fix: filter project template policies based on type

.infisicalignore

@@ -28,15 +28,3 @@ frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow
 docs/cli/commands/user.mdx:generic-api-key:51
 frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretOverviewTableRow.tsx:generic-api-key:76
 docs/integrations/app-connections/hashicorp-vault.mdx:generic-api-key:188
-cli/detect/config/gitleaks.toml:gcp-api-key:567
-cli/detect/config/gitleaks.toml:gcp-api-key:569
-cli/detect/config/gitleaks.toml:gcp-api-key:570
-cli/detect/config/gitleaks.toml:gcp-api-key:572
-cli/detect/config/gitleaks.toml:gcp-api-key:574
-cli/detect/config/gitleaks.toml:gcp-api-key:575
-cli/detect/config/gitleaks.toml:gcp-api-key:576
-cli/detect/config/gitleaks.toml:gcp-api-key:577
-cli/detect/config/gitleaks.toml:gcp-api-key:578
-cli/detect/config/gitleaks.toml:gcp-api-key:579
-cli/detect/config/gitleaks.toml:gcp-api-key:581
-cli/detect/config/gitleaks.toml:gcp-api-key:582

Dockerfile.fips.standalone-infisical

@@ -133,8 +133,8 @@ RUN apt-get update && apt-get install -y \
 RUN printf "[FreeTDS]\nDescription = FreeTDS Driver\nDriver = /usr/lib/x86_64-linux-gnu/odbc/libtdsodbc.so\nSetup = /usr/lib/x86_64-linux-gnu/odbc/libtdsS.so\nFileUsage = 1\n" > /etc/odbcinst.ini
 
 # Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
     && rm -rf /var/lib/apt/lists/*
 
 RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs non-root-user
@@ -171,7 +171,6 @@ ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
 ENV ChrystokiConfigurationPath=/usr/safenet/lunaclient/
-ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 WORKDIR /backend
 

Dockerfile.standalone-infisical

@@ -127,8 +127,8 @@ RUN apt-get update && apt-get install -y \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical=0.41.2 \
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash \
+    && apt-get update && apt-get install -y infisical=0.31.1 \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -168,7 +168,6 @@ ENV HTTPS_ENABLED false
 ENV NODE_ENV production
 ENV STANDALONE_BUILD true 
 ENV STANDALONE_MODE true
-ENV NODE_OPTIONS="--max-old-space-size=1024"
 
 WORKDIR /backend
 

backend/Dockerfile

@@ -54,8 +54,8 @@ COPY --from=build /app .
 
 # Install Infisical CLI
 RUN apt-get install -y curl bash && \
-    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
-    apt-get update && apt-get install -y infisical=0.41.2 git
+    curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
+    apt-get update && apt-get install -y infisical=0.8.1 git
 
 HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \  
   CMD node healthcheck.js

backend/Dockerfile.dev

@@ -55,9 +55,9 @@ RUN mkdir -p /etc/softhsm2/tokens && \
 # ? App setup
 
 # Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.2
+    apt-get install -y infisical=0.8.1
 
 WORKDIR /app
 

backend/Dockerfile.dev.fips

@@ -64,9 +64,9 @@ RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \
 # ? App setup
 
 # Install Infisical CLI
-RUN curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash && \
+RUN curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash && \
     apt-get update && \
-    apt-get install -y infisical=0.41.2
+    apt-get install -y infisical=0.8.1
 
 WORKDIR /app
 

backend/e2e-test/mocks/keystore.ts

@@ -1,8 +1,4 @@
-import RE2 from "re2";
-
 import { TKeyStoreFactory } from "@app/keystore/keystore";
-import { applyJitter } from "@app/lib/dates";
-import { delay as delayMs } from "@app/lib/delay";
 import { Lock } from "@app/lib/red-lock";
 
 export const mockKeyStore = (): TKeyStoreFactory => {
@@ -22,27 +18,6 @@ export const mockKeyStore = (): TKeyStoreFactory => {
       delete store[key];
       return 1;
     },
-    deleteItems: async ({ pattern, batchSize = 500, delay = 1500, jitter = 200 }) => {
-      const regex = new RE2(`^${pattern.replace(/[-[\]/{}()+?.\\^$|]/g, "\\$&").replace(/\*/g, ".*")}$`);
-      let totalDeleted = 0;
-      const keys = Object.keys(store);
-
-      for (let i = 0; i < keys.length; i += batchSize) {
-        const batch = keys.slice(i, i + batchSize);
-
-        for (const key of batch) {
-          if (regex.test(key)) {
-            delete store[key];
-            totalDeleted += 1;
-          }
-        }
-
-        // eslint-disable-next-line no-await-in-loop
-        await delayMs(Math.max(0, applyJitter(delay, jitter)));
-      }
-
-      return totalDeleted;
-    },
     getItem: async (key) => {
       const value = store[key];
       if (typeof value === "string") {

backend/e2e-test/vitest-environment-knex.ts

@@ -15,8 +15,8 @@ import { mockSmtpServer } from "./mocks/smtp";
 import { initDbConnection } from "@app/db";
 import { queueServiceFactory } from "@app/queue";
 import { keyStoreFactory } from "@app/keystore/keystore";
+import { Redis } from "ioredis";
 import { initializeHsmModule } from "@app/ee/services/hsm/hsm-fns";
-import { buildRedisFromConfig } from "@app/lib/config/redis";
 
 dotenv.config({ path: path.join(__dirname, "../../.env.test"), debug: true });
 export default {
@@ -30,7 +30,7 @@ export default {
       dbRootCert: envConfig.DB_ROOT_CERT
     });
 
-    const redis = buildRedisFromConfig(envConfig);
+    const redis = new Redis(envConfig.REDIS_URL);
     await redis.flushdb("SYNC");
 
     try {
@@ -55,8 +55,8 @@ export default {
       });
 
       const smtp = mockSmtpServer();
-      const queue = queueServiceFactory(envConfig, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
-      const keyStore = keyStoreFactory(envConfig);
+      const queue = queueServiceFactory(envConfig.REDIS_URL, { dbConnectionUrl: envConfig.DB_CONNECTION_URI });
+      const keyStore = keyStoreFactory(envConfig.REDIS_URL);
 
       const hsmModule = initializeHsmModule(envConfig);
       hsmModule.initialize();

backend/package.json

@@ -38,8 +38,8 @@
     "build:frontend": "npm run build --prefix ../frontend",
     "start": "node --enable-source-maps dist/main.mjs",
     "type:check": "tsc --noEmit",
-    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
-    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
+    "lint:fix": "eslint --fix --ext js,ts ./src",
+    "lint": "eslint 'src/**/*.ts'",
     "test:unit": "vitest run -c vitest.unit.config.ts",
     "test:e2e": "vitest run -c vitest.e2e.config.ts --bail=1",
     "test:e2e-watch": "vitest -c vitest.e2e.config.ts --bail=1",
@@ -131,7 +131,6 @@
     "@aws-sdk/client-elasticache": "^3.637.0",
     "@aws-sdk/client-iam": "^3.525.0",
     "@aws-sdk/client-kms": "^3.609.0",
-    "@aws-sdk/client-route-53": "^3.810.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -153,8 +152,7 @@
     "@infisical/quic": "^1.0.8",
     "@node-saml/passport-saml": "^5.0.1",
     "@octokit/auth-app": "^7.1.1",
-    "@octokit/core": "^5.2.1",
-    "@octokit/plugin-paginate-graphql": "^4.0.1",
+    "@octokit/plugin-paginate-graphql": "^5.2.4",
     "@octokit/plugin-retry": "^5.0.5",
     "@octokit/rest": "^20.0.2",
     "@octokit/webhooks-types": "^7.3.1",
@@ -175,7 +173,6 @@
     "@slack/oauth": "^3.0.2",
     "@slack/web-api": "^7.8.0",
     "@ucast/mongo2js": "^1.3.4",
-    "acme-client": "^5.4.0",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
     "aws-sdk": "^2.1553.0",
@@ -211,7 +208,6 @@
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.8",
     "nodemailer": "^6.9.9",
-    "oci-sdk": "^2.108.0",
     "odbc": "^2.4.9",
     "openid-client": "^5.6.5",
     "ora": "^7.0.1",
@@ -244,6 +240,6 @@
     "tweetnacl-util": "^0.15.1",
     "uuid": "^9.0.1",
     "zod": "^3.22.4",
-    "zod-to-json-schema": "^3.24.5"
+    "zod-to-json-schema": "^3.22.4"
   }
 }

backend/src/@types/fastify.d.ts

@@ -53,7 +53,6 @@ import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TCertificateServiceFactory } from "@app/services/certificate/certificate-service";
 import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
-import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TCmekServiceFactory } from "@app/services/cmek/cmek-service";
 import { TExternalGroupOrgRoleMappingServiceFactory } from "@app/services/external-group-org-role-mapping/external-group-org-role-mapping-service";
@@ -67,9 +66,6 @@ import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-a
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/identity-jwt-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
-import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
-import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
-import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -82,7 +78,6 @@ import { TOrgServiceFactory } from "@app/services/org/org-service";
 import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
 import { TPkiAlertServiceFactory } from "@app/services/pki-alert/pki-alert-service";
 import { TPkiCollectionServiceFactory } from "@app/services/pki-collection/pki-collection-service";
-import { TPkiSubscriberServiceFactory } from "@app/services/pki-subscriber/pki-subscriber-service";
 import { TProjectServiceFactory } from "@app/services/project/project-service";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TProjectEnvServiceFactory } from "@app/services/project-env/project-env-service";
@@ -111,7 +106,6 @@ import { TWorkflowIntegrationServiceFactory } from "@app/services/workflow-integ
 declare module "@fastify/request-context" {
   interface RequestContextData {
     reqId: string;
-    orgId?: string;
     identityAuthInfo?: {
       identityId: string;
       oidc?: {
@@ -152,13 +146,6 @@ declare module "fastify" {
       providerAuthToken: string;
       externalProviderAccessToken?: string;
     };
-    passportMachineIdentity: {
-      identityId: string;
-      user: {
-        uid: string;
-        mail?: string;
-      };
-    };
     kmipUser: {
       projectId: string;
       clientId: string;
@@ -166,9 +153,7 @@ declare module "fastify" {
     };
     auditLogInfo: Pick<TCreateAuditLogDTO, "userAgent" | "userAgentType" | "ipAddress" | "actor">;
     ssoConfig: Awaited<ReturnType<TSamlConfigServiceFactory["getSaml"]>>;
-    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>> & {
-      allowedFields?: TAllowedFields[];
-    };
+    ldapConfig: Awaited<ReturnType<TLdapConfigServiceFactory["getLdapCfg"]>>;
   }
 
   interface FastifyInstance {
@@ -212,10 +197,8 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
-      identityOciAuth: TIdentityOciAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
-      identityLdapAuth: TIdentityLdapAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@@ -237,7 +220,6 @@ declare module "fastify" {
       certificateAuthorityCrl: TCertificateAuthorityCrlServiceFactory;
       certificateEst: TCertificateEstServiceFactory;
       pkiCollection: TPkiCollectionServiceFactory;
-      pkiSubscriber: TPkiSubscriberServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;
       trustedIp: TTrustedIpServiceFactory;
@@ -270,7 +252,6 @@ declare module "fastify" {
       microsoftTeams: TMicrosoftTeamsServiceFactory;
       assumePrivileges: TAssumePrivilegeServiceFactory;
       githubOrgSync: TGithubOrgSyncServiceFactory;
-      internalCertificateAuthority: TInternalCertificateAuthorityServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -68,9 +68,6 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
-  TExternalCertificateAuthorities,
-  TExternalCertificateAuthoritiesInsert,
-  TExternalCertificateAuthoritiesUpdate,
   TExternalGroupOrgRoleMappings,
   TExternalGroupOrgRoleMappingsInsert,
   TExternalGroupOrgRoleMappingsUpdate,
@@ -122,9 +119,6 @@ import {
   TIdentityMetadata,
   TIdentityMetadataInsert,
   TIdentityMetadataUpdate,
-  TIdentityOciAuths,
-  TIdentityOciAuthsInsert,
-  TIdentityOciAuthsUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -158,9 +152,6 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
-  TInternalCertificateAuthorities,
-  TInternalCertificateAuthoritiesInsert,
-  TInternalCertificateAuthoritiesUpdate,
   TInternalKms,
   TInternalKmsInsert,
   TInternalKmsUpdate,
@@ -218,9 +209,6 @@ import {
   TPkiCollections,
   TPkiCollectionsInsert,
   TPkiCollectionsUpdate,
-  TPkiSubscribers,
-  TPkiSubscribersInsert,
-  TPkiSubscribersUpdate,
   TProjectBots,
   TProjectBotsInsert,
   TProjectBotsUpdate,
@@ -444,11 +432,6 @@ import {
   TWorkflowIntegrationsInsert,
   TWorkflowIntegrationsUpdate
 } from "@app/db/schemas";
-import {
-  TIdentityLdapAuths,
-  TIdentityLdapAuthsInsert,
-  TIdentityLdapAuthsUpdate
-} from "@app/db/schemas/identity-ldap-auths";
 import {
   TMicrosoftTeamsIntegrations,
   TMicrosoftTeamsIntegrationsInsert,
@@ -544,16 +527,6 @@ declare module "knex/types/tables" {
       TCertificateAuthorityCrlInsert,
       TCertificateAuthorityCrlUpdate
     >;
-    [TableName.InternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TInternalCertificateAuthorities,
-      TInternalCertificateAuthoritiesInsert,
-      TInternalCertificateAuthoritiesUpdate
-    >;
-    [TableName.ExternalCertificateAuthority]: KnexOriginal.CompositeTableType<
-      TExternalCertificateAuthorities,
-      TExternalCertificateAuthoritiesInsert,
-      TExternalCertificateAuthoritiesUpdate
-    >;
     [TableName.Certificate]: KnexOriginal.CompositeTableType<TCertificates, TCertificatesInsert, TCertificatesUpdate>;
     [TableName.CertificateTemplate]: KnexOriginal.CompositeTableType<
       TCertificateTemplates,
@@ -586,11 +559,6 @@ declare module "knex/types/tables" {
       TPkiCollectionItemsInsert,
       TPkiCollectionItemsUpdate
     >;
-    [TableName.PkiSubscriber]: KnexOriginal.CompositeTableType<
-      TPkiSubscribers,
-      TPkiSubscribersInsert,
-      TPkiSubscribersUpdate
-    >;
     [TableName.UserGroupMembership]: KnexOriginal.CompositeTableType<
       TUserGroupMembership,
       TUserGroupMembershipInsert,
@@ -757,11 +725,6 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
-    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
-      TIdentityOciAuths,
-      TIdentityOciAuthsInsert,
-      TIdentityOciAuthsUpdate
-    >;
     [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
       TIdentityOidcAuths,
       TIdentityOidcAuthsInsert,
@@ -772,11 +735,6 @@ declare module "knex/types/tables" {
       TIdentityJwtAuthsInsert,
       TIdentityJwtAuthsUpdate
     >;
-    [TableName.IdentityLdapAuth]: KnexOriginal.CompositeTableType<
-      TIdentityLdapAuths,
-      TIdentityLdapAuthsInsert,
-      TIdentityLdapAuthsUpdate
-    >;
     [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,

backend/src/db/migrations/20250429203304_certificates-ca-relation-removal.ts

@@ -1,44 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.Certificate, "projectId");
-    if (!hasProjectIdColumn) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId", 36).nullable();
-        t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      });
-
-      await knex.raw(`
-          UPDATE "${TableName.Certificate}" cert
-          SET "projectId" = ca."projectId"
-          FROM "${TableName.CertificateAuthority}" ca
-          WHERE cert."caId" = ca.id
-        `);
-
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.string("projectId").notNullable().alter();
-      });
-    }
-
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caId").nullable().alter();
-      t.uuid("caCertId").nullable().alter();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.Certificate)) {
-    if (await knex.schema.hasColumn(TableName.Certificate, "projectId")) {
-      await knex.schema.alterTable(TableName.Certificate, (t) => {
-        t.dropForeign("projectId");
-        t.dropColumn("projectId");
-      });
-    }
-  }
-
-  // Altering back to notNullable for caId and caCertId will fail
-}

backend/src/db/migrations/20250429232917_store-cert-secret-key-and-chain.ts

@@ -3,7 +3,7 @@ import { Knex } from "knex";
 import { TableName } from "../schemas";
 
 export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain"))) {
+  if (await knex.schema.hasTable(TableName.CertificateBody)) {
     await knex.schema.alterTable(TableName.CertificateBody, (t) => {
       t.binary("encryptedCertificateChain").nullable();
     });
@@ -25,7 +25,7 @@ export async function down(knex: Knex): Promise<void> {
     await knex.schema.dropTable(TableName.CertificateSecret);
   }
 
