateSecretSyncEvent {
@@ -2003,11 +1964,11 @@ interface DeleteSecretSyncEvent {
   metadata: TDeleteSecretSyncDTO;
 }
 
-interface SecretSyncSyncSecretsEvent {
-  type: EventType.SECRET_SYNC_SYNC_SECRETS;
+interface SyncSecretSyncEvent {
+  type: EventType.SYNC_SECRET_SYNC;
   metadata: Pick<
     TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "connectionId" | "folderId"
+    "syncOptions" | "destinationConfig" | "destination" | "syncStatus" | "environment" | "connectionId" | "folderId"
   > & {
     syncId: string;
     syncMessage: string | null;
@@ -2016,28 +1977,27 @@ interface SecretSyncSyncSecretsEvent {
   };
 }
 
-interface SecretSyncImportSecretsEvent {
-  type: EventType.SECRET_SYNC_IMPORT_SECRETS;
+interface ImportSecretSyncEvent {
+  type: EventType.IMPORT_SECRET_SYNC;
   metadata: Pick<
     TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "connectionId" | "folderId"
+    "syncOptions" | "destinationConfig" | "destination" | "importStatus" | "environment" | "connectionId" | "folderId"
   > & {
     syncId: string;
     importMessage: string | null;
     jobId: string;
     jobRanAt: Date;
-    importBehavior: SecretSyncImportBehavior;
   };
 }
 
-interface SecretSyncRemoveSecretsEvent {
-  type: EventType.SECRET_SYNC_REMOVE_SECRETS;
+interface EraseSecretSyncEvent {
+  type: EventType.ERASE_SECRET_SYNC;
   metadata: Pick<
     TSecretSyncRaw,
-    "syncOptions" | "destinationConfig" | "destination" | "removeStatus" | "connectionId" | "folderId"
+    "syncOptions" | "destinationConfig" | "destination" | "eraseStatus" | "environment" | "connectionId" | "folderId"
   > & {
     syncId: string;
-    removeMessage: string | null;
+    eraseMessage: string | null;
     jobId: string;
     jobRanAt: Date;
   };
@@ -2221,14 +2181,11 @@ export type Event =
   | CreateAppConnectionEvent
   | UpdateAppConnectionEvent
   | DeleteAppConnectionEvent
-  | CreateSharedSecretEvent
-  | DeleteSharedSecretEvent
-  | ReadSharedSecretEvent
   | GetSecretSyncsEvent
   | GetSecretSyncEvent
   | CreateSecretSyncEvent
   | UpdateSecretSyncEvent
   | DeleteSecretSyncEvent
-  | SecretSyncSyncSecretsEvent
-  | SecretSyncImportSecretsEvent
-  | SecretSyncRemoveSecretsEvent;
+  | SyncSecretSyncEvent
+  | ImportSecretSyncEvent
+  | EraseSecretSyncEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -1,7 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -67,14 +66,13 @@ export const certificateAuthorityCrlServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/dynamic-secret-lease/dynamic-secret-lease-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -67,14 +67,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -147,14 +147,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -227,14 +227,14 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -297,14 +297,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -340,14 +339,13 @@ export const dynamicSecretLeaseServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.Lease,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType, SecretKeyEncoding } from "@app/db/schemas";
+import { ProjectType, SecretKeyEncoding } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import {
@@ -73,14 +73,14 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.CreateRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -145,14 +145,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.EditRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -229,14 +229,14 @@ export const dynamicSecretServiceFactory = ({
 
     const projectId = project.id;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.DeleteRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -290,14 +290,13 @@ export const dynamicSecretServiceFactory = ({
     if (!project) throw new NotFoundError({ message: `Project with slug '${projectSlug}' not found` });
 
     const projectId = project.id;
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -341,14 +340,13 @@ export const dynamicSecretServiceFactory = ({
     isInternal
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>
@@ -385,14 +383,13 @@ export const dynamicSecretServiceFactory = ({
     search,
     projectId
   }: TGetDynamicSecretsCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -434,14 +431,13 @@ export const dynamicSecretServiceFactory = ({
       projectId = project.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionDynamicSecretActions.ReadRootCredential,
       subject(ProjectPermissionSub.DynamicSecrets, { environment: environmentSlug, secretPath: path })
@@ -466,14 +462,13 @@ export const dynamicSecretServiceFactory = ({
     { folderMappings, filters, projectId }: TListDynamicSecretsByFolderMappingsDTO,
     actor: OrgServiceActor
   ) => {
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
       projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actor.authMethod,
+      actor.orgId
+    );
 
     const userAccessibleFolderMappings = folderMappings.filter(({ path, environment }) =>
       permission.can(
@@ -512,14 +507,13 @@ export const dynamicSecretServiceFactory = ({
     ...params
   }: TListDynamicSecretsMultiEnvDTO) => {
     if (!isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
+      const { permission } = await permissionService.getProjectPermission(
         actor,
         actorId,
         projectId,
         actorAuthMethod,
-        actorOrgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        actorOrgId
+      );
 
       // verify user has access to each env in request
       environmentSlugs.forEach((environmentSlug) =>

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,8 +34,6 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
-    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
-
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -45,16 +43,7 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 },
-        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
-        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
-        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
-        options: isMsSQLClient
-          ? {
-              trustServerCertificate: !providerInputs.ca,
-              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
-            }
-          : undefined
+        pool: { min: 0, max: 1 }
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -1,9 +1,7 @@
-import { KMSServiceException } from "@aws-sdk/client-kms";
-import { STSServiceException } from "@aws-sdk/client-sts";
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 
-import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -73,16 +71,7 @@ export const externalKmsServiceFactory = ({
     switch (provider.type) {
       case KmsProviders.Aws:
         {
-          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs }).catch((error) => {
-            if (error instanceof STSServiceException || error instanceof KMSServiceException) {
-              throw new InternalServerError({
-                message: error.message ? `AWS error: ${error.message}` : ""
-              });
-            }
-
-            throw error;
-          });
-
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
           // if missing kms key this generate a new kms key id and returns new provider input
           const newProviderInput = await externalKms.generateInputKmsKey();
           sanitizedProviderInput = JSON.stringify(newProviderInput);

backend/src/ee/services/group/group-service.ts

@@ -32,7 +32,7 @@ type TGroupServiceFactoryDep = {
   userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
   groupDAL: Pick<
     TGroupDALFactory,
-    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
+    "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   orgDAL: Pick<TOrgDALFactory, "findMembership" | "countAllOrgMembers">;
@@ -88,26 +88,12 @@ export const groupServiceFactory = ({
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to create a more privileged group" });
 
-    const group = await groupDAL.transaction(async (tx) => {
-      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-      if (existingGroup) {
-        throw new BadRequestError({
-          message: `Failed to create group with name '${name}'. Group with the same name already exists`
-        });
-      }
-
-      const newGroup = await groupDAL.create(
-        {
-          name,
-          slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
-          orgId: actorOrgId,
-          role: isCustomRole ? OrgMembershipRole.Custom : role,
-          roleId: customRole?.id
-        },
-        tx
-      );
-
-      return newGroup;
+    const group = await groupDAL.create({
+      name,
+      slug: slug || slugify(`${name}-${alphaNumericNanoId(4)}`),
+      orgId: actorOrgId,
+      role: isCustomRole ? OrgMembershipRole.Custom : role,
+      roleId: customRole?.id
     });
 
     return group;
@@ -159,36 +145,21 @@ export const groupServiceFactory = ({
       if (isCustomRole) customRole = customOrgRole;
     }
 
-    const updatedGroup = await groupDAL.transaction(async (tx) => {
-      if (name) {
-        const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
-
-        if (existingGroup && existingGroup.id !== id) {
-          throw new BadRequestError({
-            message: `Failed to update group with name '${name}'. Group with the same name already exists`
-          });
-        }
+    const [updatedGroup] = await groupDAL.update(
+      {
+        id: group.id
+      },
+      {
+        name,
+        slug: slug ? slugify(slug) : undefined,
+        ...(role
+          ? {
+              role: customRole ? OrgMembershipRole.Custom : role,
+              roleId: customRole?.id ?? null
+            }
+          : {})
       }
-
-      const [updated] = await groupDAL.update(
-        {
-          id: group.id
-        },
-        {
-          name,
-          slug: slug ? slugify(slug) : undefined,
-          ...(role
-            ? {
-                role: customRole ? OrgMembershipRole.Custom : role,
-                roleId: customRole?.id ?? null
-              }
-            : {})
-        },
-        tx
-      );
-
-      return updated;
-    });
+    );
 
     return updatedGroup;
   };

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import { packRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { unpackPermissions } from "@app/server/routes/santizedSchemas/permission";
@@ -55,26 +55,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -137,26 +135,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -219,26 +215,24 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
     );
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to update more privileged identity" });
@@ -266,14 +260,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: `Failed to find identity with membership ${identityPrivilege.projectMembershipId}`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -301,14 +294,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })
@@ -337,14 +329,13 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId: identityProjectMembership.identityId })

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -2,7 +2,6 @@ import { ForbiddenError, MongoAbility, RawRuleOf, subject } from "@casl/ability"
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -63,27 +62,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -146,28 +143,26 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: targetIdentityPermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -247,27 +242,25 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityProjectMembership.identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityProjectMembership.identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     const hasRequiredPriviledges = isAtLeastAsPrivileged(permission, identityRolePermission);
     if (!hasRequiredPriviledges)
       throw new ForbiddenRequestError({ message: "Failed to edit more privileged identity" });
@@ -306,14 +299,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Identity, { identityId })
@@ -349,14 +341,13 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityProjectMembership = await identityProjectDAL.findOne({ identityId, projectId });
     if (!identityProjectMembership)
       throw new NotFoundError({ message: `Failed to find identity with id ${identityId}` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: identityProjectMembership.projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -476,14 +476,14 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
         // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
         throw new BadRequestError({
           message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
         });
       }
 
-      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
           message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."

backend/src/ee/services/license/license-fns.ts

@@ -24,7 +24,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   rbac: false,
   customRateLimits: false,
   customAlerts: false,
-  secretAccessInsights: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
   auditLogStreams: false,
@@ -50,7 +49,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   },
   pkiEst: false,
   enforceMfa: false,
-  projectTemplates: false
+  projectTemplates: false,
+  appConnections: false
 });
 
 export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-types.ts

@@ -48,7 +48,6 @@ export type TFeatureSet = {
   samlSSO: false;
   hsm: false;
   oidcSSO: false;
-  secretAccessInsights: false;
   scim: false;
   ldap: false;
   groups: false;
@@ -68,6 +67,7 @@ export type TFeatureSet = {
   pkiEst: boolean;
   enforceMfa: boolean;
   projectTemplates: false;
+  appConnections: false; // TODO: remove once live
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/permission/org-permission.ts

@@ -245,11 +245,16 @@ const buildAdminPermission = () => {
   can(OrgPermissionActions.Edit, OrgPermissionSubjects.ProjectTemplates);
   can(OrgPermissionActions.Delete, OrgPermissionSubjects.ProjectTemplates);
 
-  can(OrgPermissionAppConnectionActions.Read, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Create, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Edit, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Delete, OrgPermissionSubjects.AppConnections);
-  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
+  can(
+    [
+      OrgPermissionAppConnectionActions.Create,
+      OrgPermissionAppConnectionActions.Edit,
+      OrgPermissionAppConnectionActions.Delete,
+      OrgPermissionAppConnectionActions.Read,
+      OrgPermissionAppConnectionActions.Connect
+    ],
+    OrgPermissionSubjects.AppConnections
+  );
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 

backend/src/ee/services/permission/permission-dal.ts

@@ -125,404 +125,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getProjectGroupPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.GroupProjectMembership)
-        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
-        .join(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
-        .select(
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Groups).as("groupId"),
-          db.ref("name").withSchema(TableName.Groups).as("groupName"),
-          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
-        );
-
-      const groupPermissions = sqlNestRelationships({
-        data: docs,
-        key: "groupId",
-        parentMapper: ({ groupId, groupName, membershipId }) => ({
-          groupId,
-          username: groupName,
-          id: membershipId
-        }),
-        childrenMapper: [
-          {
-            key: "groupProjectMembershipRoleId",
-            label: "groupRoles" as const,
-            mapper: ({
-              groupProjectMembershipRoleId,
-              groupProjectMembershipRole,
-              groupProjectMembershipRolePermission,
-              groupProjectMembershipRoleCustomRoleSlug,
-              groupProjectMembershipRoleIsTemporary,
-              groupProjectMembershipRoleTemporaryMode,
-              groupProjectMembershipRoleTemporaryAccessEndTime,
-              groupProjectMembershipRoleTemporaryAccessStartTime,
-              groupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: groupProjectMembershipRoleId,
-              role: groupProjectMembershipRole,
-              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
-              permissions: groupProjectMembershipRolePermission,
-              temporaryRange: groupProjectMembershipRoleTemporaryRange,
-              temporaryMode: groupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: groupProjectMembershipRoleIsTemporary
-            })
-          }
-        ]
-      });
-
-      return groupPermissions
-        .map((groupPermission) => {
-          if (!groupPermission) return undefined;
-
-          const activeGroupRoles =
-            groupPermission?.groupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...groupPermission,
-            roles: activeGroupRoles
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
-    }
-  };
-
-  const getProjectUserPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.Users)
-        .where("isGhost", "=", false)
-        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
-          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
-        })
-        .leftJoin(
-          TableName.GroupProjectMembershipRole,
-          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
-          `${TableName.GroupProjectMembership}.id`
-        )
-        .leftJoin<TProjectRoles>(
-          { groupCustomRoles: TableName.ProjectRoles },
-          `${TableName.GroupProjectMembershipRole}.customRoleId`,
-          `groupCustomRoles.id`
-        )
-        .join(TableName.ProjectMembership, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
-        })
-        .leftJoin(
-          TableName.ProjectUserMembershipRole,
-          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
-          `${TableName.ProjectMembership}.id`
-        )
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.ProjectUserMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
-            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
-        })
-        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
-        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
-            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .select(
-          db.ref("id").withSchema(TableName.Users).as("userId"),
-          db.ref("username").withSchema(TableName.Users).as("username"),
-          // groups specific
-          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
-          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
-          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
-          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
-          db
-            .ref("customRoleId")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleCustomRoleId"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.GroupProjectMembershipRole)
-            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
-          // user specific
-          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
-          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
-          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
-          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserMembershipRole)
-            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
-          db
-            .ref("permissions")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryMode"),
-          db
-            .ref("isTemporary")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryRange"),
-          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
-          // general
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
-          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
-          db.ref("orgId").withSchema(TableName.Project),
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
-
-      const userPermissions = sqlNestRelationships({
-        data: docs,
-        key: "userId",
-        parentMapper: ({
-          orgId,
-          username,
-          orgAuthEnforced,
-          membershipId,
-          groupMembershipId,
-          membershipCreatedAt,
-          groupMembershipCreatedAt,
-          groupMembershipUpdatedAt,
-          membershipUpdatedAt,
-          projectType,
-          userId
-        }) => ({
-          orgId,
-          orgAuthEnforced,
-          userId,
-          projectId,
-          username,
-          projectType,
-          id: membershipId || groupMembershipId,
-          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
-          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
-        }),
-        childrenMapper: [
-          {
-            key: "userGroupProjectMembershipRoleId",
-            label: "userGroupRoles" as const,
-            mapper: ({
-              userGroupProjectMembershipRoleId,
-              userGroupProjectMembershipRole,
-              userGroupProjectMembershipRolePermission,
-              userGroupProjectMembershipRoleCustomRoleSlug,
-              userGroupProjectMembershipRoleIsTemporary,
-              userGroupProjectMembershipRoleTemporaryMode,
-              userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              userGroupProjectMembershipRoleTemporaryRange
-            }) => ({
-              id: userGroupProjectMembershipRoleId,
-              role: userGroupProjectMembershipRole,
-              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
-              permissions: userGroupProjectMembershipRolePermission,
-              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
-              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userGroupProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userProjectMembershipRoleId",
-            label: "projectMembershipRoles" as const,
-            mapper: ({
-              userProjectMembershipRoleId,
-              userProjectMembershipRole,
-              userProjectCustomRolePermission,
-              userProjectMembershipRoleIsTemporary,
-              userProjectMembershipRoleTemporaryMode,
-              userProjectMembershipRoleTemporaryRange,
-              userProjectMembershipRoleTemporaryAccessEndTime,
-              userProjectMembershipRoleTemporaryAccessStartTime,
-              userProjectMembershipRoleCustomRoleSlug
-            }) => ({
-              id: userProjectMembershipRoleId,
-              role: userProjectMembershipRole,
-              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
-              permissions: userProjectCustomRolePermission,
-              temporaryRange: userProjectMembershipRoleTemporaryRange,
-              temporaryMode: userProjectMembershipRoleTemporaryMode,
-              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
-              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
-              isTemporary: userProjectMembershipRoleIsTemporary
-            })
-          },
-          {
-            key: "userAdditionalPrivilegesId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              userAdditionalPrivilegesId,
-              userAdditionalPrivilegesPermissions,
-              userAdditionalPrivilegesIsTemporary,
-              userAdditionalPrivilegesTemporaryMode,
-              userAdditionalPrivilegesTemporaryRange,
-              userAdditionalPrivilegesTemporaryAccessEndTime,
-              userAdditionalPrivilegesTemporaryAccessStartTime
-            }) => ({
-              id: userAdditionalPrivilegesId,
-              permissions: userAdditionalPrivilegesPermissions,
-              temporaryRange: userAdditionalPrivilegesTemporaryRange,
-              temporaryMode: userAdditionalPrivilegesTemporaryMode,
-              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
-              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
-              isTemporary: userAdditionalPrivilegesIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return userPermissions
-        .map((userPermission) => {
-          if (!userPermission) return undefined;
-          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
-
-          // when introducting cron mode change it here
-          const activeRoles =
-            userPermission?.projectMembershipRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeGroupRoles =
-            userPermission?.userGroupRoles?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          const activeAdditionalPrivileges =
-            userPermission?.additionalPrivileges?.filter(
-              ({ isTemporary, temporaryAccessEndTime }) =>
-                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-            ) ?? [];
-
-          return {
-            ...userPermission,
-            roles: [...activeRoles, ...activeGroupRoles],
-            additionalPrivileges: activeAdditionalPrivileges
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
-    }
-  };
-
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
       const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@@ -812,163 +414,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
-  const getProjectIdentityPermissions = async (projectId: string) => {
-    try {
-      const docs = await db
-        .replicaNode()(TableName.IdentityProjectMembership)
-        .join(
-          TableName.IdentityProjectMembershipRole,
-          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
-        .leftJoin(
-          TableName.ProjectRoles,
-          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
-          `${TableName.ProjectRoles}.id`
-        )
-        .leftJoin(
-          TableName.IdentityProjectAdditionalPrivilege,
-          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
-          `${TableName.IdentityProjectMembership}.id`
-        )
-        .join(
-          // Join the Project table to later select orgId
-          TableName.Project,
-          `${TableName.IdentityProjectMembership}.projectId`,
-          `${TableName.Project}.id`
-        )
-        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
-          void queryBuilder
-            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
-            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
-        })
-        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
-        .select(
-          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
-          db.ref("id").withSchema(TableName.Identity).as("identityId"),
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
-          db.ref("type").withSchema(TableName.Project).as("projectType"),
-          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
-          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
-          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
-          db.ref("permissions").withSchema(TableName.ProjectRoles),
-          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
-          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
-          db
-            .ref("temporaryMode")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryMode"),
-          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
-          db
-            .ref("temporaryRange")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
-            .as("identityApTemporaryAccessEndTime"),
-          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
-        );
-
-      const permissions = sqlNestRelationships({
-        data: docs,
-        key: "identityId",
-        parentMapper: ({
-          membershipId,
-          membershipCreatedAt,
-          membershipUpdatedAt,
-          orgId,
-          identityName,
-          projectType,
-          identityId
-        }) => ({
-          id: membershipId,
-          identityId,
-          username: identityName,
-          projectId,
-          createdAt: membershipCreatedAt,
-          updatedAt: membershipUpdatedAt,
-          orgId,
-          projectType,
-          // just a prefilled value
-          orgAuthEnforced: false
-        }),
-        childrenMapper: [
-          {
-            key: "id",
-            label: "roles" as const,
-            mapper: (data) =>
-              IdentityProjectMembershipRoleSchema.extend({
-                permissions: z.unknown(),
-                customRoleSlug: z.string().optional().nullable()
-              }).parse(data)
-          },
-          {
-            key: "identityApId",
-            label: "additionalPrivileges" as const,
-            mapper: ({
-              identityApId,
-              identityApPermissions,
-              identityApIsTemporary,
-              identityApTemporaryMode,
-              identityApTemporaryRange,
-              identityApTemporaryAccessEndTime,
-              identityApTemporaryAccessStartTime
-            }) => ({
-              id: identityApId,
-              permissions: identityApPermissions,
-              temporaryRange: identityApTemporaryRange,
-              temporaryMode: identityApTemporaryMode,
-              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
-              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
-              isTemporary: identityApIsTemporary
-            })
-          },
-          {
-            key: "metadataId",
-            label: "metadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
-          }
-        ]
-      });
-
-      return permissions
-        .map((permission) => {
-          if (!permission) {
-            return undefined;
-          }
-
-          // when introducting cron mode change it here
-          const activeRoles = permission?.roles.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
-            ({ isTemporary, temporaryAccessEndTime }) =>
-              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
-          );
-
-          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
-        })
-        .filter((item): item is NonNullable<typeof item> => Boolean(item));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
-    }
-  };
-
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
       const docs = await db
@@ -1123,9 +568,6 @@ export const permissionDALFactory = (db: TDbClient) => {
     getOrgPermission,
     getOrgIdentityPermission,
     getProjectPermission,
-    getProjectIdentityPermission,
-    getProjectUserPermissions,
-    getProjectIdentityPermissions,
-    getProjectGroupPermissions
+    getProjectIdentityPermission
   };
 };