-  if (await knex.schema.hasColumn(TableName.CertificateBody, "encryptedCertificateChain")) {
+  if (await knex.schema.hasTable(TableName.CertificateBody)) {
     await knex.schema.alterTable(TableName.CertificateBody, (t) => {
       t.dropColumn("encryptedCertificateChain");
     });

backend/src/db/migrations/20250430174352_email-case-change.ts

@@ -1,47 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasEmail = await knex.schema.hasColumn(TableName.Users, "email");
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasEmail) {
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .update({
-        // @ts-expect-error email assume string this is expected
-        email: knex.raw("lower(email)")
-      });
-  }
-  if (hasUsername) {
-    await knex.schema.raw(`
-      CREATE INDEX IF NOT EXISTS ${TableName.Users}_lower_username_idx 
-      ON ${TableName.Users} (LOWER(username))
-    `);
-
-    const duplicatesSubquery = knex(TableName.Users)
-      .select(knex.raw("lower(username) as lowercase_username"))
-      .groupBy("lowercase_username")
-      .having(knex.raw("count(*)"), ">", 1);
-
-    // Update usernames to lowercase where they won't create duplicates
-    await knex(TableName.Users)
-      .where({ isGhost: false })
-      .whereRaw("username <> lower(username)") // Only update if not already lowercase
-      // @ts-expect-error username assume string this is expected
-      .whereNotIn(knex.raw("lower(username)"), duplicatesSubquery)
-      .update({
-        // @ts-expect-error username assume string this is expected
-        username: knex.raw("lower(username)")
-      });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasUsername = await knex.schema.hasColumn(TableName.Users, "username");
-  if (hasUsername) {
-    await knex.schema.raw(`
-  DROP INDEX IF EXISTS ${TableName.Users}_lower_username_idx
-`);
-  }
-}

backend/src/db/migrations/20250501164905_add-groups-to-ssh-host-login-user-mappings.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId"))) {
-    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.uuid("groupId").nullable();
-      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
-      t.unique(["sshHostLoginUserId", "groupId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.SshHostLoginUserMapping, "groupId")) {
-    await knex.schema.alterTable(TableName.SshHostLoginUserMapping, (t) => {
-      t.dropUnique(["sshHostLoginUserId", "groupId"]);
-      t.dropColumn("groupId");
-    });
-  }
-}

backend/src/db/migrations/20250507003056_identity-ldap-auth.ts

@@ -1,39 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityLdapAuth))) {
-    await knex.schema.createTable(TableName.IdentityLdapAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-
-      t.binary("encryptedBindDN").notNullable();
-      t.binary("encryptedBindPass").notNullable();
-      t.binary("encryptedLdapCaCertificate").nullable();
-
-      t.string("url").notNullable();
-      t.string("searchBase").notNullable();
-      t.string("searchFilter").notNullable();
-
-      t.jsonb("allowedFields").nullable();
-
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityLdapAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityLdapAuth);
-}

backend/src/db/migrations/20250508160957_pki-subscriber.ts

@@ -1,46 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.PkiSubscriber))) {
-    await knex.schema.createTable(TableName.PkiSubscriber, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.timestamps(true, true, true);
-      t.string("projectId").notNullable();
-      t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
-      t.uuid("caId").nullable();
-      t.foreign("caId").references("id").inTable(TableName.CertificateAuthority).onDelete("SET NULL");
-      t.string("name").notNullable();
-      t.string("commonName").notNullable();
-      t.specificType("subjectAlternativeNames", "text[]").notNullable();
-      t.string("ttl").notNullable();
-      t.specificType("keyUsages", "text[]").notNullable();
-      t.specificType("extendedKeyUsages", "text[]").notNullable();
-      t.string("status").notNullable(); // active / disabled
-      t.unique(["projectId", "name"]);
-    });
-    await createOnUpdateTrigger(knex, TableName.PkiSubscriber);
-  }
-
-  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
-  if (!hasSubscriberCol) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("pkiSubscriberId").nullable();
-      t.foreign("pkiSubscriberId").references("id").inTable(TableName.PkiSubscriber).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSubscriberCol = await knex.schema.hasColumn(TableName.Certificate, "pkiSubscriberId");
-  if (hasSubscriberCol) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.dropColumn("pkiSubscriberId");
-    });
-  }
-
-  await knex.schema.dropTableIfExists(TableName.PkiSubscriber);
-  await dropOnUpdateTrigger(knex, TableName.PkiSubscriber);
-}

backend/src/db/migrations/20250508210717_identity-oci-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityOciAuth))) {
-    await knex.schema.createTable(TableName.IdentityOciAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-
-      t.string("tenancyOcid").notNullable();
-      t.string("allowedUsernames").nullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityOciAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityOciAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityOciAuth);
-}

backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts

@@ -1,25 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
-
-  if (!hasGatewayIdColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.uuid("gatewayId").nullable();
-      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
-
-  if (hasGatewayIdColumn) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
-      table.dropForeign("gatewayId");
-      table.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts

@@ -1,110 +0,0 @@
-import { Knex } from "knex";
-
-import { inMemoryKeyStore } from "@app/keystore/memory";
-import { selectAllTableCols } from "@app/lib/knex";
-import { initLogger } from "@app/lib/logger";
-import { KmsDataKey } from "@app/services/kms/kms-types";
-
-import { TableName } from "../schemas";
-import { getMigrationEnvConfig } from "./utils/env-config";
-import { getMigrationEncryptionServices } from "./utils/services";
-
-// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
-// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
-
-const BATCH_SIZE = 500;
-
-export async function up(knex: Knex): Promise<void> {
-  // eslint-disable-next-line no-param-reassign
-  knex.replicaNode = () => {
-    return knex;
-  };
-
-  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
-      table.uuid("gatewayId").nullable();
-      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
-
-      table.index("gatewayId");
-    });
-
-    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
-      .select(selectAllTableCols(TableName.DynamicSecret))
-      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
-      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
-      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
-      .select(
-        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
-        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
-      );
-
-    initLogger();
-    const envConfig = getMigrationEnvConfig();
-    const keyStore = inMemoryKeyStore();
-    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
-
-    const updatedDynamicSecrets = await Promise.all(
-      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
-        if (!existingDynamicSecret.projectGatewayGatewayId) {
-          const result = {
-            ...existingDynamicSecret,
-            gatewayId: null
-          };
-
-          const { projectId, projectGatewayGatewayId, ...rest } = result;
-          return rest;
-        }
-
-        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: existingDynamicSecret.projectId
-        });
-        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
-          type: KmsDataKey.SecretManager,
-          projectId: existingDynamicSecret.projectId
-        });
-
-        let decryptedStoredInput = JSON.parse(
-          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
-        ) as object;
-
-        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
-        decryptedStoredInput = {
-          ...decryptedStoredInput,
-          gatewayId: existingDynamicSecret.projectGatewayGatewayId
-        };
-
-        const encryptedInput = secretManagerEncryptor({
-          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
-        }).cipherTextBlob;
-
-        const result = {
-          ...existingDynamicSecret,
-          encryptedInput,
-          gatewayId: existingDynamicSecret.projectGatewayGatewayId
-        };
-
-        const { projectId, projectGatewayGatewayId, ...rest } = result;
-        return rest;
-      })
-    );
-
-    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
-      // eslint-disable-next-line no-await-in-loop
-      await knex(TableName.DynamicSecret)
-        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
-        .onConflict("id")
-        .merge();
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  // no re-encryption needed as we keep the old projectGatewayId in the input
-  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
-    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
-      table.dropForeign("gatewayId");
-      table.dropColumn("gatewayId");
-    });
-  }
-}

backend/src/db/migrations/20250515164622_select-org-products.ts

@@ -1,53 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const columns = await knex.table(TableName.Organization).columnInfo();
-
-  await knex.schema.alterTable(TableName.Organization, (t) => {
-    if (!columns.secretsProductEnabled) {
-      t.boolean("secretsProductEnabled").defaultTo(true);
-    }
-    if (!columns.pkiProductEnabled) {
-      t.boolean("pkiProductEnabled").defaultTo(true);
-    }
-    if (!columns.kmsProductEnabled) {
-      t.boolean("kmsProductEnabled").defaultTo(true);
-    }
-    if (!columns.sshProductEnabled) {
-      t.boolean("sshProductEnabled").defaultTo(true);
-    }
-    if (!columns.scannerProductEnabled) {
-      t.boolean("scannerProductEnabled").defaultTo(true);
-    }
-    if (!columns.shareSecretsProductEnabled) {
-      t.boolean("shareSecretsProductEnabled").defaultTo(true);
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const columns = await knex.table(TableName.Organization).columnInfo();
-
-  await knex.schema.alterTable(TableName.Organization, (t) => {
-    if (columns.secretsProductEnabled) {
-      t.dropColumn("secretsProductEnabled");
-    }
-    if (columns.pkiProductEnabled) {
-      t.dropColumn("pkiProductEnabled");
-    }
-    if (columns.kmsProductEnabled) {
-      t.dropColumn("kmsProductEnabled");
-    }
-    if (columns.sshProductEnabled) {
-      t.dropColumn("sshProductEnabled");
-    }
-    if (columns.scannerProductEnabled) {
-      t.dropColumn("scannerProductEnabled");
-    }
-    if (columns.shareSecretsProductEnabled) {
-      t.dropColumn("shareSecretsProductEnabled");
-    }
-  });
-}

backend/src/db/migrations/20250516021501_toggle-secret-sharing-on-project.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
-  if (!hasSecretSharingColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.boolean("secretSharing").notNullable().defaultTo(true);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasSecretSharingColumn = await knex.schema.hasColumn(TableName.Project, "secretSharing");
-  if (hasSecretSharingColumn) {
-    await knex.schema.table(TableName.Project, (table) => {
-      table.dropColumn("secretSharing");
-    });
-  }
-}

backend/src/db/migrations/20250516192508_secret-sharing-limits-for-org.ts

@@ -1,35 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
-  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
-
-  if (!hasLifetimeColumn || !hasViewLimitColumn) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      if (!hasLifetimeColumn) {
-        t.integer("maxSharedSecretLifetime").nullable().defaultTo(2592000); // 30 days in seconds
-      }
-      if (!hasViewLimitColumn) {
-        t.integer("maxSharedSecretViewLimit").nullable();
-      }
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasLifetimeColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretLifetime");
-  const hasViewLimitColumn = await knex.schema.hasColumn(TableName.Organization, "maxSharedSecretViewLimit");
-
-  if (hasLifetimeColumn || hasViewLimitColumn) {
-    await knex.schema.alterTable(TableName.Organization, (t) => {
-      if (hasLifetimeColumn) {
-        t.dropColumn("maxSharedSecretLifetime");
-      }
-      if (hasViewLimitColumn) {
-        t.dropColumn("maxSharedSecretViewLimit");
-      }
-    });
-  }
-}

backend/src/db/migrations/20250517002223_secret-share-to-specific-emails.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
-
-    if (!hasEncryptedSalt || !hasAuthorizedEmails) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        // These two columns are only needed when secrets are shared with a specific list of emails
-
-        if (!hasEncryptedSalt) {
-          t.binary("encryptedSalt").nullable();
-        }
-
-        if (!hasAuthorizedEmails) {
-          t.json("authorizedEmails").nullable();
-        }
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-    const hasAuthorizedEmails = await knex.schema.hasColumn(TableName.SecretSharing, "authorizedEmails");
-
-    if (hasEncryptedSalt || hasAuthorizedEmails) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        if (hasEncryptedSalt) {
-          t.dropColumn("encryptedSalt");
-        }
-
-        if (hasAuthorizedEmails) {
-          t.dropColumn("authorizedEmails");
-        }
-      });
-    }
-  }
-}

backend/src/db/migrations/20250521061831_increase-name-sizes.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable(TableName.SecretSync, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.ProjectTemplates, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.AppConnection, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-  await knex.schema.alterTable(TableName.SecretRotationV2, (t) => {
-    t.string("name", 64).notNullable().alter();
-  });
-}
-
-export async function down(): Promise<void> {
-  // No down migration or it will error
-}