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,6 +1,3 @@
-import { ActionProjectType } from "@app/db/schemas";
-import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-
 export type TBuildProjectPermissionDTO = {
   permissions?: unknown;
   role: string;
@@ -10,34 +7,3 @@ export type TBuildOrgPermissionDTO = {
   permissions?: unknown;
   role: string;
 }[];
-
-export type TGetUserProjectPermissionArg = {
-  userId: string;
-  projectId: string;
-  authMethod: ActorAuthMethod;
-  actionProjectType: ActionProjectType;
-  userOrgId?: string;
-};
-
-export type TGetIdentityProjectPermissionArg = {
-  identityId: string;
-  projectId: string;
-  identityOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetServiceTokenProjectPermissionArg = {
-  serviceTokenId: string;
-  projectId: string;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};
-
-export type TGetProjectPermissionArg = {
-  actor: ActorType;
-  actorId: string;
-  projectId: string;
-  actorAuthMethod: ActorAuthMethod;
-  actorOrgId?: string;
-  actionProjectType: ActionProjectType;
-};

backend/src/ee/services/permission/permission-service.ts

@@ -4,9 +4,9 @@ import { MongoQuery } from "@ucast/mongo2js";
 import handlebars from "handlebars";
 
 import {
-  ActionProjectType,
   OrgMembershipRole,
   ProjectMembershipRole,
+  ProjectType,
   ServiceTokenScopes,
   TIdentityProjectMemberships,
   TProjectMemberships
@@ -23,14 +23,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok
 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
 import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
-import {
-  TBuildOrgPermissionDTO,
-  TBuildProjectPermissionDTO,
-  TGetIdentityProjectPermissionArg,
-  TGetProjectPermissionArg,
-  TGetServiceTokenProjectPermissionArg,
-  TGetUserProjectPermissionArg
-} from "./permission-service-types";
+import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
   buildServiceTokenProjectPermission,
   projectAdminPermissions,
@@ -200,13 +193,12 @@ export const permissionServiceFactory = ({
   };
 
   // user permission for a project in an organization
-  const getUserProjectPermission = async ({
-    userId,
-    projectId,
-    authMethod,
-    userOrgId,
-    actionProjectType
-  }: TGetUserProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.USER>> => {
+  const getUserProjectPermission = async (
+    userId: string,
+    projectId: string,
+    authMethod: ActorAuthMethod,
+    userOrgId?: string
+  ): Promise<TProjectPermissionRT<ActorType.USER>> => {
     const userProjectPermission = await permissionDAL.getProjectPermission(userId, projectId);
     if (!userProjectPermission) throw new ForbiddenRequestError({ name: "User not a part of the specified project" });
 
@@ -227,12 +219,6 @@ export const permissionServiceFactory = ({
 
     validateOrgSSO(authMethod, userProjectPermission.orgAuthEnforced);
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== userProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     // join two permissions and pass to build the final permission set
     const rolePermissions = userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -270,6 +256,13 @@ export const permissionServiceFactory = ({
     return {
       permission,
       membership: userProjectPermission,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== userProjectPermission.projectType) {
+          throw new BadRequestError({
+            message: `The project is of type ${userProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      },
       hasRole: (role: string) =>
         userProjectPermission.roles.findIndex(
           ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -277,12 +270,11 @@ export const permissionServiceFactory = ({
     };
   };
 
-  const getIdentityProjectPermission = async ({
-    identityId,
-    projectId,
-    identityOrgId,
-    actionProjectType
-  }: TGetIdentityProjectPermissionArg): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
+  const getIdentityProjectPermission = async (
+    identityId: string,
+    projectId: string,
+    identityOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<ActorType.IDENTITY>> => {
     const identityProjectPermission = await permissionDAL.getProjectIdentityPermission(identityId, projectId);
     if (!identityProjectPermission)
       throw new ForbiddenRequestError({
@@ -301,12 +293,6 @@ export const permissionServiceFactory = ({
       throw new ForbiddenRequestError({ name: "Identity is not a member of the specified organization" });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== identityProjectPermission.projectType) {
-      throw new BadRequestError({
-        message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const rolePermissions =
       identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
     const additionalPrivileges =
@@ -345,6 +331,13 @@ export const permissionServiceFactory = ({
     return {
       permission,
       membership: identityProjectPermission,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== identityProjectPermission.projectType) {
+          throw new BadRequestError({
+            message: `The project is of type ${identityProjectPermission.projectType}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      },
       hasRole: (role: string) =>
         identityProjectPermission.roles.findIndex(
           ({ role: slug, customRoleSlug }) => role === slug || slug === customRoleSlug
@@ -352,12 +345,11 @@ export const permissionServiceFactory = ({
     };
   };
 
-  const getServiceTokenProjectPermission = async ({
-    serviceTokenId,
-    projectId,
-    actorOrgId,
-    actionProjectType
-  }: TGetServiceTokenProjectPermissionArg) => {
+  const getServiceTokenProjectPermission = async (
+    serviceTokenId: string,
+    projectId: string,
+    actorOrgId: string | undefined
+  ) => {
     const serviceToken = await serviceTokenDAL.findById(serviceTokenId);
     if (!serviceToken) throw new NotFoundError({ message: `Service token with ID '${serviceTokenId}' not found` });
 
@@ -381,16 +373,17 @@ export const permissionServiceFactory = ({
       });
     }
 
-    if (actionProjectType !== ActionProjectType.Any && actionProjectType !== serviceTokenProject.type) {
-      throw new BadRequestError({
-        message: `The project is of type ${serviceTokenProject.type}. Operations of type ${actionProjectType} are not allowed.`
-      });
-    }
-
     const scopes = ServiceTokenScopes.parse(serviceToken.scopes || []);
     return {
       permission: buildServiceTokenProjectPermission(scopes, serviceToken.permissions),
-      membership: undefined
+      membership: undefined,
+      ForbidOnInvalidProjectType: (productType: ProjectType) => {
+        if (productType !== serviceTokenProject.type) {
+          throw new BadRequestError({
+            message: `The project is of type ${serviceTokenProject.type}. Operations of type ${productType} are not allowed.`
+          });
+        }
+      }
     };
   };
 
@@ -399,6 +392,7 @@ export const permissionServiceFactory = ({
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
         membership: undefined;
         hasRole: (arg: string) => boolean;
+        ForbidOnInvalidProjectType: (type: ProjectType) => void;
       } // service token doesn't have both membership and roles
     : {
         permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
@@ -408,156 +402,23 @@ export const permissionServiceFactory = ({
           roles: Array<{ role: string }>;
         };
         hasRole: (role: string) => boolean;
+        ForbidOnInvalidProjectType: (type: ProjectType) => void;
       };
 
-  const getProjectPermissions = async (projectId: string) => {
-    // fetch user permissions
-    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
-    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
-      const rolePermissions =
-        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          userProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: userProjectPermission.userId,
-            username: userProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: userProjectPermission.userId,
-        name: userProjectPermission.username,
-        membershipId: userProjectPermission.id
-      };
-    });
-
-    // fetch identity permissions
-    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
-    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
-      const rolePermissions =
-        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const additionalPrivileges =
-        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
-          role: ProjectMembershipRole.Custom,
-          permissions
-        })) || [];
-
-      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
-      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
-        objectify(
-          identityProjectPermission.metadata,
-          (i) => i.key,
-          (i) => i.value
-        )
-      );
-
-      const interpolateRules = templatedRules(
-        {
-          identity: {
-            id: identityProjectPermission.identityId,
-            username: identityProjectPermission.username,
-            metadata: metadataKeyValuePair
-          }
-        },
-        { data: false }
-      );
-      const permission = createMongoAbility<ProjectPermissionSet>(
-        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
-        {
-          conditionsMatcher
-        }
-      );
-
-      return {
-        permission,
-        id: identityProjectPermission.identityId,
-        name: identityProjectPermission.username,
-        membershipId: identityProjectPermission.id
-      };
-    });
-
-    // fetch group permissions
-    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
-    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
-      const rolePermissions =
-        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
-      const rules = buildProjectPermissionRules(rolePermissions);
-      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
-        conditionsMatcher
-      });
-
-      return {
-        permission,
-        id: groupProjectPermission.groupId,
-        name: groupProjectPermission.username,
-        membershipId: groupProjectPermission.id
-      };
-    });
-
-    return {
-      userPermissions,
-      identityPermissions,
-      groupPermissions
-    };
-  };
-
-  const getProjectPermission = async <T extends ActorType>({
-    actor,
-    actorId,
-    projectId,
-    actorAuthMethod,
-    actorOrgId,
-    actionProjectType
-  }: TGetProjectPermissionArg): Promise<TProjectPermissionRT<T>> => {
-    switch (actor) {
+  const getProjectPermission = async <T extends ActorType>(
+    type: T,
+    id: string,
+    projectId: string,
+    actorAuthMethod: ActorAuthMethod,
+    actorOrgId: string | undefined
+  ): Promise<TProjectPermissionRT<T>> => {
+    switch (type) {
       case ActorType.USER:
-        return getUserProjectPermission({
-          userId: actorId,
-          projectId,
-          authMethod: actorAuthMethod,
-          userOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getUserProjectPermission(id, projectId, actorAuthMethod, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       case ActorType.SERVICE:
-        return getServiceTokenProjectPermission({
-          serviceTokenId: actorId,
-          projectId,
-          actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getServiceTokenProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       case ActorType.IDENTITY:
-        return getIdentityProjectPermission({
-          identityId: actorId,
-          projectId,
-          identityOrgId: actorOrgId,
-          actionProjectType
-        }) as Promise<TProjectPermissionRT<T>>;
+        return getIdentityProjectPermission(id, projectId, actorOrgId) as Promise<TProjectPermissionRT<T>>;
       default:
         throw new BadRequestError({
           message: "Invalid actor provided",
@@ -594,7 +455,6 @@ export const permissionServiceFactory = ({
     getOrgPermission,
     getUserProjectPermission,
     getProjectPermission,
-    getProjectPermissions,
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,

backend/src/ee/services/permission/project-permission.ts

@@ -34,16 +34,6 @@ export enum ProjectPermissionDynamicSecretActions {
   Lease = "lease"
 }
 
-export enum ProjectPermissionSecretSyncActions {
-  Read = "read",
-  Create = "create",
-  Edit = "edit",
-  Delete = "delete",
-  SyncSecrets = "sync-secrets",
-  ImportSecrets = "import-secrets",
-  RemoveSecrets = "remove-secrets"
-}
-
 export enum ProjectPermissionSub {
   Role = "role",
   Member = "member",
@@ -155,7 +145,7 @@ export type ProjectPermissionSet =
   | [ProjectPermissionActions, ProjectPermissionSub.SshCertificateTemplates]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
   | [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
-  | [ProjectPermissionSecretSyncActions, ProjectPermissionSub.SecretSyncs]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretSyncs]
   | [ProjectPermissionCmekActions, ProjectPermissionSub.Cmek]
   | [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]
   | [ProjectPermissionActions.Edit, ProjectPermissionSub.Project]
@@ -406,7 +396,7 @@ const GeneralPermissionSchema = [
   }),
   z.object({
     subject: z.literal(ProjectPermissionSub.SecretSyncs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionSecretSyncActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
       "Describe what action an entity can take."
     )
   })
@@ -524,7 +514,8 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.PkiCollections,
     ProjectPermissionSub.SshCertificateAuthorities,
     ProjectPermissionSub.SshCertificates,
-    ProjectPermissionSub.SshCertificateTemplates
+    ProjectPermissionSub.SshCertificateTemplates,
+    ProjectPermissionSub.SecretSyncs
   ].forEach((el) => {
     can(
       [
@@ -562,18 +553,6 @@ const buildAdminPermissionRules = () => {
     ],
     ProjectPermissionSub.Cmek
   );
-  can(
-    [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
-    ],
-    ProjectPermissionSub.SecretSyncs
-  );
   return rules;
 };
 
@@ -740,13 +719,10 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretSyncActions.Create,
-      ProjectPermissionSecretSyncActions.Edit,
-      ProjectPermissionSecretSyncActions.Delete,
-      ProjectPermissionSecretSyncActions.Read,
-      ProjectPermissionSecretSyncActions.SyncSecrets,
-      ProjectPermissionSecretSyncActions.ImportSecrets,
-      ProjectPermissionSecretSyncActions.RemoveSecrets
+      ProjectPermissionActions.Read,
+      ProjectPermissionActions.Edit,
+      ProjectPermissionActions.Create,
+      ProjectPermissionActions.Delete
     ],
     ProjectPermissionSub.SecretSyncs
   );
@@ -784,7 +760,7 @@ const buildViewerPermissionRules = () => {
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateAuthorities);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificates);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SshCertificateTemplates);
-  can(ProjectPermissionSecretSyncActions.Read, ProjectPermissionSub.SecretSyncs);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretSyncs);
 
   return rules;
 };

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
 import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import ms from "ms";
 
-import { ActionProjectType, TableName } from "@app/db/schemas";
+import { TableName } from "@app/db/schemas";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { UnpackedPermissionSchema } from "@app/server/routes/santizedSchemas/permission";
@@ -55,23 +55,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (!projectMembership)
       throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
-      actorId: projectMembership.userId,
-      projectId: projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      projectMembership.userId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -142,23 +140,21 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
-    const { permission: targetUserPermission } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
-      actorId: projectMembership.userId,
-      projectId: projectMembership.projectId,
+    const { permission: targetUserPermission } = await permissionService.getProjectPermission(
+      ActorType.USER,
+      projectMembership.userId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     // we need to validate that the privilege given is not higher than the assigning users permission
     // @ts-expect-error this is expected error because of one being really accurate rule definition other being a bit more broader. Both are valid casl rules
@@ -228,14 +224,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Member);
 
     const deletedPrivilege = await projectUserAdditionalPrivilegeDAL.deleteById(userPrivilege.id);
@@ -265,14 +260,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         message: `Project membership for user with ID '${userPrivilege.userId}' not found in project with ID '${userPrivilege.projectId}'`
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     return {
@@ -292,14 +286,13 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (!projectMembership)
       throw new NotFoundError({ message: `Project membership with ID ${projectMembershipId} not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: projectMembership.projectId,
+      projectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
 
     const userPrivileges = await projectUserAdditionalPrivilegeDAL.find(

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -421,14 +421,14 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
+      if (plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
         // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
         throw new BadRequestError({
           message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
         });
       }
 
-      if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+      if (plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
           message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."

backend/src/ee/services/scim/scim-service.ts

@@ -531,7 +531,7 @@ export const scimServiceFactory = ({
           firstName: scimUser.name.givenName,
           email: scimUser.emails[0].value,
           lastName: scimUser.name.familyName,
-          isEmailVerified: hasEmailChanged ? trustScimEmails : undefined
+          isEmailVerified: hasEmailChanged ? trustScimEmails : true
         },
         tx
       );
@@ -790,21 +790,6 @@ export const scimServiceFactory = ({
       });
 
     const newGroup = await groupDAL.transaction(async (tx) => {
-      const conflictingGroup = await groupDAL.findOne(
-        {
-          name: displayName,
-          orgId
-        },
-        tx
-      );
-
-      if (conflictingGroup) {
-        throw new ScimRequestError({
-          detail: `Group with name '${displayName}' already exists in the organization`,
-          status: 409
-        });
-      }
-
       const group = await groupDAL.create(
         {
           name: displayName,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import picomatch from "picomatch";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -79,14 +79,14 @@ export const secretApprovalPolicyServiceFactory = ({
     if (!groupApprovers.length && approvals > approvers.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
@@ -193,14 +193,14 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: secretApprovalPolicy.projectId,
+      secretApprovalPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
     const plan = await licenseService.getPlan(actorOrgId);
@@ -288,14 +288,14 @@ export const secretApprovalPolicyServiceFactory = ({
     if (!sapPolicy)
       throw new NotFoundError({ message: `Secret approval policy with ID '${secretPolicyId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sapPolicy.projectId,
+      sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
@@ -328,14 +328,13 @@ export const secretApprovalPolicyServiceFactory = ({
     actorAuthMethod,
     projectId
   }: TListSapDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     const sapPolicies = await secretApprovalPolicyDAL.find({ projectId, deletedAt: null });
@@ -373,14 +372,7 @@ export const secretApprovalPolicyServiceFactory = ({
     environment,
     secretPath
   }: TGetBoardSapDTO) => {
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
 
     return getSecretApprovalPolicy(projectId, environment, secretPath);
   };
@@ -400,14 +392,13 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sapPolicy.projectId,
+      sapPolicy.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 

backend/src/ee/services/secret-approval-request/secret-approval-request-secret-dal.ts

@@ -256,7 +256,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           `${TableName.SecretVersionV2Tag}.${TableName.SecretTag}Id`,
           db.ref("id").withSchema("secVerTag")
         )
-        .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretApprovalRequestSecretV2))
         .select({
           secVerTagId: "secVerTag.id",
@@ -280,11 +279,6 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
           db.ref("key").withSchema(TableName.SecretVersionV2).as("secVerKey"),
           db.ref("encryptedValue").withSchema(TableName.SecretVersionV2).as("secVerValue"),
           db.ref("encryptedComment").withSchema(TableName.SecretVersionV2).as("secVerComment")
-        )
-        .select(
-          db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
-          db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
-          db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
         );
       const formatedDoc = sqlNestRelationships({
         data: doc,
@@ -344,19 +338,9 @@ export const secretApprovalRequestSecretDALFactory = (db: TDbClient) => {
                 })
               }
             ]
-          },
-          {
-            key: "metadataId",
-            label: "oldSecretMetadata" as const,
-            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
-              id: metadataId,
-              key: metadataKey,
-              value: metadataValue
-            })
           }
         ]
       });
-
       return formatedDoc?.map(({ secret, secretVersion, ...el }) => ({
         ...el,
         secret: secret?.[0],

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,8 +1,8 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
 import {
-  ActionProjectType,
   ProjectMembershipRole,
+  ProjectType,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   SecretType,
@@ -22,8 +22,6 @@ import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   decryptSecretWithBot,
@@ -93,7 +91,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretBlindIndexDAL: Pick<TSecretBlindIndexDALFactory, "findOne">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   smtpService: Pick<TSmtpService, "sendMail">;
   userDAL: Pick<TUserDALFactory, "find" | "findOne" | "findById">;
@@ -141,20 +138,18 @@ export const secretApprovalRequestServiceFactory = ({
   secretVersionV2BridgeDAL,
   secretVersionTagV2BridgeDAL,
   licenseService,
-  projectSlackConfigDAL,
-  resourceMetadataDAL
+  projectSlackConfigDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission({
-      actor,
+    await permissionService.getProjectPermission(
+      actor as ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     const count = await secretApprovalRequestDAL.findProjectRequestCount(projectId, actorId);
     return count;
@@ -174,14 +169,7 @@ export const secretApprovalRequestServiceFactory = ({
   }: TListApprovalsDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    await permissionService.getProjectPermission({
-      actor,
-      actorId,
-      projectId,
-      actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+    await permissionService.getProjectPermission(actor, actorId, projectId, actorAuthMethod, actorOrgId);
 
     const { shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
@@ -224,14 +212,13 @@ export const secretApprovalRequestServiceFactory = ({
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
 
     const { policy } = secretApprovalRequest;
-    const { hasRole } = await permissionService.getProjectPermission({
+    const { hasRole } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -254,7 +241,6 @@ export const secretApprovalRequestServiceFactory = ({
         secretKey: el.key,
         id: el.id,
         version: el.version,
-        secretMetadata: el.secretMetadata as ResourceMetadataDTO,
         secretValue: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
         secretComment: el.encryptedComment
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString()
@@ -283,8 +269,7 @@ export const secretApprovalRequestServiceFactory = ({
               secretComment: el.secretVersion.encryptedComment
                 ? secretManagerDecryptor({ cipherTextBlob: el.secretVersion.encryptedComment }).toString()
                 : "",
-              tags: el.secretVersion.tags,
-              secretMetadata: el.oldSecretMetadata as ResourceMetadataDTO
+              tags: el.secretVersion.tags
             }
           : undefined
       }));
@@ -345,14 +330,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
-      projectId: secretApprovalRequest.projectId,
+      secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -412,14 +396,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
-      projectId: secretApprovalRequest.projectId,
+      secretApprovalRequest.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       secretApprovalRequest.committerUserId !== actorId &&
@@ -469,14 +452,13 @@ export const secretApprovalRequestServiceFactory = ({
       });
     }
 
-    const { hasRole } = await permissionService.getProjectPermission({
-      actor: ActorType.USER,
+    const { hasRole } = await permissionService.getProjectPermission(
+      ActorType.USER,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
@@ -561,7 +543,6 @@ export const secretApprovalRequestServiceFactory = ({
           ? await fnSecretV2BridgeBulkInsert({
               tx,
               folderId,
-              orgId: actorOrgId,
               inputSecrets: secretCreationCommits.map((el) => ({
                 tagIds: el?.tags.map(({ id }) => id),
                 version: 1,
@@ -569,7 +550,6 @@ export const secretApprovalRequestServiceFactory = ({
                 encryptedValue: el.encryptedValue,
                 skipMultilineEncoding: el.skipMultilineEncoding,
                 key: el.key,
-                secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                 references: el.encryptedValue
                   ? getAllSecretReferencesV2Bridge(
                       secretManagerDecryptor({
@@ -579,7 +559,6 @@ export const secretApprovalRequestServiceFactory = ({
                   : [],
                 type: SecretType.Shared
               })),
-              resourceMetadataDAL,
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
@@ -589,7 +568,6 @@ export const secretApprovalRequestServiceFactory = ({
         const updatedSecrets = secretUpdationCommits.length
           ? await fnSecretV2BridgeBulkUpdate({
               folderId,
-              orgId: actorOrgId,
               tx,
               inputSecrets: secretUpdationCommits.map((el) => {
                 const encryptedValue =
@@ -614,7 +592,6 @@ export const secretApprovalRequestServiceFactory = ({
                     skipMultilineEncoding: el.skipMultilineEncoding,
                     key: el.key,
                     tags: el?.tags.map(({ id }) => id),
-                    secretMetadata: el.secretMetadata as ResourceMetadataDTO,
                     ...encryptedValue
                   }
                 };
@@ -622,8 +599,7 @@ export const secretApprovalRequestServiceFactory = ({
               secretDAL: secretV2BridgeDAL,
               secretVersionDAL: secretVersionV2BridgeDAL,
               secretTagDAL,
-              secretVersionTagDAL: secretVersionTagV2BridgeDAL,
-              resourceMetadataDAL
+              secretVersionTagDAL: secretVersionTagV2BridgeDAL
             })
           : [];
         const deletedSecret = secretDeletionCommits.length
@@ -848,7 +824,6 @@ export const secretApprovalRequestServiceFactory = ({
     }
     await secretQueueService.syncSecrets({
       projectId,
-      orgId: actorOrgId,
       secretPath: folder.path,
       environmentSlug: folder.environmentSlug,
       actorId,
@@ -901,14 +876,14 @@ export const secretApprovalRequestServiceFactory = ({
   }: TGenerateSecretApprovalRequestDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       subject(ProjectPermissionSub.Secrets, { environment, secretPath })
@@ -1182,14 +1157,14 @@ export const secretApprovalRequestServiceFactory = ({
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
     if (!folder)
       throw new NotFoundError({
@@ -1233,7 +1208,6 @@ export const secretApprovalRequestServiceFactory = ({
           ),
           skipMultilineEncoding: createdSecret.skipMultilineEncoding,
           key: createdSecret.secretKey,
-          secretMetadata: createdSecret.secretMetadata,
           type: SecretType.Shared
         }))
       );
@@ -1267,10 +1241,9 @@ export const secretApprovalRequestServiceFactory = ({
             type: SecretType.Shared
           }))
         );
-
-        if (secrets.length !== secretsWithNewName.length)
+        if (secrets.length)
           throw new NotFoundError({
-            message: `Secret does not exist: ${secrets.map((el) => el.key).join(",")}`
+            message: `Secret does not exist: ${secretsToUpdateStoredInDB.map((el) => el.key).join(",")}`
           });
       }
 
@@ -1290,14 +1263,12 @@ export const secretApprovalRequestServiceFactory = ({
             reminderNote,
             secretComment,
             metadata,
-            skipMultilineEncoding,
-            secretMetadata
+            skipMultilineEncoding
           }) => {
             const secretId = updatingSecretsGroupByKey[secretKey][0].id;
             if (tagIds?.length) commitTagIds[secretKey] = tagIds;
             return {
               ...latestSecretVersions[secretId],
-              secretMetadata,
               key: newSecretName || secretKey,
               encryptedComment: setKnexStringValue(
                 secretComment,
@@ -1399,8 +1370,7 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             encryptedValue,
             secretId,
-            secretVersion,
-            secretMetadata
+            secretVersion
           }) => ({
             version,
             requestId: doc.id,
@@ -1413,8 +1383,7 @@ export const secretApprovalRequestServiceFactory = ({
             reminderRepeatDays,
             reminderNote,
             encryptedComment,
-            key,
-            secretMetadata: JSON.stringify(secretMetadata)
+            key
           })
         ),
         tx

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -1,6 +1,5 @@
 import { TImmutableDBKeys, TSecretApprovalPolicies, TSecretApprovalRequestsSecrets } from "@app/db/schemas";
 import { TProjectPermission } from "@app/lib/types";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations } from "@app/services/secret/secret-types";
 
 export enum RequestState {
@@ -35,7 +34,6 @@ export type TApprovalCreateSecretV2Bridge = {
   reminderRepeatDays?: number | null;
   skipMultilineEncoding?: boolean;
   metadata?: Record<string, string>;
-  secretMetadata?: ResourceMetadataDTO;
   tagIds?: string[];
 };
 

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -13,8 +13,6 @@ import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
-import { TResourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
-import { ResourceMetadataDTO } from "@app/services/resource-metadata/resource-metadata-schema";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import { fnSecretBulkInsert, fnSecretBulkUpdate } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory, uniqueSecretQueueKey } from "@app/services/secret/secret-queue";
@@ -58,7 +56,6 @@ type TSecretReplicationServiceFactoryDep = {
   >;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "find" | "insertMany">;
   secretVersionV2TagBridgeDAL: Pick<TSecretVersionV2TagDALFactory, "find" | "insertMany">;
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "replicateSecrets">;
   queueService: Pick<TQueueServiceFactory, "start" | "listen" | "queue" | "stopJobById">;
   secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
@@ -124,8 +121,7 @@ export const secretReplicationServiceFactory = ({
   secretVersionV2TagBridgeDAL,
   secretVersionV2BridgeDAL,
   secretV2BridgeDAL,
-  kmsService,
-  resourceMetadataDAL
+  kmsService
 }: TSecretReplicationServiceFactoryDep) => {
   const $getReplicatedSecrets = (
     botKey: string,
@@ -155,10 +151,8 @@ export const secretReplicationServiceFactory = ({
   };
 
   const $getReplicatedSecretsV2 = (
-    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[],
-    importedSecrets: {
-      secrets: (TSecretsV2 & { secretKey: string; secretValue?: string; secretMetadata?: ResourceMetadataDTO })[];
-    }[]
+    localSecrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[],
+    importedSecrets: { secrets: (TSecretsV2 & { secretKey: string; secretValue?: string })[] }[]
   ) => {
     const deDupe = new Set<string>();
     const secrets = [...localSecrets];
@@ -184,7 +178,6 @@ export const secretReplicationServiceFactory = ({
       secretPath,
       environmentSlug,
       projectId,
-      orgId,
       actorId,
       actor,
       pickOnlyImportIds,
@@ -229,7 +222,6 @@ export const secretReplicationServiceFactory = ({
           .map(({ folderId }) =>
             secretQueueService.replicateSecrets({
               projectId,
-              orgId,
               secretPath: foldersGroupedById[folderId][0]?.path as string,
               environmentSlug: foldersGroupedById[folderId][0]?.environmentSlug as string,
               actorId,
@@ -275,7 +267,6 @@ export const secretReplicationServiceFactory = ({
           ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString()
           : undefined
       }));
-
       const sourceSecrets = $getReplicatedSecretsV2(sourceDecryptedLocalSecrets, sourceImportedSecrets);
       const sourceSecretsGroupByKey = groupBy(sourceSecrets, (i) => i.key);
 
@@ -342,29 +333,13 @@ export const secretReplicationServiceFactory = ({
               .map((el) => ({ ...el, operation: SecretOperations.Create })); // rewrite update ops to create
 
             const locallyUpdatedSecrets = sourceSecrets
-              .filter(({ key, secretKey, secretValue, secretMetadata }) => {
-                const sourceSecretMetadataJson = JSON.stringify(
-                  (secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                const destinationSecretMetadataJson = JSON.stringify(
-                  (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretMetadata ?? []).map((entry) => ({
-                    key: entry.key,
-                    value: entry.value
-                  }))
-                );
-
-                return (
+              .filter(
+                ({ key, secretKey, secretValue }) =>
                   destinationLocalSecretsGroupedByKey[key]?.[0] &&
                   // if key or value changed
                   (destinationLocalSecretsGroupedByKey[key]?.[0]?.secretKey !== secretKey ||
-                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue ||
-                    sourceSecretMetadataJson !== destinationSecretMetadataJson)
-                );
-              })
+                    destinationLocalSecretsGroupedByKey[key]?.[0]?.secretValue !== secretValue)
+              )
               .map((el) => ({ ...el, operation: SecretOperations.Update })); // rewrite update ops to create
 
             const locallyDeletedSecrets = destinationLocalSecrets
@@ -412,7 +387,6 @@ export const secretReplicationServiceFactory = ({
                       op: operation,
                       requestId: approvalRequestDoc.id,
                       metadata: doc.metadata,
-                      secretMetadata: JSON.stringify(doc.secretMetadata),
                       key: doc.key,
                       encryptedValue: doc.encryptedValue,
                       encryptedComment: doc.encryptedComment,
@@ -432,12 +406,10 @@ export const secretReplicationServiceFactory = ({
                 if (locallyCreatedSecrets.length) {
                   await fnSecretV2BridgeBulkInsert({
                     folderId: destinationReplicationFolderId,
-                    orgId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
                     secretTagDAL,
-                    resourceMetadataDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyCreatedSecrets.map((doc) => {
                       return {
@@ -447,7 +419,6 @@ export const secretReplicationServiceFactory = ({
                         encryptedValue: doc.encryptedValue,
                         encryptedComment: doc.encryptedComment,
                         skipMultilineEncoding: doc.skipMultilineEncoding,
-                        secretMetadata: doc.secretMetadata,
                         references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                       };
                     })
@@ -455,12 +426,10 @@ export const secretReplicationServiceFactory = ({
                 }
                 if (locallyUpdatedSecrets.length) {
                   await fnSecretV2BridgeBulkUpdate({
-                    orgId,
                     folderId: destinationReplicationFolderId,
                     secretVersionDAL: secretVersionV2BridgeDAL,
                     secretDAL: secretV2BridgeDAL,
                     tx,
-                    resourceMetadataDAL,
                     secretTagDAL,
                     secretVersionTagDAL: secretVersionV2TagBridgeDAL,
                     inputSecrets: locallyUpdatedSecrets.map((doc) => {
@@ -476,7 +445,6 @@ export const secretReplicationServiceFactory = ({
                           encryptedValue: doc.encryptedValue as Buffer,
                           encryptedComment: doc.encryptedComment,
                           skipMultilineEncoding: doc.skipMultilineEncoding,
-                          secretMetadata: doc.secretMetadata,
                           references: doc.secretValue ? getAllSecretReferences(doc.secretValue).nestedReferences : []
                         }
                       };
@@ -498,7 +466,6 @@ export const secretReplicationServiceFactory = ({
 
               await secretQueueService.syncSecrets({
                 projectId,
-                orgId,
                 secretPath: destinationFolder.path,
                 environmentSlug: destinationFolder.environmentSlug,
                 actorId,
@@ -784,7 +751,6 @@ export const secretReplicationServiceFactory = ({
 
             await secretQueueService.syncSecrets({
               projectId,
-              orgId,
               secretPath: destinationFolder.path,
               environmentSlug: destinationFolder.environmentSlug,
               actorId,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -180,8 +180,6 @@ export const secretRotationQueueFactory = ({
           provider.template.client === TDbProviderClients.MsSqlServer
             ? ({
                 encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
-                // when ca is provided use that
-                trustServerCertificate: !ca,
                 cryptoCredentialsDetails: ca ? { ca } : {}
               } as Record<string, unknown>)
             : undefined;