backend/src/db/migrations/20250521110635_add-external-ca-pki.ts

@@ -1,205 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import { Knex } from "knex";
-
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
-  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
-  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
-
-  if (hasCATable && !hasInternalCATable) {
-    await knex.schema.createTableLike(TableName.InternalCertificateAuthority, TableName.CertificateAuthority, (t) => {
-      t.uuid("caId").nullable();
-    });
-
-    // @ts-expect-error intentional: migration
-    await knex(TableName.InternalCertificateAuthority).insert(knex(TableName.CertificateAuthority).select("*"));
-    await knex(TableName.InternalCertificateAuthority).update("caId", knex.ref("id"));
-
-    await knex.schema.alterTable(TableName.InternalCertificateAuthority, (t) => {
-      t.dropColumn("projectId");
-      t.dropColumn("requireTemplateForIssuance");
-      t.dropColumn("createdAt");
-      t.dropColumn("updatedAt");
-      t.dropColumn("status");
-      t.uuid("parentCaId")
-        .nullable()
-        .references("id")
-        .inTable(TableName.CertificateAuthority)
-        .onDelete("CASCADE")
-        .alter();
-      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert).alter();
-      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE").alter();
-    });
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.renameColumn("requireTemplateForIssuance", "enableDirectIssuance");
-      t.string("name").nullable();
-    });
-
-    // prefill name for existing internal CAs and flip enableDirectIssuance
-    const cas = await knex(TableName.CertificateAuthority).select("id", "friendlyName", "enableDirectIssuance");
-    await Promise.all(
-      cas.map((ca) => {
-        const slugifiedName = ca.friendlyName
-          ? slugify(`${ca.friendlyName.slice(0, 16)}-${alphaNumericNanoId(8)}`)
-          : slugify(alphaNumericNanoId(12));
-
-        return knex(TableName.CertificateAuthority)
-          .where({ id: ca.id })
-          .update({ name: slugifiedName, enableDirectIssuance: !ca.enableDirectIssuance });
-      })
-    );
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.dropColumn("parentCaId");
-      t.dropColumn("type");
-      t.dropColumn("friendlyName");
-      t.dropColumn("organization");
-      t.dropColumn("ou");
-      t.dropColumn("country");
-      t.dropColumn("province");
-      t.dropColumn("locality");
-      t.dropColumn("commonName");
-      t.dropColumn("dn");
-      t.dropColumn("serialNumber");
-      t.dropColumn("maxPathLength");
-      t.dropColumn("keyAlgorithm");
-      t.dropColumn("notBefore");
-      t.dropColumn("notAfter");
-      t.dropColumn("activeCaCertId");
-      t.boolean("enableDirectIssuance").notNullable().defaultTo(true).alter();
-      t.string("name").notNullable().alter();
-      t.unique(["name", "projectId"]);
-    });
-  }
-
-  if (!hasExternalCATable) {
-    await knex.schema.createTable(TableName.ExternalCertificateAuthority, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("type").notNullable();
-      t.uuid("appConnectionId").nullable();
-      t.foreign("appConnectionId").references("id").inTable(TableName.AppConnection);
-      t.uuid("dnsAppConnectionId").nullable();
-      t.foreign("dnsAppConnectionId").references("id").inTable(TableName.AppConnection);
-      t.uuid("caId").notNullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.binary("credentials");
-      t.json("configuration");
-    });
-  }
-
-  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
-    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
-      t.string("ttl").nullable().alter();
-
-      t.boolean("enableAutoRenewal").notNullable().defaultTo(false);
-      t.integer("autoRenewalPeriodInDays");
-      t.datetime("lastAutoRenewAt");
-
-      t.string("lastOperationStatus");
-      t.text("lastOperationMessage");
-      t.dateTime("lastOperationAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasCATable = await knex.schema.hasTable(TableName.CertificateAuthority);
-  const hasExternalCATable = await knex.schema.hasTable(TableName.ExternalCertificateAuthority);
-  const hasInternalCATable = await knex.schema.hasTable(TableName.InternalCertificateAuthority);
-
-  if (hasCATable && hasInternalCATable) {
-    // First add all columns as nullable
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.uuid("parentCaId").nullable().references("id").inTable(TableName.CertificateAuthority).onDelete("CASCADE");
-      t.string("type").nullable();
-      t.string("friendlyName").nullable();
-      t.string("organization").nullable();
-      t.string("ou").nullable();
-      t.string("country").nullable();
-      t.string("province").nullable();
-      t.string("locality").nullable();
-      t.string("commonName").nullable();
-      t.string("dn").nullable();
-      t.string("serialNumber").nullable().unique();
-      t.integer("maxPathLength").nullable();
-      t.string("keyAlgorithm").nullable();
-      t.timestamp("notBefore").nullable();
-      t.timestamp("notAfter").nullable();
-      t.uuid("activeCaCertId").nullable().references("id").inTable(TableName.CertificateAuthorityCert);
-      t.renameColumn("enableDirectIssuance", "requireTemplateForIssuance");
-      t.dropColumn("name");
-    });
-
-    // flip requireTemplateForIssuance for existing internal CAs
-    const cas = await knex(TableName.CertificateAuthority).select("id", "requireTemplateForIssuance");
-    await Promise.all(
-      cas.map((ca) => {
-        return (
-          knex(TableName.CertificateAuthority)
-            .where({ id: ca.id })
-            // @ts-expect-error intentional: migration
-            .update({ requireTemplateForIssuance: !ca.requireTemplateForIssuance })
-        );
-      })
-    );
-
-    await knex.raw(`
-      UPDATE ${TableName.CertificateAuthority} ca
-      SET
-        type = ica.type,
-        "friendlyName" = ica."friendlyName",
-        organization = ica.organization,
-        ou = ica.ou,
-        country = ica.country,
-        province = ica.province,
-        locality = ica.locality,
-        "commonName" = ica."commonName",
-        dn = ica.dn,
-        "parentCaId" = ica."parentCaId",
-        "serialNumber" = ica."serialNumber",
-        "maxPathLength" = ica."maxPathLength",
-        "keyAlgorithm" = ica."keyAlgorithm",
-        "notBefore" = ica."notBefore",
-        "notAfter" = ica."notAfter",
-        "activeCaCertId" = ica."activeCaCertId"
-      FROM ${TableName.InternalCertificateAuthority} ica
-      WHERE ca.id = ica."caId"
-    `);
-
-    await knex.schema.alterTable(TableName.CertificateAuthority, (t) => {
-      t.string("type").notNullable().alter();
-      t.string("friendlyName").notNullable().alter();
-      t.string("organization").notNullable().alter();
-      t.string("ou").notNullable().alter();
-      t.string("country").notNullable().alter();
-      t.string("province").notNullable().alter();
-      t.string("locality").notNullable().alter();
-      t.string("commonName").notNullable().alter();
-      t.string("dn").notNullable().alter();
-      t.string("keyAlgorithm").notNullable().alter();
-      t.boolean("requireTemplateForIssuance").notNullable().defaultTo(false).alter();
-    });
-
-    await knex.schema.dropTable(TableName.InternalCertificateAuthority);
-  }
-
-  if (hasExternalCATable) {
-    await knex.schema.dropTable(TableName.ExternalCertificateAuthority);
-  }
-
-  if (await knex.schema.hasTable(TableName.PkiSubscriber)) {
-    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
-      t.dropColumn("enableAutoRenewal");
-      t.dropColumn("autoRenewalPeriodInDays");
-      t.dropColumn("lastAutoRenewAt");
-
-      t.dropColumn("lastOperationStatus");
-      t.dropColumn("lastOperationMessage");
-      t.dropColumn("lastOperationAt");
-    });
-  }
-}

backend/src/db/migrations/20250527164523_add-mi-access-token-period.ts

@@ -1,139 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-
-  if (!(await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod"))) {
-    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
-      t.bigInteger("accessTokenPeriod").defaultTo(0).notNullable();
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.IdentityAccessToken, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityAwsAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAwsAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityOidcAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityOidcAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityAzureAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityAzureAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityGcpAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityGcpAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityJwtAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityJwtAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityLdapAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityLdapAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityOciAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityOciAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.IdentityTokenAuth, "accessTokenPeriod")) {
-    await knex.schema.alterTable(TableName.IdentityTokenAuth, (t) => {
-      t.dropColumn("accessTokenPeriod");
-    });
-  }
-}

backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts

@@ -1,27 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-
-    if (hasEncryptedSalt) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.dropColumn("encryptedSalt");
-      });
-    }
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasTable(TableName.SecretSharing)) {
-    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
-
-    if (!hasEncryptedSalt) {
-      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
-        t.binary("encryptedSalt").nullable();
-      });
-    }
-  }
-}

backend/src/db/schemas/certificate-authorities.ts

@@ -11,10 +11,25 @@ export const CertificateAuthoritiesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
+  parentCaId: z.string().uuid().nullable().optional(),
   projectId: z.string(),
-  enableDirectIssuance: z.boolean().default(true),
+  type: z.string(),
   status: z.string(),
-  name: z.string()
+  friendlyName: z.string(),
+  organization: z.string(),
+  ou: z.string(),
+  country: z.string(),
+  province: z.string(),
+  locality: z.string(),
+  commonName: z.string(),
+  dn: z.string(),
+  serialNumber: z.string().nullable().optional(),
+  maxPathLength: z.number().nullable().optional(),
+  keyAlgorithm: z.string(),
+  notBefore: z.date().nullable().optional(),
+  notAfter: z.date().nullable().optional(),
+  activeCaCertId: z.string().uuid().nullable().optional(),
+  requireTemplateForIssuance: z.boolean().default(false)
 });
 
 export type TCertificateAuthorities = z.infer<typeof CertificateAuthoritiesSchema>;

backend/src/db/schemas/certificates.ts

@@ -11,7 +11,7 @@ export const CertificatesSchema = z.object({
   id: z.string().uuid(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  caId: z.string().uuid().nullable().optional(),
+  caId: z.string().uuid(),
   status: z.string(),
   serialNumber: z.string(),
   friendlyName: z.string(),
@@ -21,12 +21,10 @@ export const CertificatesSchema = z.object({
   revokedAt: z.date().nullable().optional(),
   revocationReason: z.number().nullable().optional(),
   altNames: z.string().nullable().optional(),
-  caCertId: z.string().uuid().nullable().optional(),
+  caCertId: z.string().uuid(),
   certificateTemplateId: z.string().uuid().nullable().optional(),
   keyUsages: z.string().array().nullable().optional(),
-  extendedKeyUsages: z.string().array().nullable().optional(),
-  pkiSubscriberId: z.string().uuid().nullable().optional(),
-  projectId: z.string()
+  extendedKeyUsages: z.string().array().nullable().optional()
 });
 
 export type TCertificates = z.infer<typeof CertificatesSchema>;

backend/src/db/schemas/dynamic-secrets.ts

@@ -27,8 +27,7 @@ export const DynamicSecretsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional()
 });
 
 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;

backend/src/db/schemas/external-certificate-authorities.ts

@@ -1,29 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const ExternalCertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  type: z.string(),
-  appConnectionId: z.string().uuid().nullable().optional(),
-  dnsAppConnectionId: z.string().uuid().nullable().optional(),
-  caId: z.string().uuid(),
-  credentials: zodBuffer.nullable().optional(),
-  configuration: z.unknown().nullable().optional()
-});
-
-export type TExternalCertificateAuthorities = z.infer<typeof ExternalCertificateAuthoritiesSchema>;
-export type TExternalCertificateAuthoritiesInsert = Omit<
-  z.input<typeof ExternalCertificateAuthoritiesSchema>,
-  TImmutableDBKeys
->;
-export type TExternalCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof ExternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/identity-access-tokens.ts

@@ -21,8 +21,7 @@ export const IdentityAccessTokensSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   name: z.string().nullable().optional(),
-  authMethod: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  authMethod: z.string()
 });
 
 export type TIdentityAccessTokens = z.infer<typeof IdentityAccessTokensSchema>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -19,8 +19,7 @@ export const IdentityAwsAuthsSchema = z.object({
   type: z.string(),
   stsEndpoint: z.string(),
   allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedAccountIds: z.string()
 });
 
 export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;

backend/src/db/schemas/identity-azure-auths.ts

@@ -18,8 +18,7 @@ export const IdentityAzureAuthsSchema = z.object({
   identityId: z.string().uuid(),
   tenantId: z.string(),
   resource: z.string(),
-  allowedServicePrincipalIds: z.string(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedServicePrincipalIds: z.string()
 });
 
 export type TIdentityAzureAuths = z.infer<typeof IdentityAzureAuthsSchema>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -19,8 +19,7 @@ export const IdentityGcpAuthsSchema = z.object({
   type: z.string(),
   allowedServiceAccounts: z.string().nullable().optional(),
   allowedProjects: z.string().nullable().optional(),
-  allowedZones: z.string().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  allowedZones: z.string().nullable().optional()
 });
 
 export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;

backend/src/db/schemas/identity-jwt-auths.ts

@@ -25,8 +25,7 @@ export const IdentityJwtAuthsSchema = z.object({
   boundClaims: z.unknown(),
   boundSubject: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  updatedAt: z.date()
 });
 
 export type TIdentityJwtAuths = z.infer<typeof IdentityJwtAuthsSchema>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -29,9 +29,7 @@ export const IdentityKubernetesAuthsSchema = z.object({
   allowedNames: z.string(),
   allowedAudience: z.string(),
   encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
-  gatewayId: z.string().uuid().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
 });
 
 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;

backend/src/db/schemas/identity-ldap-auths.ts

@@ -1,33 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { zodBuffer } from "@app/lib/zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityLdapAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  identityId: z.string().uuid(),
-  encryptedBindDN: zodBuffer,
-  encryptedBindPass: zodBuffer,
-  encryptedLdapCaCertificate: zodBuffer.nullable().optional(),
-  url: z.string(),
-  searchBase: z.string(),
-  searchFilter: z.string(),
-  allowedFields: z.unknown().nullable().optional(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  accessTokenPeriod: z.coerce.number().default(0)
-});
-
-export type TIdentityLdapAuths = z.infer<typeof IdentityLdapAuthsSchema>;
-export type TIdentityLdapAuthsInsert = Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityLdapAuthsUpdate = Partial<Omit<z.input<typeof IdentityLdapAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oci-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityOciAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  tenancyOcid: z.string(),
-  allowedUsernames: z.string().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
-});
-
-export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;
-export type TIdentityOciAuthsInsert = Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityOciAuthsUpdate = Partial<Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -27,8 +27,7 @@ export const IdentityOidcAuthsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   encryptedCaCertificate: zodBuffer.nullable().optional(),
-  claimMetadataMapping: z.unknown().nullable().optional(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  claimMetadataMapping: z.unknown().nullable().optional()
 });
 
 export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;

backend/src/db/schemas/identity-token-auths.ts

@@ -15,8 +15,7 @@ export const IdentityTokenAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  identityId: z.string().uuid()
 });
 
 export type TIdentityTokenAuths = z.infer<typeof IdentityTokenAuthsSchema>;

backend/src/db/schemas/identity-universal-auths.ts

@@ -17,8 +17,7 @@ export const IdentityUniversalAuthsSchema = z.object({
   accessTokenTrustedIps: z.unknown(),
   createdAt: z.date(),
   updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  identityId: z.string().uuid()
 });
 
 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;

backend/src/db/schemas/index.ts

@@ -20,7 +20,6 @@ export * from "./certificate-templates";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
-export * from "./external-certificate-authorities";
 export * from "./external-group-org-role-mappings";
 export * from "./external-kms";
 export * from "./gateways";
@@ -38,7 +37,6 @@ export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
-export * from "./identity-oci-auths";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
@@ -50,7 +48,6 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
-export * from "./internal-certificate-authorities";
 export * from "./internal-kms";
 export * from "./kmip-client-certificates";
 export * from "./kmip-clients";
@@ -72,7 +69,6 @@ export * from "./organizations";
 export * from "./pki-alerts";
 export * from "./pki-collection-items";
 export * from "./pki-collections";
-export * from "./pki-subscribers";
 export * from "./project-bots";
 export * from "./project-environments";
 export * from "./project-gateways";

backend/src/db/schemas/internal-certificate-authorities.ts

@@ -1,38 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const InternalCertificateAuthoritiesSchema = z.object({
-  id: z.string().uuid(),
-  parentCaId: z.string().uuid().nullable().optional(),
-  type: z.string(),
-  friendlyName: z.string(),
-  organization: z.string(),
-  ou: z.string(),
-  country: z.string(),
-  province: z.string(),
-  locality: z.string(),
-  commonName: z.string(),
-  dn: z.string(),
-  serialNumber: z.string().nullable().optional(),
-  maxPathLength: z.number().nullable().optional(),
-  keyAlgorithm: z.string(),
-  notBefore: z.date().nullable().optional(),
-  notAfter: z.date().nullable().optional(),
-  activeCaCertId: z.string().uuid().nullable().optional(),
-  caId: z.string().uuid()
-});
-
-export type TInternalCertificateAuthorities = z.infer<typeof InternalCertificateAuthoritiesSchema>;
-export type TInternalCertificateAuthoritiesInsert = Omit<
-  z.input<typeof InternalCertificateAuthoritiesSchema>,
-  TImmutableDBKeys
->;
-export type TInternalCertificateAuthoritiesUpdate = Partial<
-  Omit<z.input<typeof InternalCertificateAuthoritiesSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/models.ts

@@ -13,8 +13,6 @@ export enum TableName {
   SshCertificate = "ssh_certificates",
   SshCertificateBody = "ssh_certificate_bodies",
   CertificateAuthority = "certificate_authorities",
-  ExternalCertificateAuthority = "external_certificate_authorities",
-  InternalCertificateAuthority = "internal_certificate_authorities",
   CertificateTemplateEstConfig = "certificate_template_est_configs",
   CertificateAuthorityCert = "certificate_authority_certs",
   CertificateAuthoritySecret = "certificate_authority_secret",
@@ -23,7 +21,6 @@ export enum TableName {
   CertificateBody = "certificate_bodies",
   CertificateSecret = "certificate_secrets",
   CertificateTemplate = "certificate_templates",
-  PkiSubscriber = "pki_subscribers",
   PkiAlert = "pki_alerts",
   PkiCollection = "pki_collections",
   PkiCollectionItem = "pki_collection_items",
@@ -81,10 +78,8 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
-  IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
-  IdentityLdapAuth = "identity_ldap_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -236,10 +231,8 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
-  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
-  JWT_AUTH = "jwt-auth",
-  LDAP_AUTH = "ldap-auth"
+  JWT_AUTH = "jwt-auth"
 }
 
 export enum ProjectType {

backend/src/db/schemas/organizations.ts

@@ -28,15 +28,7 @@ export const OrganizationsSchema = z.object({
   privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
   privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
   bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional(),
-  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
-  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
-  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
-  sshProductEnabled: z.boolean().default(true).nullable().optional(),
-  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
-  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional(),
-  maxSharedSecretLifetime: z.number().default(2592000).nullable().optional(),
-  maxSharedSecretViewLimit: z.number().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/pki-subscribers.ts

@@ -1,33 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const PkiSubscribersSchema = z.object({
-  id: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  projectId: z.string(),
-  caId: z.string().uuid().nullable().optional(),
-  name: z.string(),
-  commonName: z.string(),
-  subjectAlternativeNames: z.string().array(),
-  ttl: z.string().nullable().optional(),
-  keyUsages: z.string().array(),
-  extendedKeyUsages: z.string().array(),
-  status: z.string(),
-  enableAutoRenewal: z.boolean().default(false),
-  autoRenewalPeriodInDays: z.number().nullable().optional(),
-  lastAutoRenewAt: z.date().nullable().optional(),
-  lastOperationStatus: z.string().nullable().optional(),
-  lastOperationMessage: z.string().nullable().optional(),
-  lastOperationAt: z.date().nullable().optional()
-});
-
-export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;
-export type TPkiSubscribersInsert = Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>;
-export type TPkiSubscribersUpdate = Partial<Omit<z.input<typeof PkiSubscribersSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/projects.ts

@@ -27,8 +27,7 @@ export const ProjectsSchema = z.object({
   description: z.string().nullable().optional(),
   type: z.string(),
   enforceCapitalization: z.boolean().default(false),
-  hasDeleteProtection: z.boolean().default(false).nullable().optional(),
-  secretSharing: z.boolean().default(true)
+  hasDeleteProtection: z.boolean().default(false).nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-sharing.ts

@@ -27,8 +27,7 @@ export const SecretSharingSchema = z.object({
   password: z.string().nullable().optional(),
   encryptedSecret: zodBuffer.nullable().optional(),
   identifier: z.string().nullable().optional(),
-  type: z.string().default("share"),
-  authorizedEmails: z.unknown().nullable().optional()
+  type: z.string().default("share")
 });
 
 export type TSecretSharing = z.infer<typeof SecretSharingSchema>;

backend/src/db/schemas/ssh-host-login-user-mappings.ts

@@ -12,8 +12,7 @@ export const SshHostLoginUserMappingsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   sshHostLoginUserId: z.string().uuid(),
-  userId: z.string().uuid().nullable().optional(),
-  groupId: z.string().uuid().nullable().optional()
+  userId: z.string().uuid().nullable().optional()
 });
 
 export type TSshHostLoginUserMappings = z.infer<typeof SshHostLoginUserMappingsSchema>;

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 
 import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema, UsersSchema } from "@app/db/schemas";
 import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
-import { writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
@@ -19,9 +18,6 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
   server.route({
     url: "/",
     method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
     schema: {
       body: z.object({
         permissions: z.any().array(),
@@ -154,8 +150,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         requestId: z.string().trim()
       }),
       body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED]),
-        bypassReason: z.string().min(10).max(1000).optional()
+        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
       }),
       response: {
         200: z.object({
@@ -171,8 +166,7 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
         actorOrgId: req.permission.orgId,
         actorAuthMethod: req.permission.authMethod,
         requestId: req.params.requestId,
-        status: req.body.status,
-        bypassReason: req.body.bypassReason
+        status: req.body.status
       });
 
       return { review };

backend/src/ee/routes/v1/app-connection-routers/oci-connection-router.ts

@@ -1,123 +0,0 @@
-import z from "zod";
-
-import {
-  CreateOCIConnectionSchema,
-  SanitizedOCIConnectionSchema,
-  UpdateOCIConnectionSchema
-} from "@app/ee/services/app-connections/oci";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-import { registerAppConnectionEndpoints } from "../../../../server/routes/v1/app-connection-routers/app-connection-endpoints";
-
-export const registerOCIConnectionRouter = async (server: FastifyZodProvider) => {
-  registerAppConnectionEndpoints({
-    app: AppConnection.OCI,
-    server,
-    sanitizedResponseSchema: SanitizedOCIConnectionSchema,
-    createSchema: CreateOCIConnectionSchema,
-    updateSchema: UpdateOCIConnectionSchema
-  });
-
-  // The following endpoints are for internal Infisical App use only and not part of the public API
-  server.route({
-    method: "GET",
-    url: `/:connectionId/compartments`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      response: {
-        200: z
-          .object({
-            id: z.string(),
-            name: z.string()
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-
-      const compartments = await server.services.appConnection.oci.listCompartments(connectionId, req.permission);
-      return compartments;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/vaults`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        compartmentOcid: z.string().min(1, "Compartment OCID required")
-      }),
-      response: {
-        200: z
-          .object({
-            id: z.string(),
-            displayName: z.string()
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-      const { compartmentOcid } = req.query;
-
-      const vaults = await server.services.appConnection.oci.listVaults(
-        { connectionId, compartmentOcid },
-        req.permission
-      );
-      return vaults;
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: `/:connectionId/vault-keys`,
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      params: z.object({
-        connectionId: z.string().uuid()
-      }),
-      querystring: z.object({
-        compartmentOcid: z.string().min(1, "Compartment OCID required"),
-        vaultOcid: z.string().min(1, "Vault OCID required")
-      }),
-      response: {
-        200: z
-          .object({
-            id: z.string(),
-            displayName: z.string()
-          })
-          .array()
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { connectionId } = req.params;
-      const { compartmentOcid, vaultOcid } = req.query;
-
-      const keys = await server.services.appConnection.oci.listVaultKeys(
-        { connectionId, compartmentOcid, vaultOcid },
-        req.permission
-      );
-      return keys;
-    }
-  });
-};

backend/src/ee/routes/v1/gateway-router.ts

@@ -121,7 +121,14 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            })
+            }),
+            projects: z
+              .object({
+                name: z.string(),
+                id: z.string(),
+                slug: z.string()
+              })
+              .array()
           }).array()
         })
       }
@@ -151,15 +158,17 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
             identity: z.object({
               name: z.string(),
               id: z.string()
-            })
+            }),
+            projectGatewayId: z.string()
           }).array()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
     handler: async (req) => {
-      const gateways = await server.services.gateway.listGateways({
-        orgPermission: req.permission
+      const gateways = await server.services.gateway.getProjectGateways({
+        projectId: req.params.projectId,
+        projectPermission: req.permission
       });
       return { gateways };
     }
@@ -207,7 +216,8 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
         id: z.string()
       }),
       body: z.object({
-        name: slugSchema({ field: "name" }).optional()
+        name: slugSchema({ field: "name" }).optional(),
+        projectIds: z.string().array().optional()
       }),
       response: {
         200: z.object({
@@ -220,7 +230,8 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
       const gateway = await server.services.gateway.updateGatewayById({
         orgPermission: req.permission,
         id: req.params.id,
-        name: req.body.name
+        name: req.body.name,
+        projectIds: req.body.projectIds
       });
       return { gateway };
     }

backend/src/ee/routes/v1/ldap-router.ts

@@ -98,9 +98,6 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/login",
     method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
     schema: {
       body: z.object({
         organizationSlug: z.string().trim()

backend/src/ee/routes/v1/license-router.ts

@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
         200: z.object({ plan: z.any() })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
       const plan = await server.services.license.getOrgPlan({
         actorId: req.permission.id,

backend/src/ee/routes/v1/saml-router.ts

@@ -145,7 +145,7 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
             externalId: profile.nameID,
-            email: email.toLowerCase(),
+            email,
             firstName,
             lastName: lastName as string,
             relayState: (req.body as { RelayState?: string }).RelayState,
@@ -166,9 +166,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/redirect/saml2/organizations/:orgSlug",
     method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
     schema: {
       params: z.object({
         orgSlug: z.string().trim()
@@ -195,9 +192,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/redirect/saml2/:samlConfigId",
     method: "GET",
-    config: {
-      rateLimit: readLimit
-    },
     schema: {
       params: z.object({
         samlConfigId: z.string().trim()
@@ -224,9 +218,6 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/saml2/:samlConfigId",
     method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
     schema: {
       params: z.object({
         samlConfigId: z.string().trim()

backend/src/ee/routes/v1/scim-router.ts

@@ -196,9 +196,6 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   server.route({
     url: "/Users",
     method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
     schema: {
       body: z.object({
         schemas: z.array(z.string()),

backend/src/ee/routes/v1/secret-scanning-router.ts

@@ -1,11 +1,11 @@
 import { z } from "zod";
 
 import { GitAppOrgSchema, SecretScanningGitRisksSchema } from "@app/db/schemas";
-import { canUseSecretScanning } from "@app/ee/services/secret-scanning/secret-scanning-fns";
 import {
   SecretScanningResolvedStatus,
   SecretScanningRiskStatus
 } from "@app/ee/services/secret-scanning/secret-scanning-types";
+import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { OrderByDirection } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -23,14 +23,14 @@ export const registerSecretScanningRouter = async (server: FastifyZodProvider) =
       body: z.object({ organizationId: z.string().trim() }),
       response: {
         200: z.object({
-          sessionId: z.string(),
-          gitAppSlug: z.string()
+          sessionId: z.string()
         })
       }
     },
     onRequest: verifyAuth([AuthMode.JWT]),
     handler: async (req) => {
-      if (!canUseSecretScanning(req.auth.orgId)) {
+      const appCfg = getConfig();
+      if (!appCfg.SECRET_SCANNING_ORG_WHITELIST?.includes(req.auth.orgId)) {
         throw new BadRequestError({
           message: "Secret scanning is temporarily unavailable."
         });

backend/src/ee/routes/v1/secret-sync-routers/oci-vault-sync-router.ts

@@ -1,16 +0,0 @@
-import {
-  CreateOCIVaultSyncSchema,
-  OCIVaultSyncSchema,
-  UpdateOCIVaultSyncSchema
-} from "@app/ee/services/secret-sync/oci-vault";
-import { registerSyncSecretsEndpoints } from "@app/server/routes/v1/secret-sync-routers/secret-sync-endpoints";
-import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
-
-export const registerOCIVaultSyncRouter = async (server: FastifyZodProvider) =>
-  registerSyncSecretsEndpoints({
-    destination: SecretSync.OCIVault,
-    server,
-    responseSchema: OCIVaultSyncSchema,
-    createSchema: CreateOCIVaultSyncSchema,
-    updateSchema: UpdateOCIVaultSyncSchema
-  });

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -97,7 +97,7 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
         .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TTL must be greater than or equal to TTL",
+          message: "Max TLL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/routes/v1/ssh-host-router.ts

@@ -73,7 +73,7 @@ export const registerSshHostRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      const host = await server.services.sshHost.getSshHostById({
+      const host = await server.services.sshHost.getSshHost({
         sshHostId: req.params.sshHostId,
         actor: req.permission.type,
         actorId: req.permission.id,

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
@@ -98,7 +98,7 @@ export const accessApprovalPolicyServiceFactory = ({
     });
 
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Create,
+      ProjectPermissionActions.Create,
       ProjectPermissionSub.SecretApproval
     );
     const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
@@ -256,10 +256,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Edit,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
 
     const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
       const doc = await accessApprovalPolicyDAL.updateById(
@@ -344,7 +341,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
     ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Delete,
+      ProjectPermissionActions.Delete,
       ProjectPermissionSub.SecretApproval
     );
 
@@ -435,10 +432,7 @@ export const accessApprovalPolicyServiceFactory = ({
       actionProjectType: ActionProjectType.SecretManager
     });
 
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionSub.SecretApproval
-    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
 
     return policy;
   };

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -6,7 +6,6 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { EnforcementLevel } from "@app/lib/types";
 import { triggerWorkflowIntegrationNotification } from "@app/lib/workflow-integrations/trigger-notification";
 import { TriggerFeature } from "@app/lib/workflow-integrations/types";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -23,7 +22,6 @@ import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-poli
 import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
 import { TGroupDALFactory } from "../group/group-dal";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionApprovalActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
 import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
 import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
@@ -325,22 +323,26 @@ export const accessApprovalRequestServiceFactory = ({
     status,
     actorId,
     actorAuthMethod,
-    actorOrgId,
-    bypassReason
+    actorOrgId
   }: TReviewAccessRequestDTO) => {
     const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
     if (!accessApprovalRequest) {
       throw new NotFoundError({ message: `Secret approval request with ID '${requestId}' not found` });
     }
 
-    const { policy, environment } = accessApprovalRequest;
+    const { policy } = accessApprovalRequest;
     if (policy.deletedAt) {
       throw new BadRequestError({
         message: "The policy associated with this access request has been deleted."
       });
     }
+    if (!policy.allowedSelfApprovals && actorId === accessApprovalRequest.requestedByUserId) {
+      throw new BadRequestError({
+        message: "Failed to review access approval request. Users are not authorized to review their own request."
+      });
+    }
 
-    const { membership, hasRole, permission } = await permissionService.getProjectPermission({
+    const { membership, hasRole } = await permissionService.getProjectPermission({
       actor,
       actorId,
       projectId: accessApprovalRequest.projectId,
@@ -353,20 +355,6 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not a member of this project" });
     }
 