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
-import { ActionProjectType, ProjectVersion, TableName } from "@app/db/schemas";
+import { ProjectType, ProjectVersion, TableName } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
@@ -53,14 +53,14 @@ export const secretRotationServiceFactory = ({
     actorAuthMethod,
     projectId
   }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
 
     return {
@@ -82,14 +82,14 @@ export const secretRotationServiceFactory = ({
     secretPath,
     environment
   }: TCreateSecretRotationDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretRotation
@@ -191,14 +191,13 @@ export const secretRotationServiceFactory = ({
   };
 
   const getByProjectId = async ({ actorId, projectId, actor, actorOrgId, actorAuthMethod }: TListByProjectIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
     if (shouldUseSecretV2Bridge) {
@@ -237,14 +236,14 @@ export const secretRotationServiceFactory = ({
         message: "Failed to add secret rotation due to plan restriction. Upgrade plan to add secret rotation."
       });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: project.id,
+      doc.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
     await secretRotationQueue.removeFromQueue(doc.id, doc.interval);
     await secretRotationQueue.addToQueue(doc.id, doc.interval);
@@ -255,14 +254,14 @@ export const secretRotationServiceFactory = ({
     const doc = await secretRotationDAL.findById(rotationId);
     if (!doc) throw new NotFoundError({ message: `Rotation with ID '${rotationId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: doc.projectId,
+      doc.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretRotation

backend/src/ee/services/secret-scanning/secret-scanning-dal.ts

@@ -1,12 +1,9 @@
-import knex, { Knex } from "knex";
+import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
 import { TableName, TSecretScanningGitRisksInsert } from "@app/db/schemas";
-import { DatabaseError, GatewayTimeoutError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
-import { OrderByDirection } from "@app/lib/types";
-
-import { SecretScanningResolvedStatus, TGetOrgRisksDTO } from "./secret-scanning-types";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify } from "@app/lib/knex";
 
 export type TSecretScanningDALFactory = ReturnType<typeof secretScanningDALFactory>;
 
@@ -22,70 +19,5 @@ export const secretScanningDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findByOrgId = async (orgId: string, filter: TGetOrgRisksDTO["filter"], tx?: Knex) => {
-    try {
-      // Find statements
-      const sqlQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        // eslint-disable-next-line func-names
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId);
-
-      if (filter.repositoryNames) {
-        void sqlQuery.whereIn(`${TableName.SecretScanningGitRisk}.repositoryFullName`, filter.repositoryNames);
-      }
-
-      if (filter.resolvedStatus) {
-        if (filter.resolvedStatus !== SecretScanningResolvedStatus.All) {
-          const isResolved = filter.resolvedStatus === SecretScanningResolvedStatus.Resolved;
-
-          void sqlQuery.where(`${TableName.SecretScanningGitRisk}.isResolved`, isResolved);
-        }
-      }
-
-      // Select statements
-      void sqlQuery
-        .select(selectAllTableCols(TableName.SecretScanningGitRisk))
-        .limit(filter.limit)
-        .offset(filter.offset);
-
-      if (filter.orderBy) {
-        const orderDirection = filter.orderDirection || OrderByDirection.ASC;
-
-        void sqlQuery.orderBy(filter.orderBy, orderDirection);
-      }
-
-      const countQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .count();
-
-      const uniqueReposQuery = (tx || db.replicaNode())(TableName.SecretScanningGitRisk)
-        .where(`${TableName.SecretScanningGitRisk}.orgId`, orgId)
-        .distinct("repositoryFullName")
-        .select("repositoryFullName");
-
-      // we timeout long running queries to prevent DB resource issues (2 minutes)
-      const docs = await sqlQuery.timeout(1000 * 120);
-      const uniqueRepos = await uniqueReposQuery.timeout(1000 * 120);
-      const totalCount = await countQuery;
-
-      return {
-        risks: docs,
-        totalCount: Number(totalCount?.[0].count),
-        repos: uniqueRepos
-          .filter(Boolean)
-          .map((r) => r.repositoryFullName!)
-          .sort((a, b) => a.localeCompare(b))
-      };
-    } catch (error) {
-      if (error instanceof knex.KnexTimeoutError) {
-        throw new GatewayTimeoutError({
-          error,
-          message: "Failed to fetch secret leaks due to timeout. Add more search filters."
-        });
-      }
-
-      throw new DatabaseError({ error });
-    }
-  };
-
-  return { ...gitRiskOrm, upsert, findByOrgId };
+  return { ...gitRiskOrm, upsert };
 };

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -15,7 +15,6 @@ import { TSecretScanningDALFactory } from "./secret-scanning-dal";
 import { TSecretScanningQueueFactory } from "./secret-scanning-queue";
 import {
   SecretScanningRiskStatus,
-  TGetAllOrgRisksDTO,
   TGetOrgInstallStatusDTO,
   TGetOrgRisksDTO,
   TInstallAppSessionDTO,
@@ -119,21 +118,11 @@ export const secretScanningServiceFactory = ({
     return Boolean(appInstallation);
   };
 
-  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId, filter }: TGetOrgRisksDTO) => {
+  const getRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetOrgRisksDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
     ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
-    const results = await secretScanningDAL.findByOrgId(orgId, filter);
-
-    return results;
-  };
-
-  const getAllRisksByOrg = async ({ actor, orgId, actorId, actorAuthMethod, actorOrgId }: TGetAllOrgRisksDTO) => {
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.SecretScanning);
-
     const risks = await secretScanningDAL.find({ orgId }, { sort: [["createdAt", "desc"]] });
-    return risks;
+    return { risks };
   };
 
   const updateRiskStatus = async ({
@@ -200,7 +189,6 @@ export const secretScanningServiceFactory = ({
     linkInstallationToOrg,
     getOrgInstallationStatus,
     getRisksByOrg,
-    getAllRisksByOrg,
     updateRiskStatus,
     handleRepoPushEvent,
     handleRepoDeleteEvent

backend/src/ee/services/secret-scanning/secret-scanning-types.ts

@@ -1,4 +1,4 @@
-import { OrderByDirection, TOrgPermission } from "@app/lib/types";
+import { TOrgPermission } from "@app/lib/types";
 
 export enum SecretScanningRiskStatus {
   FalsePositive = "RESOLVED_FALSE_POSITIVE",
@@ -7,12 +7,6 @@ export enum SecretScanningRiskStatus {
   Unresolved = "UNRESOLVED"
 }
 
-export enum SecretScanningResolvedStatus {
-  All = "all",
-  Resolved = "resolved",
-  Unresolved = "unresolved"
-}
-
 export type TInstallAppSessionDTO = TOrgPermission;
 
 export type TLinkInstallSessionDTO = {
@@ -22,22 +16,7 @@ export type TLinkInstallSessionDTO = {
 
 export type TGetOrgInstallStatusDTO = TOrgPermission;
 
-type RiskFilter = {
-  offset: number;
-  limit: number;
-  orderBy?: "createdAt" | "name";
-  orderDirection?: OrderByDirection;
-  repositoryNames?: string[];
-  resolvedStatus?: SecretScanningResolvedStatus;
-};
-
-export type TGetOrgRisksDTO = {
-  filter: RiskFilter;
-} & TOrgPermission;
-
-export type TGetAllOrgRisksDTO = {
-  filter: Omit<RiskFilter, "offset" | "limit" | "orderBy" | "orderDirection">;
-} & TOrgPermission;
+export type TGetOrgRisksDTO = TOrgPermission;
 
 export type TUpdateRiskStatusDTO = {
   riskId: string;

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
-import { ActionProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
+import { ProjectType, TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
@@ -83,14 +83,13 @@ export const secretSnapshotServiceFactory = ({
     actorAuthMethod,
     path
   }: TProjectSnapshotCountDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -120,14 +119,13 @@ export const secretSnapshotServiceFactory = ({
     limit = 20,
     offset = 0
   }: TProjectSnapshotListDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
 
     // We need to check if the user has access to the secrets in the folder. If we don't do this, a user could theoretically access snapshot secret values even if they don't have read access to the secrets in the folder.
@@ -149,14 +147,13 @@ export const secretSnapshotServiceFactory = ({
   const getSnapshotData = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TGetSnapshotDataDTO) => {
     const snapshot = await snapshotDAL.findById(id);
     if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${id}' not found` });
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: snapshot.projectId,
+      snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
     const shouldUseBridge = snapshot.projectVersion === 3;
@@ -325,14 +322,14 @@ export const secretSnapshotServiceFactory = ({
     if (!snapshot) throw new NotFoundError({ message: `Snapshot with ID '${snapshotId}' not found` });
     const shouldUseBridge = snapshot.projectVersion === 3;
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: snapshot.projectId,
+      snapshot.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretRollback

backend/src/ee/services/ssh-certificate-template/ssh-certificate-template-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -54,15 +54,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificateTemplates
@@ -127,15 +127,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       ProjectPermissionSub.SshCertificateTemplates
@@ -196,15 +196,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certificateTemplate.projectId,
+      certificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SshCertificateTemplates
@@ -223,15 +223,15 @@ export const sshCertificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateTemplates

backend/src/ee/services/ssh/ssh-certificate-authority-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSshCertificateAuthorityDALFactory } from "@app/ee/services/ssh/ssh-certificate-authority-dal";
@@ -65,15 +65,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     actor,
     actorOrgId
   }: TCreateSshCaDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -118,15 +118,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -187,15 +187,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -226,15 +226,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       ProjectPermissionSub.SshCertificateAuthorities
@@ -268,15 +268,15 @@ export const sshCertificateAuthorityServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sshCertificateTemplate.projectId,
+      sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificates
@@ -390,15 +390,15 @@ export const sshCertificateAuthorityServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: sshCertificateTemplate.projectId,
+      sshCertificateTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.SshCertificates
@@ -488,15 +488,15 @@ export const sshCertificateAuthorityServiceFactory = ({
     const ca = await sshCertificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `SSH CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SSH
-    });
+      actorOrgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.SSH);
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.SshCertificateTemplates

backend/src/ee/services/trusted-ip/trusted-ip-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType } from "@app/db/schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TProjectPermission } from "@app/lib/types";
@@ -28,14 +27,13 @@ export const trustedIpServiceFactory = ({
   projectDAL
 }: TTrustedIpServiceFactoryDep) => {
   const listIpsByProjectId = async ({ projectId, actor, actorId, actorAuthMethod, actorOrgId }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
     const trustedIps = await trustedIpDAL.find({
       projectId
@@ -53,14 +51,13 @@ export const trustedIpServiceFactory = ({
     comment,
     isActive
   }: TCreateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);
@@ -99,14 +96,13 @@ export const trustedIpServiceFactory = ({
     comment,
     trustedIpId
   }: TUpdateIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);
@@ -145,14 +141,13 @@ export const trustedIpServiceFactory = ({
     actorAuthMethod,
     trustedIpId
   }: TDeleteIpDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.IpAllowList);
 
     const project = await projectDAL.findById(projectId);

backend/src/lib/api-docs/constants.ts

@@ -476,7 +476,7 @@ export const PROJECTS = {
   },
   ADD_GROUP_TO_PROJECT: {
     projectId: "The ID of the project to add the group to.",
-    groupIdOrName: "The ID or name of the group to add to the project.",
+    groupId: "The ID of the group to add to the project.",
     role: "The role for the group to assume in the project."
   },
   UPDATE_GROUP_IN_PROJECT: {
@@ -743,12 +743,6 @@ export const RAW_SECRETS = {
     workspaceId: "The ID of the project where the secret is located.",
     environment: "The slug of the environment where the the secret is located.",
     secretPath: "The folder path where the secret is located."
-  },
-  GET_ACCESS_LIST: {
-    secretName: "The name of the secret to get the access list for.",
-    workspaceId: "The ID of the project where the secret is located.",
-    environment: "The slug of the environment where the the secret is located.",
-    secretPath: "The folder path where the secret is located."
   }
 } as const;
 
@@ -1158,8 +1152,7 @@ export const INTEGRATION = {
       shouldMaskSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Masked'.",
       shouldProtectSecrets: "Specifies if the secrets synced from Infisical to Gitlab should be marked as 'Protected'.",
       shouldEnableDelete: "The flag to enable deletion of secrets.",
-      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy.",
-      metadataSyncMode: "The mode for syncing metadata to external system"
+      octopusDeployScopeValues: "Specifies the scope values to set on synced secrets to Octopus Deploy."
     }
   },
   UPDATE: {
@@ -1665,13 +1658,11 @@ export const SecretSyncs = {
     return {
       name: `The name of the ${destinationName} Sync to create. Must be slug-friendly.`,
       description: `An optional description for the ${destinationName} Sync.`,
-      projectId: "The ID of the project to create the sync in.",
-      environment: `The slug of the project environment to sync secrets from.`,
-      secretPath: `The folder path to sync secrets from.`,
+      folderId: `The ID of the project folder to sync secrets from.`,
       connectionId: `The ID of the ${
         APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
       } Connection to use for syncing.`,
-      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
+      isEnabled: `Whether secrets should be synced automatically or not.`,
       syncOptions: "Optional parameters to modify how secrets are synced."
     };
   },
@@ -1679,49 +1670,34 @@ export const SecretSyncs = {
     const destinationName = SECRET_SYNC_NAME_MAP[destination];
     return {
       syncId: `The ID of the ${destinationName} Sync to be updated.`,
-      connectionId: `The updated ID of the ${
-        APP_CONNECTION_NAME_MAP[SECRET_SYNC_CONNECTION_MAP[destination]]
-      } Connection to use for syncing.`,
       name: `The updated name of the ${destinationName} Sync. Must be slug-friendly.`,
-      environment: `The updated slug of the project environment to sync secrets from.`,
-      secretPath: `The updated folder path to sync secrets from.`,
+      folderId: `The updated project folder ID to sync secrets from.`,
       description: `The updated description of the ${destinationName} Sync.`,
-      isAutoSyncEnabled: `Whether secrets should be automatically synced when changes occur at the source location or not.`,
+      isEnabled: `Whether secrets should be synced automatically or not.`,
       syncOptions: "Optional parameters to modify how secrets are synced."
     };
   },
   DELETE: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`,
-    removeSecrets: `Whether previously synced secrets should be removed prior to deletion.`
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to be deleted.`
   }),
-  SYNC_SECRETS: (destination: SecretSync) => ({
+  SYNC: (destination: SecretSync) => ({
     syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger a sync for.`
   }),
-  IMPORT_SECRETS: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger importing secrets for.`,
-    importBehavior: `Specify whether Infisical should prioritize secret values from Infisical or ${SECRET_SYNC_NAME_MAP[destination]}.`
+  IMPORT: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an import for.`,
+    shouldOverwrite: `Specify whether newly imported secrets should override existing secrets with matching names in Infisical.`
   }),
-  REMOVE_SECRETS: (destination: SecretSync) => ({
-    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger removing secrets for.`
+  ERASE: (destination: SecretSync) => ({
+    syncId: `The ID of the ${SECRET_SYNC_NAME_MAP[destination]} Sync to trigger an erase for.`
   }),
-  SYNC_OPTIONS: (destination: SecretSync) => {
-    const destinationName = SECRET_SYNC_NAME_MAP[destination];
-    return {
-      INITIAL_SYNC_BEHAVIOR: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
-      PREPEND_PREFIX: `Optionally prepend a prefix to your secrets' keys when syncing to ${destinationName}.`,
-      APPEND_SUFFIX: `Optionally append a suffix to your secrets' keys when syncing to ${destinationName}.`
-    };
+  SYNC_OPTIONS: {
+    PREPEND_PREFIX: "Optionally prepend a prefix to your secrets' keys when syncing.",
+    APPEND_SUFFIX: "Optionally append a suffix to your secrets' keys when syncing."
   },
   DESTINATION_CONFIG: {
     AWS_PARAMETER_STORE: {
       REGION: "The AWS region to sync secrets to.",
       PATH: "The Parameter Store path to sync secrets to."
-    },
-    GITHUB: {
-      ORG: "The name of the GitHub organization.",
-      OWNER: "The name of the GitHub account owner of the repository.",
-      REPO: "The name of the GitHub repository.",
-      ENV: "The name of the GitHub environment."
     }
   }
 };

backend/src/lib/config/env.ts

@@ -199,29 +199,7 @@ const envSchema = z
     INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY: zpStr(z.string().optional()),
     INF_APP_CONNECTION_GITHUB_APP_SLUG: zpStr(z.string().optional()),
-    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional()),
-
-    /* CORS ----------------------------------------------------------------------------- */
-
-    CORS_ALLOWED_ORIGINS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as string[];
-        })
-    ),
-
-    CORS_ALLOWED_HEADERS: zpStr(
-      z
-        .string()
-        .optional()
-        .transform((val) => {
-          if (!val) return undefined;
-          return JSON.parse(val) as string[];
-        })
-    )
+    INF_APP_CONNECTION_GITHUB_APP_ID: zpStr(z.string().optional())
   })
   // To ensure that basic encryption is always possible.
   .refine(

backend/src/lib/fn/string.ts

@@ -16,3 +16,7 @@ export const prefixWithSlash = (str: string) => {
 };
 
 export const startsWithVowel = (str: string) => /^[aeiou]/i.test(str);
+
+export const wrapWithSlashes = (str: string) => {
+  return `${str.startsWith("/") ? "" : "/"}${str}${str.endsWith("/") ? "" : `/`}`;
+};

backend/src/lib/validator/index.ts

@@ -1,4 +1,3 @@
 export { isDisposableEmail } from "./validate-email";
 export { isValidFolderName, isValidSecretPath } from "./validate-folder-name";
 export { blockLocalAndPrivateIpAddresses } from "./validate-url";
-export { isUuidV4 } from "./validate-uuid";

backend/src/lib/validator/validate-uuid.ts

@@ -1,3 +0,0 @@
-import { z } from "zod";
-
-export const isUuidV4 = (uuid: string) => z.string().uuid().safeParse(uuid).success;

backend/src/queue/queue-service.ts

@@ -16,9 +16,9 @@ import {
   TSyncSecretsDTO
 } from "@app/services/secret/secret-types";
 import {
-  TQueueSecretSyncImportSecretsByIdDTO,
-  TQueueSecretSyncRemoveSecretsByIdDTO,
-  TQueueSecretSyncSyncSecretsByIdDTO,
+  TQueueSecretSyncByIdDTO,
+  TQueueSecretSyncEraseByIdDTO,
+  TQueueSecretSyncImportByIdDTO,
   TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
 