-    const isSelfApproval = actorId === accessApprovalRequest.requestedByUserId;
-    const isSoftEnforcement = policy.enforcementLevel === EnforcementLevel.Soft;
-    const canBypassApproval = permission.can(
-      ProjectPermissionApprovalActions.AllowAccessBypass,
-      ProjectPermissionSub.SecretApproval
-    );
-    const cannotBypassUnderSoftEnforcement = !(isSoftEnforcement && canBypassApproval);
-
-    if (!policy.allowedSelfApprovals && isSelfApproval && cannotBypassUnderSoftEnforcement) {
-      throw new BadRequestError({
-        message: "Failed to review access approval request. Users are not authorized to review their own request."
-      });
-    }
-
     if (
       !hasRole(ProjectMembershipRole.Admin) &&
       accessApprovalRequest.requestedByUserId !== actorId && // The request wasn't made by the current user
@@ -375,49 +363,21 @@ export const accessApprovalRequestServiceFactory = ({
       throw new ForbiddenRequestError({ message: "You are not authorized to approve this request" });
     }
 
-    const project = await projectDAL.findById(accessApprovalRequest.projectId);
-    if (!project) {
-      throw new NotFoundError({ message: "The project associated with this access request was not found." });
-    }
-
     const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
     if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
       throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
     }
 
     const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const isBreakGlassApprovalAttempt =
-        policy.enforcementLevel === EnforcementLevel.Soft &&
-        actorId === accessApprovalRequest.requestedByUserId &&
-        status === ApprovalStatus.APPROVED;
-
-      let reviewForThisActorProcessing: {
-        id: string;
-        requestId: string;
-        reviewerUserId: string;
-        status: string;
-        createdAt: Date;
-        updatedAt: Date;
-      };
-
-      const existingReviewByActorInTx = await accessApprovalRequestReviewerDAL.findOne(
+      const review = await accessApprovalRequestReviewerDAL.findOne(
         {
           requestId: accessApprovalRequest.id,
           reviewerUserId: actorId
         },
         tx
       );
-
-      // Check if review exists for actor
-      if (existingReviewByActorInTx) {
-        // Check if breakglass re-approval
-        if (isBreakGlassApprovalAttempt && existingReviewByActorInTx.status === ApprovalStatus.APPROVED) {
-          reviewForThisActorProcessing = existingReviewByActorInTx;
-        } else {
-          throw new BadRequestError({ message: "You have already reviewed this request" });
-        }
-      } else {
-        reviewForThisActorProcessing = await accessApprovalRequestReviewerDAL.create(
+      if (!review) {
+        const newReview = await accessApprovalRequestReviewerDAL.create(
           {
             status,
             requestId: accessApprovalRequest.id,
@@ -425,26 +385,19 @@ export const accessApprovalRequestServiceFactory = ({
           },
           tx
         );
-      }
 
-      const otherReviews = existingReviews.filter((er) => er.reviewerUserId !== actorId);
-      const allUniqueReviews = [...otherReviews, reviewForThisActorProcessing];
+        const allReviews = [...existingReviews, newReview];
 
-      const approvedReviews = allUniqueReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
-      const meetsStandardApprovalThreshold = approvedReviews.length >= policy.approvals;
+        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
 
-      if (
-        reviewForThisActorProcessing.status === ApprovalStatus.APPROVED &&
-        (meetsStandardApprovalThreshold || isBreakGlassApprovalAttempt)
-      ) {
-        const currentRequestState = await accessApprovalRequestDAL.findById(accessApprovalRequest.id, tx);
-        let privilegeIdToSet = currentRequestState?.privilegeId || null;
-
-        if (!privilegeIdToSet) {
+        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
+        if (approvedReviews.length === policy.approvals) {
           if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             throw new BadRequestError({ message: "Temporary range is required for temporary access" });
           }
 
+          let privilegeId: string | null = null;
+
           if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
             // Permanent access
             const privilege = await additionalPrivilegeDAL.create(
@@ -456,7 +409,7 @@ export const accessApprovalRequestServiceFactory = ({
               },
               tx
             );
-            privilegeIdToSet = privilege.id;
+            privilegeId = privilege.id;
           } else {
             // Temporary access
             const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
@@ -468,57 +421,23 @@ export const accessApprovalRequestServiceFactory = ({
                 projectId: accessApprovalRequest.projectId,
                 slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
                 permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true, // Explicitly set to true for the privilege
+                isTemporary: true,
                 temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
                 temporaryRange: accessApprovalRequest.temporaryRange!,
                 temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(startTime.getTime() + relativeTempAllocatedTimeInMs)
+                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
               },
               tx
             );
-            privilegeIdToSet = privilege.id;
+            privilegeId = privilege.id;
           }
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId: privilegeIdToSet }, tx);
+
+          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
         }
+
+        return newReview;
       }
-
-      // Send notification if this was a breakglass approval
-      if (isBreakGlassApprovalAttempt) {
-        const cfg = getConfig();
-        const actingUser = await userDAL.findById(actorId, tx);
-
-        if (actingUser) {
-          const policyApproverUserIds = policy.approvers
-            .map((ap) => ap.userId)
-            .filter((id): id is string => typeof id === "string");
-
-          if (policyApproverUserIds.length > 0) {
-            const approverUsersForEmail = await userDAL.find({ $in: { id: policyApproverUserIds } }, { tx });
-            const recipientEmails = approverUsersForEmail
-              .map((appUser) => appUser.email)
-              .filter((email): email is string => !!email);
-
-            if (recipientEmails.length > 0) {
-              await smtpService.sendMail({
-                recipients: recipientEmails,
-                subjectLine: "Infisical Secret Access Policy Bypassed",
-                substitutions: {
-                  projectName: project.name,
-                  requesterFullName: `${actingUser.firstName} ${actingUser.lastName}`,
-                  requesterEmail: actingUser.email,
-                  bypassReason: bypassReason || "No reason provided",
-                  secretPath: policy.secretPath || "/",
-                  environment,
-                  approvalUrl: `${cfg.SITE_URL}/secret-manager/${project.id}/approval`,
-                  requestType: "access"
-                },
-                template: SmtpTemplates.AccessSecretRequestBypassed
-              });
-            }
-          }
-        }
-      }
-      return reviewForThisActorProcessing;
+      throw new BadRequestError({ message: "You have already reviewed this request" });
     });
 
     return reviewStatus;

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -17,8 +17,6 @@ export type TGetAccessRequestCountDTO = {
 export type TReviewAccessRequestDTO = {
   requestId: string;
   status: ApprovalStatus;
-  envName?: string;
-  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TCreateAccessApprovalRequestDTO = {

backend/src/ee/services/app-connections/oci/index.ts

@@ -1,4 +0,0 @@
-export * from "./oci-connection-enums";
-export * from "./oci-connection-fns";
-export * from "./oci-connection-schemas";
-export * from "./oci-connection-types";

backend/src/ee/services/app-connections/oci/oci-connection-enums.ts

@@ -1,3 +0,0 @@
-export enum OCIConnectionMethod {
-  AccessKey = "access-key"
-}

backend/src/ee/services/app-connections/oci/oci-connection-fns.ts

@@ -1,139 +0,0 @@
-import { common, identity, keymanagement } from "oci-sdk";
-
-import { BadRequestError } from "@app/lib/errors";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-
-import { OCIConnectionMethod } from "./oci-connection-enums";
-import { TOCIConnection, TOCIConnectionConfig } from "./oci-connection-types";
-
-export const getOCIProvider = async (config: TOCIConnectionConfig) => {
-  const {
-    credentials: { fingerprint, privateKey, region, tenancyOcid, userOcid }
-  } = config;
-
-  const provider = new common.SimpleAuthenticationDetailsProvider(
-    tenancyOcid,
-    userOcid,
-    fingerprint,
-    privateKey,
-    null,
-    common.Region.fromRegionId(region)
-  );
-
-  return provider;
-};
-
-export const getOCIConnectionListItem = () => {
-  return {
-    name: "OCI" as const,
-    app: AppConnection.OCI as const,
-    methods: Object.values(OCIConnectionMethod) as [OCIConnectionMethod.AccessKey]
-  };
-};
-
-export const validateOCIConnectionCredentials = async (config: TOCIConnectionConfig) => {
-  const provider = await getOCIProvider(config);
-
-  try {
-    const identityClient = new identity.IdentityClient({
-      authenticationDetailsProvider: provider
-    });
-
-    // Get user details - a lightweight call that validates all credentials
-    await identityClient.getUser({ userId: config.credentials.userOcid });
-  } catch (error: unknown) {
-    if (error instanceof Error) {
-      throw new BadRequestError({
-        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
-      });
-    }
-    throw new BadRequestError({
-      message: "Unable to validate connection: verify credentials"
-    });
-  }
-
-  return config.credentials;
-};
-
-export const listOCICompartments = async (appConnection: TOCIConnection) => {
-  const provider = await getOCIProvider(appConnection);
-
-  const identityClient = new identity.IdentityClient({ authenticationDetailsProvider: provider });
-  const keyManagementClient = new keymanagement.KmsVaultClient({
-    authenticationDetailsProvider: provider
-  });
-
-  const rootCompartment = await identityClient
-    .getTenancy({
-      tenancyId: appConnection.credentials.tenancyOcid
-    })
-    .then((response) => ({
-      ...response.tenancy,
-      id: appConnection.credentials.tenancyOcid,
-      name: response.tenancy.name ? `${response.tenancy.name} (root)` : "root"
-    }));
-
-  const compartments = await identityClient.listCompartments({
-    compartmentId: appConnection.credentials.tenancyOcid,
-    compartmentIdInSubtree: true,
-    accessLevel: identity.requests.ListCompartmentsRequest.AccessLevel.Any,
-    lifecycleState: identity.models.Compartment.LifecycleState.Active
-  });
-
-  const allCompartments = [rootCompartment, ...compartments.items];
-  const filteredCompartments = [];
-
-  for await (const compartment of allCompartments) {
-    try {
-      // Check if user can list vaults in this compartment
-      await keyManagementClient.listVaults({
-        compartmentId: compartment.id,
-        limit: 1
-      });
-
-      filteredCompartments.push(compartment);
-    } catch (error) {
-      // Do nothing
-    }
-  }
-
-  return filteredCompartments;
-};
-
-export const listOCIVaults = async (appConnection: TOCIConnection, compartmentOcid: string) => {
-  const provider = await getOCIProvider(appConnection);
-
-  const keyManagementClient = new keymanagement.KmsVaultClient({
-    authenticationDetailsProvider: provider
-  });
-
-  const vaults = await keyManagementClient.listVaults({
-    compartmentId: compartmentOcid
-  });
-
-  return vaults.items.filter((v) => v.lifecycleState === keymanagement.models.Vault.LifecycleState.Active);
-};
-
-export const listOCIVaultKeys = async (appConnection: TOCIConnection, compartmentOcid: string, vaultOcid: string) => {
-  const provider = await getOCIProvider(appConnection);
-
-  const kmsVaultClient = new keymanagement.KmsVaultClient({
-    authenticationDetailsProvider: provider
-  });
-
-  const vault = await kmsVaultClient.getVault({
-    vaultId: vaultOcid
-  });
-
-  const keyManagementClient = new keymanagement.KmsManagementClient({
-    authenticationDetailsProvider: provider
-  });
-
-  keyManagementClient.endpoint = vault.vault.managementEndpoint;
-
-  const keys = await keyManagementClient.listKeys({
-    compartmentId: compartmentOcid
-  });
-
-  return keys.items.filter((v) => v.lifecycleState === keymanagement.models.KeySummary.LifecycleState.Enabled);
-};

backend/src/ee/services/app-connections/oci/oci-connection-schemas.ts

@@ -1,65 +0,0 @@
-import z from "zod";
-
-import { AppConnections } from "@app/lib/api-docs";
-import { AppConnection } from "@app/services/app-connection/app-connection-enums";
-import {
-  BaseAppConnectionSchema,
-  GenericCreateAppConnectionFieldsSchema,
-  GenericUpdateAppConnectionFieldsSchema
-} from "@app/services/app-connection/app-connection-schemas";
-
-import { OCIConnectionMethod } from "./oci-connection-enums";
-
-export const OCIConnectionAccessTokenCredentialsSchema = z.object({
-  userOcid: z.string().trim().min(1, "User OCID required").describe(AppConnections.CREDENTIALS.OCI.userOcid),
-  tenancyOcid: z.string().trim().min(1, "Tenancy OCID required").describe(AppConnections.CREDENTIALS.OCI.tenancyOcid),
-  region: z.string().trim().min(1, "Region required").describe(AppConnections.CREDENTIALS.OCI.region),
-  fingerprint: z.string().trim().min(1, "Fingerprint required").describe(AppConnections.CREDENTIALS.OCI.fingerprint),
-  privateKey: z.string().trim().min(1, "Private Key required").describe(AppConnections.CREDENTIALS.OCI.privateKey)
-});
-
-const BaseOCIConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.OCI) });
-
-export const OCIConnectionSchema = BaseOCIConnectionSchema.extend({
-  method: z.literal(OCIConnectionMethod.AccessKey),
-  credentials: OCIConnectionAccessTokenCredentialsSchema
-});
-
-export const SanitizedOCIConnectionSchema = z.discriminatedUnion("method", [
-  BaseOCIConnectionSchema.extend({
-    method: z.literal(OCIConnectionMethod.AccessKey),
-    credentials: OCIConnectionAccessTokenCredentialsSchema.pick({
-      userOcid: true,
-      tenancyOcid: true,
-      region: true,
-      fingerprint: true
-    })
-  })
-]);
-
-export const ValidateOCIConnectionCredentialsSchema = z.discriminatedUnion("method", [
-  z.object({
-    method: z.literal(OCIConnectionMethod.AccessKey).describe(AppConnections.CREATE(AppConnection.OCI).method),
-    credentials: OCIConnectionAccessTokenCredentialsSchema.describe(
-      AppConnections.CREATE(AppConnection.OCI).credentials
-    )
-  })
-]);
-
-export const CreateOCIConnectionSchema = ValidateOCIConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.OCI)
-);
-
-export const UpdateOCIConnectionSchema = z
-  .object({
-    credentials: OCIConnectionAccessTokenCredentialsSchema.optional().describe(
-      AppConnections.UPDATE(AppConnection.OCI).credentials
-    )
-  })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OCI));
-
-export const OCIConnectionListItemSchema = z.object({
-  name: z.literal("OCI"),
-  app: z.literal(AppConnection.OCI),
-  methods: z.nativeEnum(OCIConnectionMethod).array()
-});

backend/src/ee/services/app-connections/oci/oci-connection-service.ts

@@ -1,91 +0,0 @@
-import { BadRequestError } from "@app/lib/errors";
-import { logger } from "@app/lib/logger";
-import { OrgServiceActor } from "@app/lib/types";
-
-import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
-import { TLicenseServiceFactory } from "../../license/license-service";
-import { listOCICompartments, listOCIVaultKeys, listOCIVaults } from "./oci-connection-fns";
-import { TOCIConnection } from "./oci-connection-types";
-
-type TGetAppConnectionFunc = (
-  app: AppConnection,
-  connectionId: string,
-  actor: OrgServiceActor
-) => Promise<TOCIConnection>;
-
-type TListOCIVaultsDTO = {
-  connectionId: string;
-  compartmentOcid: string;
-};
-
-type TListOCIVaultKeysDTO = {
-  connectionId: string;
-  compartmentOcid: string;
-  vaultOcid: string;
-};
-
-// Enterprise check
-export const checkPlan = async (licenseService: Pick<TLicenseServiceFactory, "getPlan">, orgId: string) => {
-  const plan = await licenseService.getPlan(orgId);
-  if (!plan.enterpriseAppConnections)
-    throw new BadRequestError({
-      message:
-        "Failed to use app connection due to plan restriction. Upgrade plan to access enterprise app connections."
-    });
-};
-
-export const ociConnectionService = (
-  getAppConnection: TGetAppConnectionFunc,
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">
-) => {
-  const listCompartments = async (connectionId: string, actor: OrgServiceActor) => {
-    await checkPlan(licenseService, actor.orgId);
-
-    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
-
-    try {
-      const compartments = await listOCICompartments(appConnection);
-      return compartments;
-    } catch (error) {
-      logger.error(error, "Failed to establish connection with OCI");
-      return [];
-    }
-  };
-
-  const listVaults = async ({ connectionId, compartmentOcid }: TListOCIVaultsDTO, actor: OrgServiceActor) => {
-    await checkPlan(licenseService, actor.orgId);
-
-    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
-
-    try {
-      const vaults = await listOCIVaults(appConnection, compartmentOcid);
-      return vaults;
-    } catch (error) {
-      logger.error(error, "Failed to establish connection with OCI");
-      return [];
-    }
-  };
-
-  const listVaultKeys = async (
-    { connectionId, compartmentOcid, vaultOcid }: TListOCIVaultKeysDTO,
-    actor: OrgServiceActor
-  ) => {
-    await checkPlan(licenseService, actor.orgId);
-
-    const appConnection = await getAppConnection(AppConnection.OCI, connectionId, actor);
-
-    try {
-      const keys = await listOCIVaultKeys(appConnection, compartmentOcid, vaultOcid);
-      return keys;
-    } catch (error) {
-      logger.error(error, "Failed to establish connection with OCI");
-      return [];
-    }
-  };
-
-  return {
-    listCompartments,
-    listVaults,
-    listVaultKeys
-  };
-};

backend/src/ee/services/app-connections/oci/oci-connection-types.ts

@@ -1,22 +0,0 @@
-import z from "zod";
-
-import { DiscriminativePick } from "@app/lib/types";
-
-import { AppConnection } from "../../../../services/app-connection/app-connection-enums";
-import {
-  CreateOCIConnectionSchema,
-  OCIConnectionSchema,
-  ValidateOCIConnectionCredentialsSchema
-} from "./oci-connection-schemas";
-
-export type TOCIConnection = z.infer<typeof OCIConnectionSchema>;
-
-export type TOCIConnectionInput = z.infer<typeof CreateOCIConnectionSchema> & {
-  app: AppConnection.OCI;
-};
-
-export type TValidateOCIConnectionCredentialsSchema = typeof ValidateOCIConnectionCredentialsSchema;
-
-export type TOCIConnectionConfig = DiscriminativePick<TOCIConnectionInput, "method" | "app" | "credentials"> & {
-  orgId: string;
-};

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -1,4 +1,3 @@
-import { ProjectType } from "@app/db/schemas";
 import {
   TCreateProjectTemplateDTO,
   TUpdateProjectTemplateDTO
@@ -20,10 +19,9 @@ import { TProjectPermission } from "@app/lib/types";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 import { TCreateAppConnectionDTO, TUpdateAppConnectionDTO } from "@app/services/app-connection/app-connection-types";
 import { ActorType } from "@app/services/auth/auth-type";
-import { CertExtendedKeyUsage, CertKeyAlgorithm, CertKeyUsage } from "@app/services/certificate/certificate-types";
-import { CaStatus } from "@app/services/certificate-authority/certificate-authority-enums";
+import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
+import { CaStatus } from "@app/services/certificate-authority/certificate-authority-types";
 import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
 import { PkiItemType } from "@app/services/pki-collection/pki-collection-types";
 import { SecretSync, SecretSyncImportBehavior } from "@app/services/secret-sync/secret-sync-enums";
 import {
@@ -121,66 +119,44 @@ export enum EventType {
   CREATE_TOKEN_IDENTITY_TOKEN_AUTH = "create-token-identity-token-auth",
   UPDATE_TOKEN_IDENTITY_TOKEN_AUTH = "update-token-identity-token-auth",
   GET_TOKENS_IDENTITY_TOKEN_AUTH = "get-tokens-identity-token-auth",
-
   ADD_IDENTITY_TOKEN_AUTH = "add-identity-token-auth",
   UPDATE_IDENTITY_TOKEN_AUTH = "update-identity-token-auth",
   GET_IDENTITY_TOKEN_AUTH = "get-identity-token-auth",
   REVOKE_IDENTITY_TOKEN_AUTH = "revoke-identity-token-auth",
-
   LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
   ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
   UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
   GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
-
   LOGIN_IDENTITY_OIDC_AUTH = "login-identity-oidc-auth",
   ADD_IDENTITY_OIDC_AUTH = "add-identity-oidc-auth",
   UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
   GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
   REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
-
   LOGIN_IDENTITY_JWT_AUTH = "login-identity-jwt-auth",
   ADD_IDENTITY_JWT_AUTH = "add-identity-jwt-auth",
   UPDATE_IDENTITY_JWT_AUTH = "update-identity-jwt-auth",
   GET_IDENTITY_JWT_AUTH = "get-identity-jwt-auth",
   REVOKE_IDENTITY_JWT_AUTH = "revoke-identity-jwt-auth",
-
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
-
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
-
   LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
   ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
   UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
   REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
   GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
-
   LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
   ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
   UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
   REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
-
-  LOGIN_IDENTITY_OCI_AUTH = "login-identity-oci-auth",
-  ADD_IDENTITY_OCI_AUTH = "add-identity-oci-auth",
-  UPDATE_IDENTITY_OCI_AUTH = "update-identity-oci-auth",
-  REVOKE_IDENTITY_OCI_AUTH = "revoke-identity-oci-auth",
-  GET_IDENTITY_OCI_AUTH = "get-identity-oci-auth",
-
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
   GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
   REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
-
-  LOGIN_IDENTITY_LDAP_AUTH = "login-identity-ldap-auth",
-  ADD_IDENTITY_LDAP_AUTH = "add-identity-ldap-auth",
-  UPDATE_IDENTITY_LDAP_AUTH = "update-identity-ldap-auth",
-  GET_IDENTITY_LDAP_AUTH = "get-identity-ldap-auth",
-  REVOKE_IDENTITY_LDAP_AUTH = "revoke-identity-ldap-auth",
-
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -232,7 +208,6 @@ export enum EventType {
   REMOVE_HOST_FROM_SSH_HOST_GROUP = "remove-host-from-ssh-host-group",
   CREATE_CA = "create-certificate-authority",
   GET_CA = "get-certificate-authority",
-  GET_CAS = "get-certificate-authorities",
   UPDATE_CA = "update-certificate-authority",
   DELETE_CA = "delete-certificate-authority",
   RENEW_CA = "renew-certificate-authority",
@@ -243,7 +218,6 @@ export enum EventType {
   IMPORT_CA_CERT = "import-certificate-authority-cert",
   GET_CA_CRLS = "get-certificate-authority-crls",
   ISSUE_CERT = "issue-cert",
-  IMPORT_CERT = "import-cert",
   SIGN_CERT = "sign-cert",
   GET_CA_CERTIFICATE_TEMPLATES = "get-ca-certificate-templates",
   GET_CERT = "get-cert",
@@ -263,15 +237,6 @@ export enum EventType {
   GET_PKI_COLLECTION_ITEMS = "get-pki-collection-items",
   ADD_PKI_COLLECTION_ITEM = "add-pki-collection-item",
   DELETE_PKI_COLLECTION_ITEM = "delete-pki-collection-item",
-  CREATE_PKI_SUBSCRIBER = "create-pki-subscriber",
-  UPDATE_PKI_SUBSCRIBER = "update-pki-subscriber",
-  DELETE_PKI_SUBSCRIBER = "delete-pki-subscriber",
-  GET_PKI_SUBSCRIBER = "get-pki-subscriber",
-  ISSUE_PKI_SUBSCRIBER_CERT = "issue-pki-subscriber-cert",
-  SIGN_PKI_SUBSCRIBER_CERT = "sign-pki-subscriber-cert",
-  AUTOMATED_RENEW_SUBSCRIBER_CERT = "automated-renew-subscriber-cert",
-  LIST_PKI_SUBSCRIBER_CERTS = "list-pki-subscriber-certs",
-  GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE = "get-subscriber-active-cert-bundle",
   CREATE_KMS = "create-kms",
   UPDATE_KMS = "update-kms",
   DELETE_KMS = "delete-kms",
@@ -320,6 +285,7 @@ export enum EventType {
   CREATE_PROJECT_TEMPLATE = "create-project-template",
   UPDATE_PROJECT_TEMPLATE = "update-project-template",
   DELETE_PROJECT_TEMPLATE = "delete-project-template",
+  APPLY_PROJECT_TEMPLATE = "apply-project-template",
   GET_APP_CONNECTIONS = "get-app-connections",
   GET_AVAILABLE_APP_CONNECTIONS_DETAILS = "get-available-app-connections-details",
   GET_APP_CONNECTION = "get-app-connection",
@@ -379,13 +345,7 @@ export enum EventType {
   MICROSOFT_TEAMS_WORKFLOW_INTEGRATION_LIST = "microsoft-teams-workflow-integration-list",
 
   PROJECT_ASSUME_PRIVILEGE_SESSION_START = "project-assume-privileges-session-start",
-  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end",
-
-  UPDATE_ORG = "update-org",
-
-  CREATE_PROJECT = "create-project",
-  UPDATE_PROJECT = "update-project",
-  DELETE_PROJECT = "delete-project"
+  PROJECT_ASSUME_PRIVILEGE_SESSION_END = "project-assume-privileges-session-end"
 }
 
 export const filterableSecretEvents: EventType[] = [
@@ -1025,55 +985,6 @@ interface GetIdentityAwsAuthEvent {
   };
 }
 
-interface LoginIdentityOciAuthEvent {
-  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
-  metadata: {
-    identityId: string;
-    identityOciAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityOciAuthEvent {
-  type: EventType.ADD_IDENTITY_OCI_AUTH;
-  metadata: {
-    identityId: string;
-    tenancyOcid: string;
-    allowedUsernames: string | null;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface DeleteIdentityOciAuthEvent {
-  type: EventType.REVOKE_IDENTITY_OCI_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface UpdateIdentityOciAuthEvent {
-  type: EventType.UPDATE_IDENTITY_OCI_AUTH;
-  metadata: {
-    identityId: string;
-    tenancyOcid?: string;
-    allowedUsernames: string | null;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityOciAuthEvent {
-  type: EventType.GET_IDENTITY_OCI_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface LoginIdentityAzureAuthEvent {
   type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -1123,55 +1034,6 @@ interface GetIdentityAzureAuthEvent {
   };
 }
 
-interface LoginIdentityLdapAuthEvent {
-  type: EventType.LOGIN_IDENTITY_LDAP_AUTH;
-  metadata: {
-    identityId: string;
-    ldapUsername: string;
-    ldapEmail?: string;
-  };
-}
-
-interface AddIdentityLdapAuthEvent {
-  type: EventType.ADD_IDENTITY_LDAP_AUTH;
-  metadata: {
-    identityId: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-    allowedFields?: TAllowedFields[];
-    url: string;
-  };
-}
-
-interface UpdateIdentityLdapAuthEvent {
-  type: EventType.UPDATE_IDENTITY_LDAP_AUTH;
-  metadata: {
-    identityId: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-    allowedFields?: TAllowedFields[];
-    url?: string;
-  };
-}
-
-interface GetIdentityLdapAuthEvent {
-  type: EventType.GET_IDENTITY_LDAP_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface RevokeIdentityLdapAuthEvent {
-  type: EventType.REVOKE_IDENTITY_LDAP_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface LoginIdentityOidcAuthEvent {
   type: EventType.LOGIN_IDENTITY_OIDC_AUTH;
   metadata: {
@@ -1782,8 +1644,7 @@ interface CreateCa {
   type: EventType.CREATE_CA;
   metadata: {
     caId: string;
-    name: string;
-    dn?: string;
+    dn: string;
   };
 }
 
@@ -1791,15 +1652,7 @@ interface GetCa {
   type: EventType.GET_CA;
   metadata: {
     caId: string;
-    name: string;
-    dn?: string;
-  };
-}
-
-interface GetCAs {
-  type: EventType.GET_CAS;
-  metadata: {
-    caIds: string[];
+    dn: string;
   };
 }
 
@@ -1807,8 +1660,7 @@ interface UpdateCa {
   type: EventType.UPDATE_CA;
   metadata: {
     caId: string;
-    name: string;
-    dn?: string;
+    dn: string;
     status: CaStatus;
   };
 }
@@ -1817,8 +1669,7 @@ interface DeleteCa {
   type: EventType.DELETE_CA;
   metadata: {
     caId: string;
-    name: string;
-    dn?: string;
+    dn: string;
   };
 }
 
@@ -1888,15 +1739,6 @@ interface IssueCert {
   };
 }
 
-interface ImportCert {
-  type: EventType.IMPORT_CERT;
-  metadata: {
-    certId: string;
-    cn: string;
-    serialNumber: string;
-  };
-}
-
 interface SignCert {
   type: EventType.SIGN_CERT;
   metadata: {
@@ -2057,95 +1899,6 @@ interface DeletePkiCollectionItem {
   };
 }
 
-interface CreatePkiSubscriber {
-  type: EventType.CREATE_PKI_SUBSCRIBER;
-  metadata: {
-    pkiSubscriberId: string;
-    caId?: string;
-    name: string;
-    commonName: string;
-    ttl?: string;
-    subjectAlternativeNames: string[];
-    keyUsages: CertKeyUsage[];
-    extendedKeyUsages: CertExtendedKeyUsage[];
-  };
-}
-
-interface UpdatePkiSubscriber {
-  type: EventType.UPDATE_PKI_SUBSCRIBER;
-  metadata: {
-    pkiSubscriberId: string;
-    caId?: string;
-    name?: string;
-    commonName?: string;
-    ttl?: string;
-    subjectAlternativeNames?: string[];
-    keyUsages?: CertKeyUsage[];
-    extendedKeyUsages?: CertExtendedKeyUsage[];
-  };
-}
-
-interface DeletePkiSubscriber {
-  type: EventType.DELETE_PKI_SUBSCRIBER;
-  metadata: {
-    pkiSubscriberId: string;
-    name: string;
-  };
-}
-
-interface GetPkiSubscriber {
-  type: EventType.GET_PKI_SUBSCRIBER;
-  metadata: {
-    pkiSubscriberId: string;
-    name: string;
-  };
-}
-
-interface IssuePkiSubscriberCert {
-  type: EventType.ISSUE_PKI_SUBSCRIBER_CERT;
-  metadata: {
-    subscriberId: string;
-    name: string;
-    serialNumber?: string;
-  };
-}
-
-interface AutomatedRenewPkiSubscriberCert {
-  type: EventType.AUTOMATED_RENEW_SUBSCRIBER_CERT;
-  metadata: {
-    subscriberId: string;
-    name: string;
-  };
-}
-
-interface SignPkiSubscriberCert {
-  type: EventType.SIGN_PKI_SUBSCRIBER_CERT;
-  metadata: {
-    subscriberId: string;
-    name: string;
-    serialNumber: string;
-  };
-}
-
-interface ListPkiSubscriberCerts {
-  type: EventType.LIST_PKI_SUBSCRIBER_CERTS;
-  metadata: {
-    subscriberId: string;
-    name: string;
-    projectId: string;
-  };
-}
-
-interface GetSubscriberActiveCertBundle {
-  type: EventType.GET_SUBSCRIBER_ACTIVE_CERT_BUNDLE;
-  metadata: {
-    subscriberId: string;
-    name: string;
-    certId: string;
-    serialNumber: string;
-  };
-}
-
 interface CreateKmsEvent {
   type: EventType.CREATE_KMS;
   metadata: {
@@ -2499,6 +2252,14 @@ interface DeleteProjectTemplateEvent {
   };
 }
 