@@ -69,10 +69,10 @@ export enum QueueJobs {
   IdentityAccessTokenStatusUpdate = "identity-access-token-status-update",
   ServiceTokenStatusUpdate = "service-token-status-update",
   ImportSecretsFromExternalSource = "import-secrets-from-external-source",
-  SecretSyncSyncSecrets = "secret-sync-sync-secrets",
-  SecretSyncImportSecrets = "secret-sync-import-secrets",
-  SecretSyncRemoveSecrets = "secret-sync-remove-secrets",
-  SecretSyncSendActionFailedNotifications = "secret-sync-send-action-failed-notifications"
+  AppConnectionSecretSync = "app-connection-secret-sync",
+  AppConnectionSecretSyncImport = "app-connection-secret-sync-import",
+  AppConnectionSecretSyncErase = "app-connection-secret-sync-erase",
+  AppConnectionSendSecretSyncActionFailedNotifications = "app-connection-send-secret-sync-action-failed-notifications"
 }
 
 export type TQueueJobTypes = {
@@ -197,19 +197,19 @@ export type TQueueJobTypes = {
   };
   [QueueName.AppConnectionSecretSync]:
     | {
-        name: QueueJobs.SecretSyncSyncSecrets;
-        payload: TQueueSecretSyncSyncSecretsByIdDTO;
+        name: QueueJobs.AppConnectionSecretSync;
+        payload: TQueueSecretSyncByIdDTO;
       }
     | {
-        name: QueueJobs.SecretSyncImportSecrets;
-        payload: TQueueSecretSyncImportSecretsByIdDTO;
+        name: QueueJobs.AppConnectionSecretSyncImport;
+        payload: TQueueSecretSyncImportByIdDTO;
       }
     | {
-        name: QueueJobs.SecretSyncRemoveSecrets;
-        payload: TQueueSecretSyncRemoveSecretsByIdDTO;
+        name: QueueJobs.AppConnectionSecretSyncErase;
+        payload: TQueueSecretSyncEraseByIdDTO;
       }
     | {
-        name: QueueJobs.SecretSyncSendActionFailedNotifications;
+        name: QueueJobs.AppConnectionSendSecretSyncActionFailedNotifications;
         payload: TQueueSendSecretSyncActionFailedNotificationsDTO;
       };
 };

backend/src/server/app.ts

@@ -87,16 +87,7 @@ export const main = async ({ db, hsmModule, auditLogDb, smtp, logger, queue, key
 
     await server.register<FastifyCorsOptions>(cors, {
       credentials: true,
-      ...(appCfg.CORS_ALLOWED_ORIGINS?.length
-        ? {
-            origin: [...appCfg.CORS_ALLOWED_ORIGINS, ...(appCfg.SITE_URL ? [appCfg.SITE_URL] : [])]
-          }
-        : {
-            origin: appCfg.SITE_URL || true
-          }),
-      ...(appCfg.CORS_ALLOWED_HEADERS?.length && {
-        allowedHeaders: appCfg.CORS_ALLOWED_HEADERS
-      })
+      origin: appCfg.SITE_URL || true
     });
 
     await server.register(addErrorsToResponseSchemas);

backend/src/server/plugins/audit-log.ts

@@ -32,21 +32,13 @@ export const getUserAgentType = (userAgent: string | undefined) => {
 export const injectAuditLogInfo = fp(async (server: FastifyZodProvider) => {
   server.decorateRequest("auditLogInfo", null);
   server.addHook("onRequest", async (req) => {
+    if (!req.auth) return;
     const userAgent = req.headers["user-agent"] ?? "";
     const payload = {
       ipAddress: req.realIp,
       userAgent,
       userAgentType: getUserAgentType(userAgent)
     } as typeof req.auditLogInfo;
-
-    if (!req.auth) {
-      payload.actor = {
-        type: ActorType.UNKNOWN_USER,
-        metadata: {}
-      };
-      req.auditLogInfo = payload;
-      return;
-    }
     if (req.auth.actor === ActorType.USER) {
       payload.actor = {
         type: ActorType.USER,

backend/src/server/plugins/secret-scanner.ts

@@ -1,4 +1,3 @@
-import type { EmitterWebhookEventName } from "@octokit/webhooks/dist-types/types";
 import { PushEvent } from "@octokit/webhooks-types";
 import { Probot } from "probot";
 import SmeeClient from "smee-client";
@@ -55,14 +54,14 @@ export const registerSecretScannerGhApp = async (server: FastifyZodProvider) =>
         rateLimit: writeLimit
       },
       handler: async (req, res) => {
-        const eventName = req.headers["x-github-event"] as EmitterWebhookEventName;
+        const eventName = req.headers["x-github-event"];
         const signatureSHA256 = req.headers["x-hub-signature-256"] as string;
         const id = req.headers["x-github-delivery"] as string;
-
         await probot.webhooks.verifyAndReceive({
           id,
+          // @ts-expect-error type
           name: eventName,
-          payload: JSON.stringify(req.body),
+          payload: req.body as string,
           signature: signatureSHA256
         });
         void res.send("ok");

backend/src/server/routes/index.ts

@@ -181,7 +181,6 @@ import { projectUserMembershipRoleDALFactory } from "@app/services/project-membe
 import { projectRoleDALFactory } from "@app/services/project-role/project-role-dal";
 import { projectRoleServiceFactory } from "@app/services/project-role/project-role-service";
 import { dailyResourceCleanUpQueueServiceFactory } from "@app/services/resource-cleanup/resource-cleanup-queue";
-import { resourceMetadataDALFactory } from "@app/services/resource-metadata/resource-metadata-dal";
 import { secretDALFactory } from "@app/services/secret/secret-dal";
 import { secretQueueFactory } from "@app/services/secret/secret-queue";
 import { secretServiceFactory } from "@app/services/secret/secret-service";
@@ -379,7 +378,6 @@ export const registerRoutes = async (
   const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);
 
   const projectTemplateDAL = projectTemplateDALFactory(db);
-  const resourceMetadataDAL = resourceMetadataDALFactory(db);
 
   const permissionService = permissionServiceFactory({
     permissionDAL,
@@ -612,7 +610,6 @@ export const registerRoutes = async (
   });
   const superAdminService = superAdminServiceFactory({
     userDAL,
-    userAliasDAL,
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     kmsRootConfigDAL,
@@ -847,8 +844,7 @@ export const registerRoutes = async (
     secretTagDAL,
     secretVersionTagDAL,
     secretVersionV2BridgeDAL,
-    secretVersionTagV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionTagV2BridgeDAL
   });
 
   const secretQueueService = secretQueueFactory({
@@ -885,7 +881,6 @@ export const registerRoutes = async (
     projectKeyDAL,
     projectUserMembershipRoleDAL,
     orgService,
-    resourceMetadataDAL,
     secretSyncQueue
   });
 
@@ -923,8 +918,7 @@ export const registerRoutes = async (
     certificateTemplateDAL,
     projectSlackConfigDAL,
     slackIntegrationDAL,
-    projectTemplateService,
-    groupProjectDAL
+    projectTemplateService
   });
 
   const projectEnvService = projectEnvServiceFactory({
@@ -1013,8 +1007,7 @@ export const registerRoutes = async (
     secretApprovalPolicyService,
     secretApprovalRequestSecretDAL,
     kmsService,
-    snapshotService,
-    resourceMetadataDAL
+    snapshotService
   });
 
   const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@@ -1041,8 +1034,7 @@ export const registerRoutes = async (
     projectEnvDAL,
     userDAL,
     licenseService,
-    projectSlackConfigDAL,
-    resourceMetadataDAL
+    projectSlackConfigDAL
   });
 
   const secretService = secretServiceFactory({
@@ -1063,8 +1055,7 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
-    secretApprovalRequestService,
-    licenseService
+    secretApprovalRequestService
   });
 
   const secretSharingService = secretSharingServiceFactory({
@@ -1122,10 +1113,8 @@ export const registerRoutes = async (
     kmsService,
     secretV2BridgeDAL,
     secretVersionV2TagBridgeDAL: secretVersionTagV2BridgeDAL,
-    secretVersionV2BridgeDAL,
-    resourceMetadataDAL
+    secretVersionV2BridgeDAL
   });
-
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -1377,8 +1366,7 @@ export const registerRoutes = async (
     folderDAL,
     secretDAL: secretV2BridgeDAL,
     queueService,
-    secretV2BridgeService,
-    resourceMetadataDAL
+    secretV2BridgeService
   });
 
   const migrationService = externalMigrationServiceFactory({
@@ -1397,13 +1385,15 @@ export const registerRoutes = async (
   const appConnectionService = appConnectionServiceFactory({
     appConnectionDAL,
     permissionService,
-    kmsService
+    kmsService,
+    licenseService
   });
 
   const secretSyncService = secretSyncServiceFactory({
     secretSyncDAL,
     permissionService,
     appConnectionService,
+    licenseService,
     folderDAL,
     secretSyncQueue,
     projectBotService,

backend/src/server/routes/v1/app-connection-routers/app-connection-endpoints.ts

@@ -143,7 +143,7 @@ export const registerAppConnectionEndpoints = <T extends TAppConnection, I exten
 
   server.route({
     method: "GET",
-    url: `/connection-name/:connectionName`,
+    url: `/name/:connectionName`,
     config: {
       rateLimit: readLimit
     },

backend/src/server/routes/v1/app-connection-routers/github-connection-router.ts

@@ -1,18 +1,13 @@
-import { z } from "zod";
-
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import {
   CreateGitHubConnectionSchema,
   SanitizedGitHubConnectionSchema,
   UpdateGitHubConnectionSchema
 } from "@app/services/app-connection/github";
-import { AuthMode } from "@app/services/auth/auth-type";
 
 import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
 
-export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) => {
+export const registerGitHubConnectionRouter = async (server: FastifyZodProvider) =>
   registerAppConnectionEndpoints({
     app: AppConnection.GitHub,
     server,
@@ -20,98 +15,3 @@ export const registerGitHubConnectionRouter = async (server: FastifyZodProvider)
     createSchema: CreateGitHubConnectionSchema,
     updateSchema: UpdateGitHubConnectionSchema
   });
-
-  // The below endpoints are not exposed and for Infisical App use
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/repositories`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          repositories: z
-            .object({ id: z.number(), name: z.string(), owner: z.object({ login: z.string(), id: z.number() }) })
-            .array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const repositories = await server.services.appConnection.github.listRepositories(connectionId, req.permission);
-
-      return { repositories };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/organizations`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z.object({
-          organizations: z.object({ id: z.number(), login: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const organizations = await server.services.appConnection.github.listOrganizations(connectionId, req.permission);
-
-      return { organizations };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/environments`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        repo: z.string().min(1, "Repository name is required"),
-        owner: z.string().min(1, "Repository owner name is required")
-      }),
-      response: {
-        200: z.object({
-          environments: z.object({ id: z.number(), name: z.string() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-      const { repo, owner } = req.query;
-
-      const environments = await server.services.appConnection.github.listEnvironments(
-        {
-          connectionId,
-          repo,
-          owner
-        },
-        req.permission
-      );
-
-      return { environments };
-    }
-  });
-};

backend/src/server/routes/v1/dashboard-router.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import { z } from "zod";
 
-import { ActionProjectType, SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
+import { SecretFoldersSchema, SecretImportsSchema, SecretTagsSchema } from "@app/db/schemas";
 import { EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import {
   ProjectPermissionDynamicSecretActions,
@@ -17,7 +17,6 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { SanitizedDynamicSecretSchema, secretRawSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretsOrderBy } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -117,7 +116,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -220,14 +218,13 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           totalCount: totalFolderCount ?? 0
         };
 
-      const { permission } = await server.services.permission.getProjectPermission({
-        actor: req.permission.type,
-        actorId: req.permission.id,
+      const { permission } = await server.services.permission.getProjectPermission(
+        req.permission.type,
+        req.permission.id,
         projectId,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        actionProjectType: ActionProjectType.SecretManager
-      });
+        req.permission.authMethod,
+        req.permission.orgId
+      );
 
       const allowedDynamicSecretEnvironments = // filter envs user has access to
         environments.filter((environment) =>
@@ -411,7 +408,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -697,7 +693,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -869,7 +864,6 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,

backend/src/server/routes/v1/integration-router.ts

@@ -131,7 +131,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
         appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
-        isActive: z.boolean().optional().describe(INTEGRATION.UPDATE.isActive),
+        isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
           .trim()

backend/src/server/routes/v1/invite-org-router.ts

@@ -73,40 +73,6 @@ export const registerInviteOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    url: "/signup-resend",
-    config: {
-      rateLimit: inviteUserRateLimit
-    },
-    method: "POST",
-    schema: {
-      body: z.object({
-        membershipId: z.string()
-      }),
-      response: {
-        200: z.object({
-          signupToken: z
-            .object({
-              email: z.string(),
-              link: z.string()
-            })
-            .optional()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      return server.services.org.resendOrgMemberInvitation({
-        orgId: req.permission.orgId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        membershipId: req.body.membershipId
-      });
-    }
-  });
-
   server.route({
     url: "/verify",
     method: "POST",

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -1,7 +1,6 @@
 import { z } from "zod";
 
 import { SecretSharingSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { SecretSharingAccessType } from "@app/lib/types";
 import {
   publicEndpointLimit,
@@ -89,21 +88,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         orgId: req.permission?.orgId
       });
 
-      if (sharedSecret.secret?.orgId) {
-        await server.services.auditLog.createAuditLog({
-          orgId: sharedSecret.secret.orgId,
-          ...req.auditLogInfo,
-          event: {
-            type: EventType.READ_SHARED_SECRET,
-            metadata: {
-              id: req.params.id,
-              name: sharedSecret.secret.name || undefined,
-              accessType: sharedSecret.secret.accessType
-            }
-          }
-        });
-      }
-
       return sharedSecret;
     }
   });
@@ -167,23 +151,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         actorOrgId: req.permission.orgId,
         ...req.body
       });
-
-      await server.services.auditLog.createAuditLog({
-        orgId: req.permission.orgId,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.CREATE_SHARED_SECRET,
-          metadata: {
-            accessType: req.body.accessType,
-            expiresAt: req.body.expiresAt,
-            expiresAfterViews: req.body.expiresAfterViews,
-            name: req.body.name,
-            id: sharedSecret.id,
-            usingPassword: !!req.body.password
-          }
-        }
-      });
-
       return { id: sharedSecret.id };
     }
   });
@@ -214,18 +181,6 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         sharedSecretId
       });
 
-      await server.services.auditLog.createAuditLog({
-        orgId: req.permission.orgId,
-        ...req.auditLogInfo,
-        event: {
-          type: EventType.DELETE_SHARED_SECRET,
-          metadata: {
-            id: sharedSecretId,
-            name: deletedSharedSecret.name || undefined
-          }
-        }
-      });
-
       return { ...deletedSharedSecret };
     }
   });

backend/src/server/routes/v1/secret-sync-routers/github-sync-router.ts

@@ -1,13 +0,0 @@
-import { CreateGitHubSyncSchema, GitHubSyncSchema, UpdateGitHubSyncSchema } from "@app/services/secret-sync/github";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
-
-export const registerGitHubSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.GitHub,
-    server,
-    responseSchema: GitHubSyncSchema,
-    createSchema: CreateGitHubSyncSchema,
-    updateSchema: UpdateGitHubSyncSchema
-  });

backend/src/server/routes/v1/secret-sync-routers/index.ts

@@ -1,11 +1,9 @@
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
 import { registerAwsParameterStoreSyncRouter } from "./aws-parameter-store-sync-router";
-import { registerGitHubSyncRouter } from "./github-sync-router";
 
 export * from "./secret-sync-router";
 
 export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: FastifyZodProvider) => Promise<void>> = {
-  [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter,
-  [SecretSync.GitHub]: registerGitHubSyncRouter
+  [SecretSync.AWSParameterStore]: registerAwsParameterStoreSyncRouter
 };

backend/src/server/routes/v1/secret-sync-routers/secret-sync-endpoints.ts

@@ -6,7 +6,7 @@ import { startsWithVowel } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import { TSecretSync, TSecretSyncInput } from "@app/services/secret-sync/secret-sync-types";
 
@@ -21,24 +21,18 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
   server: FastifyZodProvider;
   createSchema: z.ZodType<{
     name: string;
-    environment: string;
-    secretPath: string;
-    projectId: string;
+    folderId: string;
     connectionId: string;
     destinationConfig: I["destinationConfig"];
-    syncOptions: I["syncOptions"];
+    syncOptions?: I["syncOptions"];
     description?: string | null;
-    isAutoSyncEnabled?: boolean;
   }>;
   updateSchema: z.ZodType<{
-    connectionId?: string;
     name?: string;
-    environment?: string;
-    secretPath?: string;
+    folderId?: string;
     destinationConfig?: I["destinationConfig"];
     syncOptions?: I["syncOptions"];
     description?: string | null;
-    isAutoSyncEnabled?: boolean;
   }>;
   responseSchema: z.ZodTypeAny;
 }) => {
@@ -129,7 +123,7 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
 
   server.route({
     method: "GET",
-    url: `/sync-name/:syncName`,
+    url: `/name/:syncName`,
     config: {
       rateLimit: readLimit
     },
@@ -192,8 +186,10 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
+      const syncOptions = req.body.syncOptions ?? {};
+
       const secretSync = (await server.services.secretSync.createSecretSync(
-        { ...req.body, destination },
+        { ...req.body, destination, syncOptions },
         req.permission
       )) as T;
 
@@ -205,7 +201,8 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
           metadata: {
             syncId: secretSync.id,
             destination,
-            ...req.body
+            ...req.body,
+            syncOptions
           }
         }
       });
@@ -221,7 +218,7 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
       rateLimit: writeLimit
     },
     schema: {
-      description: `Update the specified ${destinationName} Sync.`,
+      description: `Update the specified ${destinationName} Connection.`,
       params: z.object({
         syncId: z.string().uuid().describe(SecretSyncs.UPDATE(destination).syncId)
       }),
@@ -263,17 +260,10 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
       rateLimit: writeLimit
     },
     schema: {
-      description: `Delete the specified ${destinationName} Sync.`,
+      description: `Delete the specified ${destinationName} Connection.`,
       params: z.object({
         syncId: z.string().uuid().describe(SecretSyncs.DELETE(destination).syncId)
       }),
-      querystring: z.object({
-        removeSecrets: z
-          .enum(["true", "false"])
-          .default("false")
-          .transform((value) => value === "true")
-          .describe(SecretSyncs.DELETE(destination).removeSecrets)
-      }),
       response: {
         200: z.object({ secretSync: responseSchema })
       }
@@ -281,10 +271,9 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const { syncId } = req.params;
-      const { removeSecrets } = req.query;
 
       const secretSync = (await server.services.secretSync.deleteSecretSync(
-        { destination, syncId, removeSecrets },
+        { destination, syncId },
         req.permission
       )) as T;
 
@@ -295,8 +284,7 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
           type: EventType.DELETE_SECRET_SYNC,
           metadata: {
             destination,
-            syncId,
-            removeSecrets
+            syncId
           }
         }
       });
@@ -307,14 +295,14 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
 
   server.route({
     method: "POST",
-    url: "/:syncId/sync-secrets",
+    url: "/:syncId/sync",
     config: {
       rateLimit: writeLimit
     },
     schema: {
       description: `Trigger a sync for the specified ${destinationName} Sync.`,
       params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.SYNC_SECRETS(destination).syncId)
+        syncId: z.string().uuid().describe(SecretSyncs.SYNC(destination).syncId)
       }),
       response: {
         200: z.object({ secretSync: responseSchema })
@@ -324,7 +312,7 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
     handler: async (req) => {
       const { syncId } = req.params;
 