+interface ApplyProjectTemplateEvent {
+  type: EventType.APPLY_PROJECT_TEMPLATE;
+  metadata: {
+    template: string;
+    projectId: string;
+  };
+}
+
 interface GetAppConnectionsEvent {
   type: EventType.GET_APP_CONNECTIONS;
   metadata: {
@@ -2953,59 +2714,6 @@ interface MicrosoftTeamsWorkflowIntegrationUpdateEvent {
   };
 }
 
-interface OrgUpdateEvent {
-  type: EventType.UPDATE_ORG;
-  metadata: {
-    name?: string;
-    slug?: string;
-    authEnforced?: boolean;
-    scimEnabled?: boolean;
-    defaultMembershipRoleSlug?: string;
-    enforceMfa?: boolean;
-    selectedMfaMethod?: string;
-    allowSecretSharingOutsideOrganization?: boolean;
-    bypassOrgAuthEnabled?: boolean;
-    userTokenExpiration?: string;
-    secretsProductEnabled?: boolean;
-    pkiProductEnabled?: boolean;
-    kmsProductEnabled?: boolean;
-    sshProductEnabled?: boolean;
-    scannerProductEnabled?: boolean;
-    shareSecretsProductEnabled?: boolean;
-  };
-}
-
-interface ProjectCreateEvent {
-  type: EventType.CREATE_PROJECT;
-  metadata: {
-    name: string;
-    slug?: string;
-    type: ProjectType;
-  };
-}
-
-interface ProjectUpdateEvent {
-  type: EventType.UPDATE_PROJECT;
-  metadata: {
-    name?: string;
-    description?: string;
-    autoCapitalization?: boolean;
-    hasDeleteProtection?: boolean;
-    slug?: string;
-    secretSharing?: boolean;
-    pitVersionLimit?: number;
-    auditLogsRetentionDays?: number;
-  };
-}
-
-interface ProjectDeleteEvent {
-  type: EventType.DELETE_PROJECT;
-  metadata: {
-    id: string;
-    name: string;
-  };
-}
-
 export type Event =
   | GetSecretsEvent
   | GetSecretEvent
@@ -3062,11 +2770,6 @@ export type Event =
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
   | DeleteIdentityAwsAuthEvent
-  | LoginIdentityOciAuthEvent
-  | AddIdentityOciAuthEvent
-  | UpdateIdentityOciAuthEvent
-  | GetIdentityOciAuthEvent
-  | DeleteIdentityOciAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
   | DeleteIdentityAzureAuthEvent
@@ -3082,11 +2785,6 @@ export type Event =
   | UpdateIdentityJwtAuthEvent
   | GetIdentityJwtAuthEvent
   | DeleteIdentityJwtAuthEvent
-  | LoginIdentityLdapAuthEvent
-  | AddIdentityLdapAuthEvent
-  | UpdateIdentityLdapAuthEvent
-  | GetIdentityLdapAuthEvent
-  | RevokeIdentityLdapAuthEvent
   | CreateEnvironmentEvent
   | GetEnvironmentEvent
   | UpdateEnvironmentEvent
@@ -3130,7 +2828,6 @@ export type Event =
   | IssueSshHostHostCert
   | CreateCa
   | GetCa
-  | GetCAs
   | UpdateCa
   | DeleteCa
   | RenewCa
@@ -3141,7 +2838,6 @@ export type Event =
   | ImportCaCert
   | GetCaCrls
   | IssueCert
-  | ImportCert
   | SignCert
   | GetCaCertificateTemplates
   | GetCert
@@ -3161,15 +2857,6 @@ export type Event =
   | GetPkiCollectionItems
   | AddPkiCollectionItem
   | DeletePkiCollectionItem
-  | CreatePkiSubscriber
-  | UpdatePkiSubscriber
-  | DeletePkiSubscriber
-  | GetPkiSubscriber
-  | IssuePkiSubscriberCert
-  | SignPkiSubscriberCert
-  | AutomatedRenewPkiSubscriberCert
-  | ListPkiSubscriberCerts
-  | GetSubscriberActiveCertBundle
   | CreateKmsEvent
   | UpdateKmsEvent
   | DeleteKmsEvent
@@ -3214,6 +2901,7 @@ export type Event =
   | CreateProjectTemplateEvent
   | UpdateProjectTemplateEvent
   | DeleteProjectTemplateEvent
+  | ApplyProjectTemplateEvent
   | GetAppConnectionsEvent
   | GetAvailableAppConnectionsDetailsEvent
   | GetAppConnectionEvent
@@ -3275,8 +2963,4 @@ export type Event =
   | MicrosoftTeamsWorkflowIntegrationGetTeamsEvent
   | MicrosoftTeamsWorkflowIntegrationGetEvent
   | MicrosoftTeamsWorkflowIntegrationListEvent
-  | MicrosoftTeamsWorkflowIntegrationUpdateEvent
-  | OrgUpdateEvent
-  | ProjectCreateEvent
-  | ProjectUpdateEvent
-  | ProjectDeleteEvent;
+  | MicrosoftTeamsWorkflowIntegrationUpdateEvent;

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -7,7 +7,6 @@ import { TPermissionServiceFactory } from "@app/ee/services/permission/permissio
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { NotFoundError } from "@app/lib/errors";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
-import { expandInternalCa } from "@app/services/certificate-authority/certificate-authority-fns";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
@@ -15,7 +14,7 @@ import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns
 import { TGetCaCrlsDTO, TGetCrlById } from "./certificate-authority-crl-types";
 
 type TCertificateAuthorityCrlServiceFactoryDep = {
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -38,8 +37,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     const caCrl = await certificateAuthorityCrlDAL.findById(crlId);
     if (!caCrl) throw new NotFoundError({ message: `CRL with ID '${crlId}' not found` });
 
-    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caCrl.caId);
-    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caCrl.caId}' not found` });
+    const ca = await certificateAuthorityDAL.findById(caCrl.caId);
 
     const keyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
@@ -56,7 +54,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     const crl = new x509.X509Crl(decryptedCrl);
 
     return {
-      ca: expandInternalCa(ca),
+      ca,
       caCrl,
       crl: crl.rawData
     };
@@ -66,8 +64,8 @@ export const certificateAuthorityCrlServiceFactory = ({
    * Returns a list of CRL ids for CA with id [caId]
    */
   const getCaCrls = async ({ caId, actorId, actorAuthMethod, actor, actorOrgId }: TGetCaCrlsDTO) => {
-    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(caId);
-    if (!ca?.internalCa?.id) throw new NotFoundError({ message: `Internal CA with ID '${caId}' not found` });
+    const ca = await certificateAuthorityDAL.findById(caId);
+    if (!ca) throw new NotFoundError({ message: `CA with ID '${caId}' not found` });
 
     const { permission } = await permissionService.getProjectPermission({
       actor,
@@ -110,7 +108,7 @@ export const certificateAuthorityCrlServiceFactory = ({
     );
 
     return {
-      ca: expandInternalCa(ca),
+      ca,
       crls: decryptedCrls
     };
   };

backend/src/ee/services/certificate-est/certificate-est-service.ts

@@ -6,7 +6,7 @@ import { isCertChainValid } from "@app/services/certificate/certificate-fns";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
 import { getCaCertChain, getCaCertChains } from "@app/services/certificate-authority/certificate-authority-fns";
-import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
+import { TCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/certificate-authority-service";
 import { TCertificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
 import { TCertificateTemplateServiceFactory } from "@app/services/certificate-template/certificate-template-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -16,10 +16,10 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { convertRawCertsToPkcs7 } from "./certificate-est-fns";
 
 type TCertificateEstServiceFactoryDep = {
-  internalCertificateAuthorityService: Pick<TInternalCertificateAuthorityServiceFactory, "signCertFromCa">;
+  certificateAuthorityService: Pick<TCertificateAuthorityServiceFactory, "signCertFromCa">;
   certificateTemplateService: Pick<TCertificateTemplateServiceFactory, "getEstConfiguration">;
   certificateTemplateDAL: Pick<TCertificateTemplateDALFactory, "findById">;
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById" | "findByIdWithAssociatedCa">;
+  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "find" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
@@ -29,7 +29,7 @@ type TCertificateEstServiceFactoryDep = {
 export type TCertificateEstServiceFactory = ReturnType<typeof certificateEstServiceFactory>;
 
 export const certificateEstServiceFactory = ({
-  internalCertificateAuthorityService,
+  certificateAuthorityService,
   certificateTemplateService,
   certificateTemplateDAL,
   certificateAuthorityCertDAL,
@@ -127,7 +127,7 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
+    const { certificate } = await certificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -188,7 +188,7 @@ export const certificateEstServiceFactory = ({
       }
     }
 
-    const { certificate } = await internalCertificateAuthorityService.signCertFromCa({
+    const { certificate } = await certificateAuthorityService.signCertFromCa({
       isInternal: true,
       certificateTemplateId,
       csr
@@ -227,15 +227,15 @@ export const certificateEstServiceFactory = ({
       });
     }
 
-    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certTemplate.caId);
-    if (!ca?.internalCa?.id) {
+    const ca = await certificateAuthorityDAL.findById(certTemplate.caId);
+    if (!ca) {
       throw new NotFoundError({
-        message: `Internal Certificate Authority with ID '${certTemplate.caId}' not found`
+        message: `Certificate Authority with ID '${certTemplate.caId}' not found`
       });
     }
 
     const { caCert, caCertChain } = await getCaCertChain({
-      caCertId: ca.internalCa.activeCaCertId as string,
+      caCertId: ca.activeCaCertId as string,
       certificateAuthorityDAL,
       certificateAuthorityCertDAL,
       projectDAL,

backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts

@@ -17,8 +17,7 @@ import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-fold
 
 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TGatewayDALFactory } from "../gateway/gateway-dal";
-import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TProjectGatewayDALFactory } from "../gateway/project-gateway-dal";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
 import {
   DynamicSecretStatus,
@@ -45,9 +44,9 @@ type TDynamicSecretServiceFactoryDep = {
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  gatewayDAL: Pick<TGatewayDALFactory, "findOne" | "find">;
+  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
   resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };
 
@@ -63,7 +62,7 @@ export const dynamicSecretServiceFactory = ({
   dynamicSecretQueueService,
   projectDAL,
   kmsService,
-  gatewayDAL,
+  projectGatewayDAL,
   resourceMetadataDAL
 }: TDynamicSecretServiceFactoryDep) => {
   const create = async ({
@@ -118,31 +117,15 @@ export const dynamicSecretServiceFactory = ({
     const inputs = await selectedProvider.validateProviderInputs(provider.inputs);
 
     let selectedGatewayId: string | null = null;
-    if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
-      const gatewayId = inputs.gatewayId as string;
+    if (inputs && typeof inputs === "object" && "projectGatewayId" in inputs && inputs.projectGatewayId) {
+      const projectGatewayId = inputs.projectGatewayId as string;
 
-      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
-
-      if (!gateway) {
+      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
+      if (!projectGateway)
         throw new NotFoundError({
-          message: `Gateway with ID ${gatewayId} not found`
+          message: `Project gateway with ${projectGatewayId} not found`
         });
-      }
-
-      const { permission: orgPermission } = await permissionService.getOrgPermission(
-        actor,
-        actorId,
-        gateway.orgId,
-        actorAuthMethod,
-        actorOrgId
-      );
-
-      ForbiddenError.from(orgPermission).throwUnlessCan(
-        OrgPermissionGatewayActions.AttachGateways,
-        OrgPermissionSubjects.Gateway
-      );
-
-      selectedGatewayId = gateway.id;
+      selectedGatewayId = projectGateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(provider.inputs);
@@ -163,7 +146,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           folderId: folder.id,
           name,
-          gatewayId: selectedGatewayId
+          projectGatewayId: selectedGatewayId
         },
         tx
       );
@@ -272,30 +255,20 @@ export const dynamicSecretServiceFactory = ({
     const updatedInput = await selectedProvider.validateProviderInputs(newInput);
 
     let selectedGatewayId: string | null = null;
-    if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
-      const gatewayId = updatedInput.gatewayId as string;
+    if (
+      updatedInput &&
+      typeof updatedInput === "object" &&
+      "projectGatewayId" in updatedInput &&
+      updatedInput?.projectGatewayId
+    ) {
+      const projectGatewayId = updatedInput.projectGatewayId as string;
 
-      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
-      if (!gateway) {
+      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
+      if (!projectGateway)
         throw new NotFoundError({
-          message: `Gateway with ID ${gatewayId} not found`
+          message: `Project gateway with ${projectGatewayId} not found`
         });
-      }
-
-      const { permission: orgPermission } = await permissionService.getOrgPermission(
-        actor,
-        actorId,
-        gateway.orgId,
-        actorAuthMethod,
-        actorOrgId
-      );
-
-      ForbiddenError.from(orgPermission).throwUnlessCan(
-        OrgPermissionGatewayActions.AttachGateways,
-        OrgPermissionSubjects.Gateway
-      );
-
-      selectedGatewayId = gateway.id;
+      selectedGatewayId = projectGateway.id;
     }
 
     const isConnected = await selectedProvider.validateConnection(newInput);
@@ -311,7 +284,7 @@ export const dynamicSecretServiceFactory = ({
           defaultTTL,
           name: newName ?? name,
           status: null,
-          gatewayId: selectedGatewayId
+          projectGatewayId: selectedGatewayId
         },
         tx
       );

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -6,7 +6,6 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
-import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
@@ -19,7 +18,7 @@ import { SqlDatabaseProvider } from "./sql-database";
 import { TotpProvider } from "./totp";
 
 type TBuildDynamicSecretProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
 };
 
 export const buildDynamicSecretProviders = ({
@@ -39,6 +38,5 @@ export const buildDynamicSecretProviders = ({
   [DynamicSecretProviders.SapHana]: SapHanaProvider(),
   [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
   [DynamicSecretProviders.Totp]: TotpProvider(),
-  [DynamicSecretProviders.SapAse]: SapAseProvider(),
-  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService })
+  [DynamicSecretProviders.SapAse]: SapAseProvider()
 });

backend/src/ee/services/dynamic-secret/providers/kubernetes.ts

@@ -1,199 +0,0 @@
-import axios from "axios";
-import https from "https";
-
-import { InternalServerError } from "@app/lib/errors";
-import { withGatewayProxy } from "@app/lib/gateway";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
-import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";
-
-import { TGatewayServiceFactory } from "../../gateway/gateway-service";
-import { DynamicSecretKubernetesSchema, TDynamicProviderFns } from "./models";
-
-const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
-
-type TKubernetesProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
-};
-
-export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: unknown) => {
-    const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
-    if (!providerInputs.gatewayId) {
-      await blockLocalAndPrivateIpAddresses(providerInputs.url);
-    }
-
-    return providerInputs;
-  };
-
-  const $gatewayProxyWrapper = async <T>(
-    inputs: {
-      gatewayId: string;
-      targetHost: string;
-      targetPort: number;
-    },
-    gatewayCallback: (host: string, port: number) => Promise<T>
-  ): Promise<T> => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
-    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
-
-    const callbackResult = await withGatewayProxy(
-      async (port) => {
-        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
-        const res = await gatewayCallback("https://localhost", port);
-        return res;
-      },
-      {
-        targetHost: inputs.targetHost,
-        targetPort: inputs.targetPort,
-        relayHost,
-        relayPort: Number(relayPort),
-        identityId: relayDetails.identityId,
-        orgId: relayDetails.orgId,
-        tlsOptions: {
-          ca: relayDetails.certChain,
-          cert: relayDetails.certificate,
-          key: relayDetails.privateKey.toString()
-        }
-      }
-    );
-
-    return callbackResult;
-  };
-
-  const validateConnection = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-
-    const serviceAccountGetCallback = async (host: string, port: number) => {
-      const baseUrl = port ? `${host}:${port}` : host;
-
-      await axios.get(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}`,
-        {
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${providerInputs.clusterToken}`
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent: new https.Agent({
-            ca: providerInputs.ca,
-            rejectUnauthorized: providerInputs.sslEnabled
-          })
-        }
-      );
-    };
-
-    const url = new URL(providerInputs.url);
-    const k8sPort = url.port ? Number(url.port) : 443;
-
-    try {
-      if (providerInputs.gatewayId) {
-        const k8sHost = url.hostname;
-
-        await $gatewayProxyWrapper(
-          {
-            gatewayId: providerInputs.gatewayId,
-            targetHost: k8sHost,
-            targetPort: k8sPort
-          },
-          serviceAccountGetCallback
-        );
-      } else {
-        const k8sHost = `${url.protocol}//${url.hostname}`;
-        await serviceAccountGetCallback(k8sHost, k8sPort);
-      }
-
-      return true;
-    } catch (error) {
-      let errorMessage = error instanceof Error ? error.message : "Unknown error";
-      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
-        errorMessage = (error.response?.data as { message: string }).message;
-      }
-
-      throw new InternalServerError({
-        message: `Failed to validate connection: ${errorMessage}`
-      });
-    }
-  };
-
-  const create = async (inputs: unknown, expireAt: number) => {
-    const providerInputs = await validateProviderInputs(inputs);
-
-    const tokenRequestCallback = async (host: string, port: number) => {
-      const baseUrl = port ? `${host}:${port}` : host;
-
-      const res = await axios.post<TKubernetesTokenRequest>(
-        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}/token`,
-        {
-          spec: {
-            expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
-            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
-          }
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${providerInputs.clusterToken}`
-          },
-          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
-          timeout: EXTERNAL_REQUEST_TIMEOUT,
-          httpsAgent: new https.Agent({
-            ca: providerInputs.ca,
-            rejectUnauthorized: providerInputs.sslEnabled
-          })
-        }
-      );
-
-      return res.data;
-    };
-
-    const url = new URL(providerInputs.url);
-    const k8sHost = `${url.protocol}//${url.hostname}`;
-    const k8sGatewayHost = url.hostname;
-    const k8sPort = url.port ? Number(url.port) : 443;
-
-    try {
-      const tokenData = providerInputs.gatewayId
-        ? await $gatewayProxyWrapper(
-            {
-              gatewayId: providerInputs.gatewayId,
-              targetHost: k8sGatewayHost,
-              targetPort: k8sPort
-            },
-            tokenRequestCallback
-          )
-        : await tokenRequestCallback(k8sHost, k8sPort);
-
-      return {
-        entityId: providerInputs.serviceAccountName,
-        data: { TOKEN: tokenData.status.token }
-      };
-    } catch (error) {
-      let errorMessage = error instanceof Error ? error.message : "Unknown error";
-      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
-        errorMessage = (error.response?.data as { message: string }).message;
-      }
-
-      throw new InternalServerError({
-        message: `Failed to create dynamic secret: ${errorMessage}`
-      });
-    }
-  };
-
-  const revoke = async (_inputs: unknown, entityId: string) => {
-    return { entityId };
-  };
-
-  const renew = async (_inputs: unknown, entityId: string) => {
-    // No renewal necessary
-    return { entityId };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -29,10 +29,6 @@ export enum LdapCredentialType {
   Static = "static"
 }
 
-export enum KubernetesCredentialType {
-  Static = "static"
-}
-
 export enum TotpConfigType {
   URL = "url",
   MANUAL = "manual"
@@ -141,7 +137,7 @@ export const DynamicSecretSqlDBSchema = z.object({
   revocationStatement: z.string().trim(),
   renewStatement: z.string().trim().optional(),
   ca: z.string().optional(),
-  gatewayId: z.string().nullable().optional()
+  projectGatewayId: z.string().nullable().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({
@@ -281,18 +277,6 @@ export const LdapSchema = z.union([
   })
 ]);
 
-export const DynamicSecretKubernetesSchema = z.object({
-  url: z.string().url().trim().min(1),
-  gatewayId: z.string().nullable().optional(),
-  sslEnabled: z.boolean().default(true),
-  clusterToken: z.string().trim().min(1),
-  ca: z.string().optional(),
-  serviceAccountName: z.string().trim().min(1),
-  credentialType: z.literal(KubernetesCredentialType.Static),
-  namespace: z.string().trim().min(1),
-  audiences: z.array(z.string().trim().min(1))
-});
-
 export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
   z.object({
     configType: z.literal(TotpConfigType.URL),
@@ -336,8 +320,7 @@ export enum DynamicSecretProviders {
   SapHana = "sap-hana",
   Snowflake = "snowflake",
   Totp = "totp",
-  SapAse = "sap-ase",
-  Kubernetes = "kubernetes"
+  SapAse = "sap-ase"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -355,8 +338,7 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -112,14 +112,14 @@ const generateUsername = (provider: SqlProviders) => {
 };
 
 type TSqlDatabaseProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
 };
 
 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
 
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.gatewayId));
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
     validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
       allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
     });
@@ -168,7 +168,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
     providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>,
     gatewayCallback: (host: string, port: number) => Promise<void>
   ) => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(providerInputs.gatewayId as string);
+    const relayDetails = await gatewayService.fnGetGatewayClientTls(providerInputs.projectGatewayId as string);
     const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
     await withGatewayProxy(
       async (port) => {
@@ -202,7 +202,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
       await db.destroy();
     };
 
-    if (providerInputs.gatewayId) {
+    if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -238,7 +238,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.gatewayId) {
+    if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -265,7 +265,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.gatewayId) {
+    if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();
@@ -301,7 +301,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
         await db.destroy();
       }
     };
-    if (providerInputs.gatewayId) {
+    if (providerInputs.projectGatewayId) {
       await gatewayProxyWrapper(providerInputs, gatewayCallback);
     } else {
       await gatewayCallback();

backend/src/ee/services/gateway/gateway-dal.ts

@@ -1,34 +1,37 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
 import { GatewaysSchema, TableName, TGateways } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";
+import {
+  buildFindFilter,
+  ormify,
+  selectAllTableCols,
+  sqlNestRelationships,
+  TFindFilter,
+  TFindOpt
+} from "@app/lib/knex";
 
 export type TGatewayDALFactory = ReturnType<typeof gatewayDALFactory>;
 
 export const gatewayDALFactory = (db: TDbClient) => {
   const orm = ormify(db, TableName.Gateway);
 
-  const find = async (
-    filter: TFindFilter<TGateways> & { orgId?: string },
-    { offset, limit, sort, tx }: TFindOpt<TGateways> = {}
-  ) => {
+  const find = async (filter: TFindFilter<TGateways>, { offset, limit, sort, tx }: TFindOpt<TGateways> = {}) => {
     try {
       const query = (tx || db)(TableName.Gateway)
         // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter, TableName.Gateway, ["orgId"]))
+        .where(buildFindFilter(filter))
         .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .join(
-          TableName.IdentityOrgMembership,
-          `${TableName.IdentityOrgMembership}.identityId`,
-          `${TableName.Gateway}.identityId`
-        )
+        .leftJoin(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
+        .leftJoin(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectGateway}.projectId`)
         .select(selectAllTableCols(TableName.Gateway))
-        .select(db.ref("orgId").withSchema(TableName.IdentityOrgMembership).as("identityOrgId"))
-        .select(db.ref("name").withSchema(TableName.Identity).as("identityName"));
-
-      if (filter.orgId) {
-        void query.where(`${TableName.IdentityOrgMembership}.orgId`, filter.orgId);
-      }
+        .select(
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("name").withSchema(TableName.Project).as("projectName"),
+          db.ref("slug").withSchema(TableName.Project).as("projectSlug"),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
+        );
       if (limit) void query.limit(limit);
       if (offset) void query.offset(offset);
       if (sort) {
@@ -36,16 +39,48 @@ export const gatewayDALFactory = (db: TDbClient) => {
       }
 
       const docs = await query;
-
-      return docs.map((el) => ({
-        ...GatewaysSchema.parse(el),
-        orgId: el.identityOrgId as string, // todo(daniel): figure out why typescript is not inferring this as a string
-        identity: { id: el.identityId, name: el.identityName }
-      }));
+      return sqlNestRelationships({
+        data: docs,
+        key: "id",
+        parentMapper: (data) => ({
+          ...GatewaysSchema.parse(data),
+          identity: { id: data.identityId, name: data.identityName }
+        }),
+        childrenMapper: [
+          {
+            key: "projectId",
+            label: "projects" as const,
+            mapper: ({ projectId, projectName, projectSlug }) => ({
+              id: projectId,
+              name: projectName,
+              slug: projectSlug
+            })
+          }
+        ]
+      });
     } catch (error) {
       throw new DatabaseError({ error, name: `${TableName.Gateway}: Find` });
     }
   };
 
-  return { ...orm, find };
+  const findByProjectId = async (projectId: string, tx?: Knex) => {
+    try {
+      const query = (tx || db)(TableName.Gateway)
+        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
+        .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
+        .select(selectAllTableCols(TableName.Gateway))
+        .select(
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("id").withSchema(TableName.ProjectGateway).as("projectGatewayId")
+        )
+        .where({ [`${TableName.ProjectGateway}.projectId` as "projectId"]: projectId });
+
+      const docs = await query;
+      return docs.map((el) => ({ ...el, identity: { id: el.identityId, name: el.identityName } }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find by project id` });
+    }
+  };
+
+  return { ...orm, find, findByProjectId };
 };

backend/src/ee/services/gateway/gateway-service.ts

@@ -4,6 +4,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";
 
+import { ActionProjectType } from "@app/db/schemas";
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -26,14 +27,17 @@ import { TGatewayDALFactory } from "./gateway-dal";
 import {
   TExchangeAllocatedRelayAddressDTO,
   TGetGatewayByIdDTO,
+  TGetProjectGatewayByIdDTO,
   THeartBeatDTO,
   TListGatewaysDTO,
   TUpdateGatewayByIdDTO
 } from "./gateway-types";
 import { TOrgGatewayConfigDALFactory } from "./org-gateway-config-dal";
+import { TProjectGatewayDALFactory } from "./project-gateway-dal";
 
 type TGatewayServiceFactoryDep = {
   gatewayDAL: TGatewayDALFactory;
+  projectGatewayDAL: TProjectGatewayDALFactory;
   orgGatewayConfigDAL: Pick<TOrgGatewayConfigDALFactory, "findOne" | "create" | "transaction" | "findById">;
   licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "getPlan">;
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "decryptWithRootKey">;
@@ -53,7 +57,8 @@ export const gatewayServiceFactory = ({
   kmsService,
   permissionService,
   orgGatewayConfigDAL,
-  keyStore
+  keyStore,
+  projectGatewayDAL
 }: TGatewayServiceFactoryDep) => {
   const $validateOrgAccessToGateway = async (orgId: string, actorId: string, actorAuthMethod: ActorAuthMethod) => {
     // if (!licenseService.onPremFeatures.gateway) {
@@ -521,7 +526,7 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const updateGatewayById = async ({ orgPermission, id, name }: TUpdateGatewayByIdDTO) => {
+  const updateGatewayById = async ({ orgPermission, id, name, projectIds }: TUpdateGatewayByIdDTO) => {
     const { permission } = await permissionService.getOrgPermission(
       orgPermission.type,
       orgPermission.id,
@@ -538,6 +543,15 @@ export const gatewayServiceFactory = ({
 
     const [gateway] = await gatewayDAL.update({ id, orgGatewayRootCaId: orgGatewayConfig.id }, { name });
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
+    if (projectIds) {
+      await projectGatewayDAL.transaction(async (tx) => {
+        await projectGatewayDAL.delete({ gatewayId: gateway.id }, tx);
+        await projectGatewayDAL.insertMany(
+          projectIds.map((el) => ({ gatewayId: gateway.id, projectId: el })),
+          tx
+        );
+      });
+    }
 
     return gateway;
   };
@@ -562,7 +576,27 @@ export const gatewayServiceFactory = ({
     return gateway;
   };
 
-  const fnGetGatewayClientTlsByGatewayId = async (gatewayId: string) => {
+  const getProjectGateways = async ({ projectId, projectPermission }: TGetProjectGatewayByIdDTO) => {
+    await permissionService.getProjectPermission({
+      projectId,
+      actor: projectPermission.type,
+      actorId: projectPermission.id,
+      actorOrgId: projectPermission.orgId,
+      actorAuthMethod: projectPermission.authMethod,
+      actionProjectType: ActionProjectType.Any
+    });
+
+    const gateways = await gatewayDAL.findByProjectId(projectId);
+    return gateways;
+  };
+
+  // this has no permission check and used for dynamic secrets directly
+  // assumes permission check is already done
+  const fnGetGatewayClientTls = async (projectGatewayId: string) => {
+    const projectGateway = await projectGatewayDAL.findById(projectGatewayId);
+    if (!projectGateway) throw new NotFoundError({ message: `Project gateway with ID ${projectGatewayId} not found.` });
+
+    const { gatewayId } = projectGateway;
     const gateway = await gatewayDAL.findById(gatewayId);
     if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });
 
@@ -611,7 +645,8 @@ export const gatewayServiceFactory = ({
     getGatewayById,
     updateGatewayById,
     deleteGatewayById,
-    fnGetGatewayClientTlsByGatewayId,
+    getProjectGateways,
+    fnGetGatewayClientTls,
     heartbeat
   };
 };

backend/src/ee/services/gateway/gateway-types.ts

@@ -20,6 +20,7 @@ export type TGetGatewayByIdDTO = {
 export type TUpdateGatewayByIdDTO = {
   id: string;
   name?: string;
+  projectIds?: string