-      const secretSync = (await server.services.secretSync.triggerSecretSyncSyncSecretsById(
+      const secretSync = (await server.services.secretSync.triggerSecretSyncById(
         {
           syncId,
           destination,
@@ -339,19 +327,21 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
 
   server.route({
     method: "POST",
-    url: "/:syncId/import-secrets",
+    url: "/:syncId/import",
     config: {
       rateLimit: writeLimit
     },
     schema: {
       description: `Import secrets from the specified ${destinationName} Sync destination.`,
       params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.IMPORT_SECRETS(destination).syncId)
+        syncId: z.string().uuid().describe(SecretSyncs.IMPORT(destination).syncId)
       }),
       querystring: z.object({
-        importBehavior: z
-          .nativeEnum(SecretSyncImportBehavior)
-          .describe(SecretSyncs.IMPORT_SECRETS(destination).importBehavior)
+        shouldOverwrite: z
+          .enum(["true", "false"])
+          .optional()
+          .transform((val) => val === "true")
+          .describe(SecretSyncs.IMPORT(destination).shouldOverwrite)
       }),
       response: {
         200: z.object({ secretSync: responseSchema })
@@ -360,13 +350,13 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const { syncId } = req.params;
-      const { importBehavior } = req.query;
+      const { shouldOverwrite } = req.query;
 
-      const secretSync = (await server.services.secretSync.triggerSecretSyncImportSecretsById(
+      const secretSync = (await server.services.secretSync.triggerSecretSyncImportById(
         {
           syncId,
           destination,
-          importBehavior
+          shouldOverwrite
         },
         req.permission
       )) as T;
@@ -377,14 +367,14 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
 
   server.route({
     method: "POST",
-    url: "/:syncId/remove-secrets",
+    url: "/:syncId/erase",
     config: {
       rateLimit: writeLimit
     },
     schema: {
-      description: `Remove previously synced secrets from the specified ${destinationName} Sync destination.`,
+      description: `Erase synced secrets from the specified ${destinationName} Sync destination.`,
       params: z.object({
-        syncId: z.string().uuid().describe(SecretSyncs.REMOVE_SECRETS(destination).syncId)
+        syncId: z.string().uuid().describe(SecretSyncs.ERASE(destination).syncId)
       }),
       response: {
         200: z.object({ secretSync: responseSchema })
@@ -394,7 +384,7 @@ export const registerSyncSecretsEndpoints = <T extends TSecretSync, I extends TS
     handler: async (req) => {
       const { syncId } = req.params;
 
-      const secretSync = (await server.services.secretSync.triggerSecretSyncRemoveSecretsById(
+      const secretSync = (await server.services.secretSync.triggerSecretSyncEraseById(
         {
           syncId,
           destination

backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts

@@ -9,14 +9,12 @@ import {
   AwsParameterStoreSyncListItemSchema,
   AwsParameterStoreSyncSchema
 } from "@app/services/secret-sync/aws-parameter-store";
-import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 
-const SecretSyncSchema = z.discriminatedUnion("destination", [AwsParameterStoreSyncSchema, GitHubSyncSchema]);
+// union once more available
+const SecretSyncSchema = AwsParameterStoreSyncSchema;
 
-const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
-  AwsParameterStoreSyncListItemSchema,
-  GitHubSyncListItemSchema
-]);
+// union once more available
+const SecretSyncOptionsSchema = AwsParameterStoreSyncListItemSchema;
 
 export const registerSecretSyncRouter = async (server: FastifyZodProvider) => {
   server.route({

backend/src/server/routes/v2/group-project-router.ts

@@ -16,7 +16,7 @@ import { ProjectUserMembershipTemporaryMode } from "@app/services/project-member
 export const registerGroupProjectRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
-    url: "/:projectId/groups/:groupIdOrName",
+    url: "/:projectId/groups/:groupId",
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     config: {
       rateLimit: writeLimit
@@ -30,7 +30,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
       ],
       params: z.object({
         projectId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.projectId),
-        groupIdOrName: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupIdOrName)
+        groupId: z.string().trim().describe(PROJECTS.ADD_GROUP_TO_PROJECT.groupId)
       }),
       body: z
         .object({
@@ -76,7 +76,7 @@ export const registerGroupProjectRouter = async (server: FastifyZodProvider) =>
         actorOrgId: req.permission.orgId,
         roles: req.body.roles || [{ role: req.body.role }],
         projectId: req.params.projectId,
-        groupIdOrName: req.params.groupIdOrName
+        groupId: req.params.groupId
       });
 
       return { groupMembership };

backend/src/server/routes/v3/secret-router.ts

@@ -18,7 +18,6 @@ import { getUserAgentType } from "@app/server/plugins/audit-log";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { ActorType, AuthMode } from "@app/services/auth/auth-type";
 import { ProjectFilterType } from "@app/services/project/project-types";
-import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 import { SecretOperations, SecretProtectionType } from "@app/services/secret/secret-types";
 import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
 
@@ -36,12 +35,6 @@ const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReference
   children: z.lazy(() => SecretReferenceNodeTree.array())
 });
 
-const SecretNameSchema = z
-  .string()
-  .trim()
-  .min(1)
-  .refine((el) => !el.includes(" "), "Secret name cannot contain spaces.");
-
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -57,7 +50,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: SecretNameSchema.describe(SECRETS.ATTACH_TAGS.secretName)
+        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
@@ -120,7 +113,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().describe(SECRETS.DETACH_TAGS.secretName)
+        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
@@ -212,7 +205,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           secrets: secretRawSchema
             .extend({
               secretPath: z.string().optional(),
-              secretMetadata: ResourceMetadataSchema.optional(),
               tags: SecretTagsSchema.pick({
                 id: true,
                 slug: true,
@@ -228,12 +220,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
               secretPath: z.string(),
               environment: z.string(),
               folderId: z.string().optional(),
-              secrets: secretRawSchema
-                .omit({ createdAt: true, updatedAt: true })
-                .extend({
-                  secretMetadata: ResourceMetadataSchema.optional()
-                })
-                .array()
+              secrets: secretRawSchema.omit({ createdAt: true, updatedAt: true }).array()
             })
             .array()
             .optional()
@@ -361,8 +348,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             })
               .extend({ name: z.string() })
               .array()
-              .optional(),
-            secretMetadata: ResourceMetadataSchema.optional()
+              .optional()
           })
         })
       }
@@ -448,7 +434,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
@@ -464,7 +450,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
           .describe(RAW_SECRETS.CREATE.secretValue),
         secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
-        secretMetadata: ResourceMetadataSchema.optional(),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds),
         skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.CREATE.type),
@@ -499,7 +484,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretValue: req.body.secretValue,
         skipMultilineEncoding: req.body.skipMultilineEncoding,
         secretComment: req.body.secretComment,
-        secretMetadata: req.body.secretMetadata,
         tagIds: req.body.tagIds,
         secretReminderNote: req.body.secretReminderNote,
         secretReminderRepeatDays: req.body.secretReminderRepeatDays
@@ -555,7 +539,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
@@ -574,14 +558,13 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.UPDATE.type),
         tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
         metadata: z.record(z.string()).optional(),
-        secretMetadata: ResourceMetadataSchema.optional(),
         secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
         secretReminderRepeatDays: z
           .number()
           .optional()
           .nullable()
           .describe(RAW_SECRETS.UPDATE.secretReminderRepeatDays),
-        newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+        newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
         secretComment: z.string().optional().describe(RAW_SECRETS.UPDATE.secretComment)
       }),
       response: {
@@ -612,10 +595,8 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         secretReminderNote: req.body.secretReminderNote,
         metadata: req.body.metadata,
         newSecretName: req.body.newSecretName,
-        secretComment: req.body.secretComment,
-        secretMetadata: req.body.secretMetadata
+        secretComment: req.body.secretComment
       });
-
       if (secretOperation.type === SecretProtectionType.Approval) {
         return { approval: secretOperation.approval };
       }
@@ -666,7 +647,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
@@ -1861,7 +1842,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.CREATE.secretPath),
         secrets: z
           .object({
-            secretKey: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
@@ -1869,7 +1850,6 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
             secretComment: z.string().trim().optional().default("").describe(RAW_SECRETS.CREATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.CREATE.skipMultilineEncoding),
             metadata: z.record(z.string()).optional(),
-            secretMetadata: ResourceMetadataSchema.optional(),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.CREATE.tagIds)
           })
           .array()
@@ -1962,17 +1942,16 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.UPDATE.secretPath),
         secrets: z
           .object({
-            secretKey: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
               .describe(RAW_SECRETS.UPDATE.secretValue),
             secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-            newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+            newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
             secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
-            secretMetadata: ResourceMetadataSchema.optional(),
             secretReminderRepeatDays: z
               .number()
               .optional()
@@ -2068,7 +2047,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.DELETE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().describe(RAW_SECRETS.DELETE.secretName),
+            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName),
             type: z.nativeEnum(SecretType).default(SecretType.Shared)
           })
           .array()

backend/src/services/app-connection/app-connection-service.ts

@@ -1,5 +1,6 @@
 import { ForbiddenError, subject } from "@casl/ability";
 
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionAppConnectionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { BadRequestError, DatabaseError, NotFoundError } from "@app/lib/errors";
@@ -22,7 +23,6 @@ import {
 } from "@app/services/app-connection/app-connection-types";
 import { ValidateAwsConnectionCredentialsSchema } from "@app/services/app-connection/aws";
 import { ValidateGitHubConnectionCredentialsSchema } from "@app/services/app-connection/github";
-import { githubConnectionService } from "@app/services/app-connection/github/github-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
 import { TAppConnectionDALFactory } from "./app-connection-dal";
@@ -31,6 +31,7 @@ export type TAppConnectionServiceFactoryDep = {
   appConnectionDAL: TAppConnectionDALFactory;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">; // TODO: remove once launched
 };
 
 export type TAppConnectionServiceFactory = ReturnType<typeof appConnectionServiceFactory>;
@@ -43,9 +44,19 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
 export const appConnectionServiceFactory = ({
   appConnectionDAL,
   permissionService,
-  kmsService
+  kmsService,
+  licenseService
 }: TAppConnectionServiceFactoryDep) => {
+  // app connections are disabled for public until launch
+  const checkAppServicesAvailability = async (orgId: string) => {
+    const subscription = await licenseService.getPlan(orgId);
+
+    if (!subscription.appConnections) throw new BadRequestError({ message: "App Connections are not available yet." });
+  };
+
   const listAppConnectionsByOrg = async (actor: OrgServiceActor, app?: AppConnection) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const { permission } = await permissionService.getOrgPermission(
       actor.type,
       actor.id,
@@ -75,6 +86,8 @@ export const appConnectionServiceFactory = ({
   };
 
   const findAppConnectionById = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const appConnection = await appConnectionDAL.findById(connectionId);
 
     if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@@ -99,6 +112,8 @@ export const appConnectionServiceFactory = ({
   };
 
   const findAppConnectionByName = async (app: AppConnection, connectionName: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const appConnection = await appConnectionDAL.findOne({ name: connectionName, orgId: actor.orgId });
 
     if (!appConnection)
@@ -127,6 +142,8 @@ export const appConnectionServiceFactory = ({
     { method, app, credentials, ...params }: TCreateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const { permission } = await permissionService.getOrgPermission(
       actor.type,
       actor.id,
@@ -193,6 +210,8 @@ export const appConnectionServiceFactory = ({
     { connectionId, credentials, ...params }: TUpdateAppConnectionDTO,
     actor: OrgServiceActor
   ) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const appConnection = await appConnectionDAL.findById(connectionId);
 
     if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@@ -279,6 +298,8 @@ export const appConnectionServiceFactory = ({
   };
 
   const deleteAppConnection = async (app: AppConnection, connectionId: string, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const appConnection = await appConnectionDAL.findById(connectionId);
 
     if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@@ -317,11 +338,7 @@ export const appConnectionServiceFactory = ({
     }
   };
 
-  const connectAppConnectionById = async <T extends TAppConnection>(
-    app: AppConnection,
-    connectionId: string,
-    actor: OrgServiceActor
-  ) => {
+  const connectAppConnectionById = async (connectionId: string, actor: OrgServiceActor) => {
     const appConnection = await appConnectionDAL.findById(connectionId);
 
     if (!appConnection) throw new NotFoundError({ message: `Could not find App Connection with ID ${connectionId}` });
@@ -339,19 +356,12 @@ export const appConnectionServiceFactory = ({
       subject(OrgPermissionSubjects.AppConnections, { connectionId: appConnection.id })
     );
 
-    if (appConnection.app !== app)
-      throw new BadRequestError({
-        message: `${
-          APP_CONNECTION_NAME_MAP[appConnection.app as AppConnection]
-        } Connection with ID ${connectionId} cannot be used to connect to ${APP_CONNECTION_NAME_MAP[app]}`
-      });
-
-    const connection = await decryptAppConnection(appConnection, kmsService);
-
-    return connection as T;
+    return decryptAppConnection(appConnection, kmsService);
   };
 
   const listAvailableAppConnectionsForUser = async (app: AppConnection, actor: OrgServiceActor) => {
+    await checkAppServicesAvailability(actor.orgId);
+
     const { permission: orgPermission } = await permissionService.getOrgPermission(
       actor.type,
       actor.id,
@@ -381,7 +391,6 @@ export const appConnectionServiceFactory = ({
     updateAppConnection,
     deleteAppConnection,
     connectAppConnectionById,
-    listAvailableAppConnectionsForUser,
-    github: githubConnectionService(connectAppConnectionById)
+    listAvailableAppConnectionsForUser
   };
 };

backend/src/services/app-connection/aws/aws-connection-schemas.ts

@@ -38,11 +38,11 @@ export const AwsConnectionSchema = z.intersection(
 export const SanitizedAwsConnectionSchema = z.discriminatedUnion("method", [
   BaseAwsConnectionSchema.extend({
     method: z.literal(AwsConnectionMethod.AssumeRole),
-    credentials: AwsConnectionAssumeRoleCredentialsSchema.pick({})
+    credentials: AwsConnectionAssumeRoleCredentialsSchema.omit({ roleArn: true })
   }),
   BaseAwsConnectionSchema.extend({
     method: z.literal(AwsConnectionMethod.AccessKey),
-    credentials: AwsConnectionAccessTokenCredentialsSchema.pick({ accessKeyId: true })
+    credentials: AwsConnectionAccessTokenCredentialsSchema.omit({ secretAccessKey: true })
   })
 ]);
 

backend/src/services/app-connection/github/github-connection-fns.ts

@@ -1,5 +1,3 @@
-import { createAppAuth } from "@octokit/auth-app";
-import { Octokit } from "@octokit/rest";
 import { AxiosResponse } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
@@ -10,7 +8,7 @@ import { IntegrationUrls } from "@app/services/integration-auth/integration-list
 
 import { AppConnection } from "../app-connection-enums";
 import { GitHubConnectionMethod } from "./github-connection-enums";
-import { TGitHubConnection, TGitHubConnectionConfig } from "./github-connection-types";
+import { TGitHubConnectionConfig } from "./github-connection-types";
 
 export const getGitHubConnectionListItem = () => {
   const { INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_ID, INF_APP_CONNECTION_GITHUB_APP_SLUG } = getConfig();
@@ -24,131 +22,10 @@ export const getGitHubConnectionListItem = () => {
   };
 };
 
-export const getGitHubClient = (appConnection: TGitHubConnection) => {
-  const appCfg = getConfig();
-
-  const { method, credentials } = appConnection;
-
-  let client: Octokit;
-
-  switch (method) {
-    case GitHubConnectionMethod.App:
-      if (!appCfg.INF_APP_CONNECTION_GITHUB_APP_ID || !appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY) {
-        throw new InternalServerError({
-          message: `GitHub ${getAppConnectionMethodName(method).replace(
-            "GitHub",
-            ""
-          )} environment variables have not been configured`
-        });
-      }
-
-      client = new Octokit({
-        authStrategy: createAppAuth,
-        auth: {
-          appId: appCfg.INF_APP_CONNECTION_GITHUB_APP_ID,
-          privateKey: appCfg.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY,
-          installationId: credentials.installationId
-        }
-      });
-      break;
-    case GitHubConnectionMethod.OAuth:
-      client = new Octokit({
-        auth: credentials.accessToken
-      });
-      break;
-    default:
-      throw new InternalServerError({
-        message: `Unhandled GitHub connection method: ${method as GitHubConnectionMethod}`
-      });
-  }
-
-  return client;
-};
-
-type GitHubOrganization = {
-  login: string;
-  id: number;
-};
-
-type GitHubRepository = {
-  id: number;
-  name: string;
-  owner: GitHubOrganization;
-};
-
-export const getGitHubRepositories = async (appConnection: TGitHubConnection) => {
-  const client = getGitHubClient(appConnection);
-
-  let repositories: GitHubRepository[];
-
-  switch (appConnection.method) {
-    case GitHubConnectionMethod.App:
-      repositories = await client.paginate("GET /installation/repositories");
-      break;
-    case GitHubConnectionMethod.OAuth:
-    default:
-      repositories = (await client.paginate("GET /user/repos")).filter((repo) => repo.permissions?.admin);
-      break;
-  }
-
-  return repositories;
-};
-
-export const getGitHubOrganizations = async (appConnection: TGitHubConnection) => {
-  const client = getGitHubClient(appConnection);
-
-  let organizations: GitHubOrganization[];
-
-  switch (appConnection.method) {
-    case GitHubConnectionMethod.App: {
-      const installationRepositories = await client.paginate("GET /installation/repositories");
-
-      const organizationMap: Record<string, GitHubOrganization> = {};
-
-      installationRepositories.forEach((repo) => {
-        if (repo.owner.type === "Organization") {
-          organizationMap[repo.owner.id] = repo.owner;
-        }
-      });
-
-      organizations = Object.values(organizationMap);
-
-      break;
-    }
-    case GitHubConnectionMethod.OAuth:
-    default:
-      organizations = await client.paginate("GET /user/orgs");
-      break;
-  }
-
-  return organizations;
-};
-
-export const getGitHubEnvironments = async (appConnection: TGitHubConnection, owner: string, repo: string) => {
-  const client = getGitHubClient(appConnection);
-
-  try {
-    const environments = await client.paginate("GET /repos/{owner}/{repo}/environments", {
-      owner,
-      repo
-    });
-
-    return environments;
-  } catch (e) {
-    // repo doesn't have envs
-    if ((e as { status: number }).status === 404) {
-      return [];
-    }
-
-    throw e;
-  }
-};
-
 type TokenRespData = {
   access_token: string;
   scope: string;
   token_type: string;
-  error?: string;
 };
 
 export const validateGitHubConnectionCredentials = async (config: TGitHubConnectionConfig) => {
@@ -176,10 +53,7 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
 
   if (!clientId || !clientSecret) {
     throw new InternalServerError({
-      message: `GitHub ${getAppConnectionMethodName(method).replace(
-        "GitHub",
-        ""
-      )} environment variables have not been configured`
+      message: `GitHub ${getAppConnectionMethodName(method)} environment variables have not been configured`
     });
   }
 
@@ -191,7 +65,7 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
         client_id: clientId,
         client_secret: clientSecret,
         code: credentials.code,
-        redirect_uri: `${SITE_URL}/organization/app-connections/github/oauth/callback`
+        redirect_uri: `${SITE_URL}/app-connections/github/oauth/callback`
       },
       headers: {
         Accept: "application/json",
@@ -216,8 +90,6 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
         id: number;
         account: {
           login: string;
-          type: string;
-          id: number;
         };
       }[];
     }>(IntegrationUrls.GITHUB_USER_INSTALLATIONS, {
@@ -239,13 +111,10 @@ export const validateGitHubConnectionCredentials = async (config: TGitHubConnect
     }
   }
 
-  if (!tokenResp.data.access_token) {
-    throw new InternalServerError({ message: `Missing access token: ${tokenResp.data.error}` });
-  }
-
   switch (method) {
     case GitHubConnectionMethod.App:
       return {
+        // access token not needed for GitHub App
         installationId: credentials.installationId
       };
     case GitHubConnectionMethod.OAuth:

backend/src/services/app-connection/github/github-connection-schemas.ts

@@ -74,11 +74,11 @@ export const GitHubConnectionSchema = z.intersection(
 export const SanitizedGitHubConnectionSchema = z.discriminatedUnion("method", [
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.App),
-    credentials: GitHubConnectionAppOutputCredentialsSchema.pick({})
+    credentials: GitHubConnectionAppOutputCredentialsSchema.omit({ installationId: true })
   }),
   BaseGitHubConnectionSchema.extend({
     method: z.literal(GitHubConnectionMethod.OAuth),
-    credentials: GitHubConnectionOAuthOutputCredentialsSchema.pick({})
+    credentials: GitHubConnectionOAuthOutputCredentialsSchema.omit({ accessToken: true })
   })
 ]);
 

backend/src/services/app-connection/github/github-connection-service.ts

@@ -1,55 +0,0 @@
-import { OrgServiceActor } from "@app/lib/types";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  getGitHubEnvironments,
-  getGitHubOrganizations,
-  getGitHubRepositories
-} from "@app/services/app-connection/github/github-connection-fns";
-import { TGitHubConnection } from "@app/services/app-connection/github/github-connection-types";
-
-type TGetAppConnectionFunc = (
-  app: AppConnection,
-  connectionId: string,
-  actor: OrgServiceActor
-) => Promise<TGitHubConnection>;
-
-type TListGitHubEnvironmentsDTO = {
-  connectionId: string;
-  repo: string;
-  owner: string;
-};
-
-export const githubConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
-  const listRepositories = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
-
-    const repositories = await getGitHubRepositories(appConnection);
-
-    return repositories;
-  };
-
-  const listOrganizations = async (connectionId: string, actor: OrgServiceActor) => {
-    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
-
-    const organizations = await getGitHubOrganizations(appConnection);
-
-    return organizations;
-  };
-
-  const listEnvironments = async (
-    { connectionId, repo, owner }: TListGitHubEnvironmentsDTO,
-    actor: OrgServiceActor
-  ) => {
-    const appConnection = await getAppConnection(AppConnection.GitHub, connectionId, actor);
-
-    const environments = await getGitHubEnvironments(appConnection, owner, repo);
-
-    return environments;
-  };
-
-  return {
-    listRepositories,
-    listOrganizations,
-    listEnvironments
-  };
-};

backend/src/services/auth/auth-type.ts

@@ -39,8 +39,7 @@ export enum ActorType { // would extend to AWS, Azure, ...
   SERVICE = "service",
   IDENTITY = "identity",
   Machine = "machine",
-  SCIM_CLIENT = "scimClient",
-  UNKNOWN_USER = "unknownUser"
+  SCIM_CLIENT = "scimClient"
 }
 
 // This will be null unless the token-type is JWT

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -5,7 +5,7 @@ import crypto, { KeyObject } from "crypto";
 import ms from "ms";
 import { z } from "zod";
 
-import { ActionProjectType, ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
+import { ProjectType, TCertificateAuthorities, TCertificateTemplates } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { getConfig } from "@app/lib/config/env";
@@ -136,14 +136,14 @@ export const certificateAuthorityServiceFactory = ({
       projectId = certManagerProjectFromSplit.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -305,14 +305,13 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
       ProjectPermissionSub.CertificateAuthorities
@@ -337,14 +336,14 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
@@ -363,14 +362,14 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -389,14 +388,13 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -451,14 +449,14 @@ export const certificateAuthorityServiceFactory = ({
 
     if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -722,14 +720,13 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -758,14 +755,13 @@ export const certificateAuthorityServiceFactory = ({
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
     if (!ca.activeCaCertId) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -839,14 +835,14 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: "CA not found" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -986,14 +982,14 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -1149,14 +1145,14 @@ export const certificateAuthorityServiceFactory = ({
       throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Certificates);
 
@@ -1478,14 +1474,14 @@ export const certificateAuthorityServiceFactory = ({
     }
 
     if (!dto.isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
-        actor: dto.actor,
-        actorId: dto.actorId,
-        projectId: ca.projectId,
-        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId,
-        actionProjectType: ActionProjectType.CertificateManager
-      });
+      const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+        dto.actor,
+        dto.actorId,
+        ca.projectId,
+        dto.actorAuthMethod,
+        dto.actorOrgId
+      );
+      ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
       ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Create,
@@ -1836,14 +1832,13 @@ export const certificateAuthorityServiceFactory = ({
     const ca = await certificateAuthorityDAL.findById(caId);
     if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/services/certificate-template/certificate-template-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import bcrypt from "bcrypt";
 
-import { ActionProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
+import { ProjectType, TCertificateTemplateEstConfigsUpdate } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -67,14 +67,14 @@ export const certificateTemplateServiceFactory = ({
         message: `CA with ID ${caId} not found`
       });
     }
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -129,14 +129,14 @@ export const certificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
@@ -187,14 +187,14 @@ export const certificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
@@ -214,14 +214,13 @@ export const certificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,
@@ -256,14 +255,14 @@ export const certificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
@@ -341,14 +340,14 @@ export const certificateTemplateServiceFactory = ({
       });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: certTemplate.projectId,
+      certTemplate.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
@@ -423,14 +422,13 @@ export const certificateTemplateServiceFactory = ({
     }
 
     if (!dto.isInternal) {
-      const { permission } = await permissionService.getProjectPermission({
-        actor: dto.actor,
-        actorId: dto.actorId,
-        projectId: certTemplate.projectId,
-        actorAuthMethod: dto.actorAuthMethod,
-        actorOrgId: dto.actorOrgId,
-        actionProjectType: ActionProjectType.CertificateManager
-      });
+      const { permission } = await permissionService.getProjectPermission(
+        dto.actor,
+        dto.actorId,
+        certTemplate.projectId,
+        dto.actorAuthMethod,
+        dto.actorOrgId
+      );
 
       ForbiddenError.from(permission).throwUnlessCan(
         ProjectPermissionActions.Edit,

backend/src/services/certificate/certificate-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
-import { ActionProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
@@ -50,14 +50,14 @@ export const certificateServiceFactory = ({
     const cert = await certificateDAL.findOne({ serialNumber });
     const ca = await certificateAuthorityDAL.findById(cert.caId);
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
 
@@ -74,14 +74,14 @@ export const certificateServiceFactory = ({
     const cert = await certificateDAL.findOne({ serialNumber });
     const ca = await certificateAuthorityDAL.findById(cert.caId);
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);
 
@@ -109,14 +109,14 @@ export const certificateServiceFactory = ({
     const cert = await certificateDAL.findOne({ serialNumber });
     const ca = await certificateAuthorityDAL.findById(cert.caId);
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.CertificateManager);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Certificates);
 
@@ -156,14 +156,13 @@ export const certificateServiceFactory = ({
     const cert = await certificateDAL.findOne({ serialNumber });
     const ca = await certificateAuthorityDAL.findById(cert.caId);
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: ca.projectId,
+      ca.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.CertificateManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Certificates);
 

backend/src/services/cmek/cmek-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 
-import { ActionProjectType, ProjectType } from "@app/db/schemas";
+import { ProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionCmekActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -34,14 +34,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
       projectId = cmekProjectFromSplit.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
       projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+      actor.authMethod,
+      actor.orgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.KMS);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Create, ProjectPermissionSub.Cmek);
 
     const cmek = await kmsService.generateKmsKey({
@@ -60,14 +60,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
-      projectId: key.projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.KMS);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Edit, ProjectPermissionSub.Cmek);
 
@@ -83,14 +83,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     if (!key.projectId || key.isReserved) throw new BadRequestError({ message: "Key is not customer managed" });
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
-      projectId: key.projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.KMS);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Delete, ProjectPermissionSub.Cmek);
 
@@ -109,14 +109,13 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
       projectId = cmekProjectFromSplit.id;
     }
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
+    const { permission } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
       projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+      actor.authMethod,
+      actor.orgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Read, ProjectPermissionSub.Cmek);
 
@@ -134,15 +133,15 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
-      projectId: key.projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
 
+    ForbidOnInvalidProjectType(ProjectType.KMS);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Encrypt, ProjectPermissionSub.Cmek);
 
     const encrypt = await kmsService.encryptWithKmsKey({ kmsId: keyId });
@@ -161,14 +160,14 @@ export const cmekServiceFactory = ({ kmsService, kmsDAL, permissionService, proj
 
     if (key.isDisabled) throw new BadRequestError({ message: "Key is disabled" });
 
-    const { permission } = await permissionService.getProjectPermission({
-      actor: actor.type,
-      actorId: actor.id,
-      projectId: key.projectId,
-      actorAuthMethod: actor.authMethod,
-      actorOrgId: actor.orgId,
-      actionProjectType: ActionProjectType.KMS
-    });
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
+      actor.type,
+      actor.id,
+      key.projectId,
+      actor.authMethod,
+      actor.orgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.KMS);
 
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionCmekActions.Decrypt, ProjectPermissionSub.Cmek);
 

backend/src/services/external-migration/external-migration-fns.ts

@@ -16,7 +16,6 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -36,8 +35,6 @@ export type TImportDataIntoInfisicalDTO = {
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "create">;
   secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany" | "create">;
 
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany">;
-
   folderDAL: Pick<TSecretFolderDALFactory, "create" | "findBySecretPath" | "findById">;
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
@@ -506,7 +503,6 @@ export const importDataIntoInfisicalFn = async ({
   secretTagDAL,
   secretVersionTagDAL,
   folderDAL,
-  resourceMetadataDAL,
   input: { data, actor, actorId, actorOrgId, actorAuthMethod }
 }: TImportDataIntoInfisicalDTO) => {
   // Import data to infisical
@@ -766,8 +762,6 @@ export const importDataIntoInfisicalFn = async ({
               };
             }),
             folderId: selectedFolder.id,
-            orgId: actorOrgId,
-            resourceMetadataDAL,
             secretDAL,
             secretVersionDAL,
             secretTagDAL,

backend/src/services/external-migration/external-migration-queue.ts

@@ -8,7 +8,6 @@ import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectServiceFactory } from "../project/project-service";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TProjectEnvServiceFactory } from "../project-env/project-env-service";
-import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "../secret-tag/secret-tag-dal";
 import { TSecretV2BridgeDALFactory } from "../secret-v2-bridge/secret-v2-bridge-dal";
@@ -36,8 +35,6 @@ export type TExternalMigrationQueueFactoryDep = {
   projectService: Pick<TProjectServiceFactory, "createProject">;
   projectEnvService: Pick<TProjectEnvServiceFactory, "createEnvironment">;
   secretV2BridgeService: Pick<TSecretV2BridgeServiceFactory, "createManySecret">;
-
-  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
 export type TExternalMigrationQueueFactory = ReturnType<typeof externalMigrationQueueFactory>;
@@ -55,8 +52,7 @@ export const externalMigrationQueueFactory = ({
   secretVersionDAL,
   secretTagDAL,
   secretVersionTagDAL,
-  folderDAL,
-  resourceMetadataDAL
+  folderDAL
 }: TExternalMigrationQueueFactoryDep) => {
   const startImport = async (dto: {
     actorEmail: string;
@@ -113,8 +109,7 @@ export const externalMigrationQueueFactory = ({
         kmsService,
         projectService,
         projectEnvService,
-        secretV2BridgeService,
-        resourceMetadataDAL
+        secretV2BridgeService
       });
 
       if (projectsNotImported.length) {

backend/src/services/group-project/group-project-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType, ProjectMembershipRole, SecretKeyEncoding, TGroups } from "@app/db/schemas";
+import { ProjectMembershipRole, SecretKeyEncoding } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@@ -9,7 +9,6 @@ import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
 import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
-import { isUuidV4 } from "@app/lib/validator";
 
 import { TGroupDALFactory } from "../../ee/services/group/group-dal";
 import { TUserGroupMembershipDALFactory } from "../../ee/services/group/user-group-membership-dal";
@@ -63,37 +62,29 @@ export const groupProjectServiceFactory = ({
     actorAuthMethod,
     roles,
     projectId,
-    groupIdOrName
+    groupId
   }: TCreateProjectGroupDTO) => {
     const project = await projectDAL.findById(projectId);
 
     if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
     if (project.version < 2) throw new BadRequestError({ message: `Failed to add group to E2EE project` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Groups);
 
-    let group: TGroups | null = null;
-    if (isUuidV4(groupIdOrName)) {
-      group = await groupDAL.findOne({ orgId: actorOrgId, id: groupIdOrName });
-    }
-    if (!group) {
-      group = await groupDAL.findOne({ orgId: actorOrgId, name: groupIdOrName });
-    }
-
-    if (!group) throw new NotFoundError({ message: `Failed to find group with ID or name ${groupIdOrName}` });
+    const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
+    if (!group) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });
 
     const existingGroup = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
     if (existingGroup)
       throw new BadRequestError({
-        message: `Group with ID ${group.id} already exists in project with id ${project.id}`
+        message: `Group with ID ${groupId} already exists in project with id ${project.id}`
       });
 
     for await (const { role: requestedRoleChange } of roles) {
@@ -136,7 +127,7 @@ export const groupProjectServiceFactory = ({
     const projectGroup = await groupProjectDAL.transaction(async (tx) => {
       const groupProjectMembership = await groupProjectDAL.create(
         {
-          groupId: group!.id,
+          groupId: group.id,
           projectId: project.id
         },
         tx
@@ -171,7 +162,7 @@ export const groupProjectServiceFactory = ({
       // share project key with users in group that have not
       // individually been added to the project and that are not part of
       // other groups that are in the project
-      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group!.id, project.id, tx);
+      const groupMembers = await userGroupMembershipDAL.findGroupMembersNotInProject(group.id, project.id, tx);
 
       if (groupMembers.length) {
         const ghostUser = await projectDAL.findProjectGhostUser(project.id, tx);
@@ -246,14 +237,13 @@ export const groupProjectServiceFactory = ({
 
     if (!project) throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Groups);
 
     const group = await groupDAL.findOne({ orgId: actorOrgId, id: groupId });
@@ -349,14 +339,13 @@ export const groupProjectServiceFactory = ({
     const groupProjectMembership = await groupProjectDAL.findOne({ groupId: group.id, projectId: project.id });
     if (!groupProjectMembership) throw new NotFoundError({ message: `Failed to find group with ID ${groupId}` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Groups);
 
     const deletedProjectGroup = await groupProjectDAL.transaction(async (tx) => {
@@ -394,14 +383,13 @@ export const groupProjectServiceFactory = ({
       throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
 
     const groupMemberships = await groupProjectDAL.findByProjectId(project.id);
@@ -422,14 +410,13 @@ export const groupProjectServiceFactory = ({
       throw new NotFoundError({ message: `Failed to find project with ID ${projectId}` });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      project.id,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Groups);
 
     const [groupMembership] = await groupProjectDAL.findByProjectId(project.id, {

backend/src/services/group-project/group-project-types.ts

@@ -3,7 +3,7 @@ import { TProjectPermission } from "@app/lib/types";
 import { ProjectUserMembershipTemporaryMode } from "../project-membership/project-membership-types";
 
 export type TCreateProjectGroupDTO = {
-  groupIdOrName: string;
+  groupId: string;
   roles: (
     | {
         role: string;

backend/src/services/identity-oidc-auth/identity-oidc-auth-fns.ts

@@ -2,11 +2,3 @@ import picomatch from "picomatch";
 
 export const doesFieldValueMatchOidcPolicy = (fieldValue: string, policyValue: string) =>
   policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
-
-export const doesAudValueMatchOidcPolicy = (fieldValue: string | string[], policyValue: string) => {
-  if (Array.isArray(fieldValue)) {
-    return fieldValue.some((entry) => entry === policyValue || picomatch.isMatch(entry, policyValue));
-  }
-
-  return policyValue === fieldValue || picomatch.isMatch(fieldValue, policyValue);
-};

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -27,7 +27,7 @@ import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identit
 import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
 import { TOrgBotDALFactory } from "../org/org-bot-dal";
 import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
-import { doesAudValueMatchOidcPolicy, doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
+import { doesFieldValueMatchOidcPolicy } from "./identity-oidc-auth-fns";
 import {
   TAttachOidcAuthDTO,
   TGetOidcAuthDTO,
@@ -148,7 +148,7 @@ export const identityOidcAuthServiceFactory = ({
       if (
         !identityOidcAuth.boundAudiences
           .split(", ")
-          .some((policyValue) => doesAudValueMatchOidcPolicy(tokenData.aud, policyValue))
+          .some((policyValue) => doesFieldValueMatchOidcPolicy(tokenData.aud, policyValue))
       ) {
         throw new UnauthorizedError({
           message: "Access denied: OIDC audience not allowed."

backend/src/services/identity-project/identity-project-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError, subject } from "@casl/ability";
 import ms from "ms";
 
-import { ActionProjectType, ProjectMembershipRole } from "@app/db/schemas";
+import { ProjectMembershipRole } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@@ -54,14 +54,13 @@ export const identityProjectServiceFactory = ({
     projectId,
     roles
   }: TCreateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Create,
       subject(ProjectPermissionSub.Identity, {
@@ -160,14 +159,13 @@ export const identityProjectServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TUpdateProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Edit,
       subject(ProjectPermissionSub.Identity, { identityId })
@@ -256,27 +254,25 @@ export const identityProjectServiceFactory = ({
       throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Delete,
       subject(ProjectPermissionSub.Identity, { identityId })
     );
 
-    const { permission: identityRolePermission } = await permissionService.getProjectPermission({
-      actor: ActorType.IDENTITY,
-      actorId: identityId,
-      projectId: identityProjectMembership.projectId,
+    const { permission: identityRolePermission } = await permissionService.getProjectPermission(
+      ActorType.IDENTITY,
+      identityId,
+      identityProjectMembership.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     if (!isAtLeastAsPrivileged(permission, identityRolePermission))
       throw new ForbiddenRequestError({ message: "Failed to delete more privileged identity" });
 
@@ -296,14 +292,13 @@ export const identityProjectServiceFactory = ({
     orderDirection,
     search
   }: TListProjectIdentityDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Identity);
 
     const identityMemberships = await identityProjectDAL.findByProjectId(projectId, {
@@ -327,14 +322,13 @@ export const identityProjectServiceFactory = ({
     actorOrgId,
     identityId
   }: TGetProjectIdentityByIdentityIdDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.Any
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(permission).throwUnlessCan(
       ProjectPermissionActions.Read,

backend/src/services/integration-auth/integration-auth-service.ts

@@ -5,7 +5,7 @@ import { Client as OctopusClient, SpaceRepository as OctopusSpaceRepository } fr
 import AWS from "aws-sdk";
 
 import {
-  ActionProjectType,
+  ProjectType,
   SecretEncryptionAlgo,
   SecretKeyEncoding,
   TIntegrationAuths,
@@ -97,14 +97,13 @@ export const integrationAuthServiceFactory = ({
     actorAuthMethod,
     projectId
   }: TProjectPermission) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const authorizations = await integrationAuthDAL.find({ projectId });
     return authorizations;
@@ -115,14 +114,13 @@ export const integrationAuthServiceFactory = ({
 
     return Promise.all(
       authorizations.filter(async (auth) => {
-        const { permission } = await permissionService.getProjectPermission({
+        const { permission } = await permissionService.getProjectPermission(
           actor,
           actorId,
-          projectId: auth.projectId,
+          auth.projectId,
           actorAuthMethod,
-          actorOrgId,
-          actionProjectType: ActionProjectType.SecretManager
-        });
+          actorOrgId
+        );
 
         return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
       })
@@ -133,14 +131,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     return integrationAuth;
   };
@@ -159,14 +156,14 @@ export const integrationAuthServiceFactory = ({
     if (!Object.values(Integrations).includes(integration as Integrations))
       throw new BadRequestError({ message: "Invalid integration" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
     const tokenExchange = await exchangeCode({ integration, code, url, installationId });
@@ -269,14 +266,14 @@ export const integrationAuthServiceFactory = ({
     if (!Object.values(Integrations).includes(integration as Integrations))
       throw new BadRequestError({ message: "Invalid integration" });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission, ForbidOnInvalidProjectType } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
+    ForbidOnInvalidProjectType(ProjectType.SecretManager);
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Create, ProjectPermissionSub.Integrations);
 
     const updateDoc: TIntegrationAuthsInsert = {
@@ -404,14 +401,13 @@ export const integrationAuthServiceFactory = ({
       throw new NotFoundError({ message: `Integration auth with id ${integrationAuthId} not found.` });
     }
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.Integrations);
 
     const { projectId } = integrationAuth;
@@ -666,14 +662,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
     const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -701,14 +696,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
 
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
@@ -732,14 +726,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -774,14 +767,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -803,14 +795,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
 
@@ -878,14 +869,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -926,14 +916,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -961,14 +950,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessId, accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1020,14 +1008,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1057,14 +1044,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1099,14 +1085,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1140,14 +1125,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1181,14 +1165,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID ${id} not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1221,14 +1204,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1262,14 +1244,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1331,14 +1312,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1406,14 +1386,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1457,14 +1436,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1506,14 +1484,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1575,14 +1552,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1617,14 +1593,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1730,14 +1705,13 @@ export const integrationAuthServiceFactory = ({
     actorAuthMethod,
     actorOrgId
   }: TDeleteIntegrationAuthsDTO) => {
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
     const integrations = await integrationAuthDAL.delete({ integration, projectId });
@@ -1754,14 +1728,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Delete, ProjectPermissionSub.Integrations);
 
     const delIntegrationAuth = await integrationAuthDAL.transaction(async (tx) => {
@@ -1788,28 +1761,26 @@ export const integrationAuthServiceFactory = ({
       throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
     }
 
-    const { permission: sourcePermission } = await permissionService.getProjectPermission({
+    const { permission: sourcePermission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(sourcePermission).throwUnlessCan(
       ProjectPermissionActions.Create,
       ProjectPermissionSub.Integrations
     );
 
-    const { permission: targetPermission } = await permissionService.getProjectPermission({
+    const { permission: targetPermission } = await permissionService.getProjectPermission(
       actor,
       actorId,
       projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
 
     ForbiddenError.from(targetPermission).throwUnlessCan(
       ProjectPermissionActions.Create,
@@ -1835,14 +1806,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);
@@ -1876,14 +1846,13 @@ export const integrationAuthServiceFactory = ({
     const integrationAuth = await integrationAuthDAL.findById(id);
     if (!integrationAuth) throw new NotFoundError({ message: `Integration auth with ID '${id}' not found` });
 
-    const { permission } = await permissionService.getProjectPermission({
+    const { permission } = await permissionService.getProjectPermission(
       actor,
       actorId,
-      projectId: integrationAuth.projectId,
+      integrationAuth.projectId,
       actorAuthMethod,
-      actorOrgId,
-      actionProjectType: ActionProjectType.SecretManager
-    });
+      actorOrgId
+    );
     ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
     const { shouldUseSecretV2Bridge, botKey } = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessToken } = await getIntegrationAccessToken(integrationAuth, shouldUseSecretV2Bridge, botKey);

backend/src/services/integration-auth/integration-list.ts

@@ -427,8 +427,3 @@ export const getIntegrationOptions = async () => {
 
   return INTEGRATION_OPTIONS;
 };
-
-export enum IntegrationMetadataSyncMode {
-  CUSTOM = "custom",
-  SECRET_METADATA = "secret-metadata"
-}

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -38,7 +38,6 @@ import { TCreateManySecretsRawFn, TUpdateManySecretsRawFn } from "@app/services/
 
 import { TIntegrationDALFactory } from "../integration/integration-dal";
 import { IntegrationMetadataSchema } from "../integration/integration-schema";
-import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { IntegrationAuthMetadataSchema } from "./integration-auth-schema";
 import {
   CircleCiScope,
@@ -49,7 +48,6 @@ import {
 import {
   IntegrationInitialSyncBehavior,
   IntegrationMappingBehavior,
-  IntegrationMetadataSyncMode,
   Integrations,
   IntegrationUrls
 } from "./integration-list";
@@ -932,22 +930,15 @@ const syncSecretsAWSParameterStore = async ({
           logger.info(
             `getIntegrationSecrets: create secret in AWS SSM for [projectId=${projectId}] [environment=${integration.environment.slug}]  [secretPath=${integration.secretPath}]`
           );
-
-          try {
-            await ssm
-              .putParameter({
-                Name: `${integration.path}${key}`,
-                Type: "SecureString",
-                Value: secrets[key].value,
-                ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId }),
-                Overwrite: true
-              })
-              .promise();
-          } catch (error) {
-            (error as { secretKey: string }).secretKey = key;
-            throw error;
-          }
-
+          await ssm
+            .putParameter({
+              Name: `${integration.path}${key}`,
+              Type: "SecureString",
+              Value: secrets[key].value,
+              ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId }),
+              Overwrite: true
+            })
+            .promise();
           if (metadata.secretAWSTag?.length) {
             try {
               await ssm
@@ -994,20 +985,15 @@ const syncSecretsAWSParameterStore = async ({
 
         // we ensure that the KMS key configured in the integration is applied for ALL parameters on AWS
         if (secrets[key].value && (shouldUpdateKms || awsParameterStoreSecretsObj[key].Value !== secrets[key].value)) {
-          try {
-            await ssm
-              .putParameter({
-                Name: `${integration.path}${key}`,
-                Type: "SecureString",
-                Value: secrets[key].value,
-                Overwrite: true,
-                ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId })
-              })
-              .promise();
-          } catch (error) {
-            (error as { secretKey: string }).secretKey = key;
-            throw error;
-          }
+          await ssm
+            .putParameter({
+              Name: `${integration.path}${key}`,
+              Type: "SecureString",
+              Value: secrets[key].value,
+              Overwrite: true,
+              ...(metadata.kmsKeyId && { KeyId: metadata.kmsKeyId })
+            })
+            .promise();
         }
 
         if (awsParameterStoreSecretsObj[key].Name) {
@@ -1096,14 +1082,14 @@ const syncSecretsAWSSecretManager = async ({
   projectId
 }: {
   integration: TIntegrations;
-  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
+  secrets: Record<string, { value: string; comment?: string }>;
   accessId: string | null;
   accessToken: string;
   awsAssumeRoleArn: string | null;
   projectId?: string;
 }) => {
   const appCfg = getConfig();
-  const metadata = IntegrationMetadataSchema.parse(integration.metadata || {});
+  const metadata = z.record(z.any()).parse(integration.metadata || {});
 
   if (!accessId && !awsAssumeRoleArn) {
     throw new Error("AWS access ID/AWS Assume Role is required");
@@ -1151,25 +1137,8 @@ const syncSecretsAWSSecretManager = async ({
 
   const processAwsSecret = async (
     secretId: string,
-    secretValue: Record<string, string | null | undefined> | string,
-    secretMetadata?: ResourceMetadataDTO
+    secretValue: Record<string, string | null | undefined> | string
   ) => {
-    const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
-    const shouldTag =
-      (secretAWSTag && secretAWSTag.length) ||
-      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA &&
-        metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE);
-    const tagArray =
-      (metadata.metadataSyncMode === IntegrationMetadataSyncMode.SECRET_METADATA ? secretMetadata : secretAWSTag) ?? [];
-
-    const integrationTagObj = tagArray.reduce(
-      (acc, item) => {
-        acc[item.key] = item.value;
-        return acc;
-      },
-      {} as Record<string, string>
-    );
-
     try {
       const awsSecretManagerSecret = await secretsManager.send(
         new GetSecretValueCommand({
@@ -1205,7 +1174,9 @@ const syncSecretsAWSSecretManager = async ({
         }
       }
 
-      if (shouldTag) {
+      const secretAWSTag = metadata.secretAWSTag as { key: string; value: string }[] | undefined;
+
+      if (secretAWSTag && secretAWSTag.length) {
         const describedSecret = await secretsManager.send(
           // requires secretsmanager:DescribeSecret policy
           new DescribeSecretCommand({
@@ -1215,6 +1186,14 @@ const syncSecretsAWSSecretManager = async ({
 
         if (!describedSecret.Tags) return;
 
+        const integrationTagObj = secretAWSTag.reduce(
+          (acc, item) => {
+            acc[item.key] = item.value;
+            return acc;
+          },
+          {} as Record<string, string>
+        );
+
         const awsTagObj = (describedSecret.Tags || []).reduce(
           (acc, item) => {
             if (item.Key && item.Value) {
@@ -1246,7 +1225,7 @@ const syncSecretsAWSSecretManager = async ({
           }
         });
 
-        tagArray.forEach((tag) => {
+        secretAWSTag?.forEach((tag) => {
           if (!(tag.key in awsTagObj)) {
             // create tag in AWS secret manager
             tagsToUpdate.push({
@@ -1283,8 +1262,8 @@ const syncSecretsAWSSecretManager = async ({
               Name: secretId,
               SecretString: typeof secretValue === "string" ? secretValue : JSON.stringify(secretValue),
               ...(metadata.kmsKeyId && { KmsKeyId: metadata.kmsKeyId }),
-              Tags: shouldTag
-                ? tagArray.map((tag: { key: string; value: string }) => ({
+              Tags: metadata.secretAWSTag
+                ? metadata.secretAWSTag.map((tag: { key: string; value: string }) => ({
                     Key: tag.key,
                     Value: tag.value
                   }))
@@ -1301,10 +1280,7 @@ const syncSecretsAWSSecretManager = async ({
 
   if (metadata.mappingBehavior === IntegrationMappingBehavior.ONE_TO_ONE) {
     for await (const [key, value] of Object.entries(secrets)) {
-      await processAwsSecret(key, value.value, value.secretMetadata).catch((error) => {
-        error.secretKey = key;
-        throw error;
-      });
+      await processAwsSecret(key, value.value);
     }
   } else {
     await processAwsSecret(integration.app as string, getSecretKeyValuePair(secrets));
@@ -2787,23 +2763,13 @@ const syncSecretsAzureDevops = async ({
  * Sync/push [secrets] to GitLab repo with name [integration.app]
  */
 const syncSecretsGitLab = async ({
-  createManySecretsRawFn,
   integrationAuth,
   integration,
   secrets,
   accessToken
 }: {
-  createManySecretsRawFn: (params: TCreateManySecretsRawFn) => Promise<Array<{ id: string }>>;
   integrationAuth: TIntegrationAuths;
-  integration: TIntegrations & {
-    projectId: string;
-    environment: {
-      id: string;
-      name: string;
-      slug: string;
-    };
-    secretPath: string;
-  };
+  integration: TIntegrations;
   secrets: Record<string, { value: string; comment?: string }>;
   accessToken: string;
 }) => {
@@ -2860,81 +2826,6 @@ const syncSecretsGitLab = async ({
       return isValid;
     });
 
-  if (!integration.lastUsed) {
-    const secretsToAddToInfisical: { [key: string]: GitLabSecret } = {};
-    const secretsToRemoveInGitlab: GitLabSecret[] = [];
-
-    if (!metadata.initialSyncBehavior) {
-      metadata.initialSyncBehavior = IntegrationInitialSyncBehavior.OVERWRITE_TARGET;
-    }
-
-    getSecretsRes.forEach((gitlabSecret) => {
-      // first time using integration
-      // -> apply initial sync behavior
-      switch (metadata.initialSyncBehavior) {
-        // Override all the secrets in GitLab
-        case IntegrationInitialSyncBehavior.OVERWRITE_TARGET: {
-          if (!(gitlabSecret.key in secrets)) {
-            secretsToRemoveInGitlab.push(gitlabSecret);
-          }
-          break;
-        }
-        case IntegrationInitialSyncBehavior.PREFER_SOURCE: {
-          // if the secret is not in infisical, we need to add it to infisical
-          if (!(gitlabSecret.key in secrets)) {
-            secrets[gitlabSecret.key] = {
-              value: gitlabSecret.value
-            };
-            // need to remove prefix and suffix from what we're saving to Infisical
-            const prefix = metadata?.secretPrefix || "";
-            const suffix = metadata?.secretSuffix || "";
-            let processedKey = gitlabSecret.key;
-
-            // Remove prefix if it exists at the start
-            if (prefix && processedKey.startsWith(prefix)) {
-              processedKey = processedKey.slice(prefix.length);
-            }
-
-            // Remove suffix if it exists at the end
-            if (suffix && processedKey.endsWith(suffix)) {
-              processedKey = processedKey.slice(0, -suffix.length);
-            }
-
-            secretsToAddToInfisical[processedKey] = gitlabSecret;
-          }
-          break;
-        }
-        default: {
-          throw new Error(`Invalid initial sync behavior: ${metadata.initialSyncBehavior}`);
-        }
-      }
-    });
-
-    if (Object.keys(secretsToAddToInfisical).length) {
-      await createManySecretsRawFn({
-        projectId: integration.projectId,
-        environment: integration.environment.slug,
-        path: integration.secretPath,
-        secrets: Object.keys(secretsToAddToInfisical).map((key) => ({
-          secretName: key,
-          secretValue: secretsToAddToInfisical[key].value,
-          type: SecretType.Shared
-        }))
-      });
-    }
-
-    for await (const gitlabSecret of secretsToRemoveInGitlab) {
-      await request.delete(
-        `${gitLabApiUrl}/v4/projects/${integration?.appId}/variables/${gitlabSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        }
-      );
-    }
-  }
-
   for await (const key of Object.keys(secrets)) {
     const existingSecret = getSecretsRes.find((s) => s.key === key);
     if (!existingSecret) {
@@ -3762,28 +3653,17 @@ const syncSecretsCloudflarePages = async ({
   );
 
   const metadata = z.record(z.any()).parse(integration.metadata);
-  if (metadata.shouldAutoRedeploy && integration.targetEnvironment === "production") {
-    await request
-      .post(
-        `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}/deployments`,
-        {},
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: "application/json"
-          }
+  if (metadata.shouldAutoRedeploy) {
+    await request.post(
+      `${IntegrationUrls.CLOUDFLARE_PAGES_API_URL}/client/v4/accounts/${accessId}/pages/projects/${integration.app}/deployments`,
+      {},
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json"
         }
-      )
-      .catch((error) => {
-        if (error instanceof AxiosError && error.response?.status === 304) {
-          logger.info(
-            `syncSecretsCloudflarePages: CF pages redeployment returned status code 304 for integration [id=${integration.id}]`
-          );
-          return;
-        }
-
-        throw error;
-      });
+      }
+    );
   }
 };
 
@@ -4560,7 +4440,7 @@ export const syncIntegrationSecrets = async ({
     secretPath: string;
   };
   integrationAuth: TIntegrationAuths;
-  secrets: Record<string, { value: string; comment?: string; secretMetadata?: ResourceMetadataDTO }>;
+  secrets: Record<string, { value: string; comment?: string }>;
   accessId: string | null;
   awsAssumeRoleArn: string | null;
   accessToken: string;
@@ -4665,8 +4545,7 @@ export const syncIntegrationSecrets = async ({
         integrationAuth,
         integration,
         secrets,
-        accessToken,
-        createManySecretsRawFn
+        accessToken
       });
       break;
     case Integrations.RENDER: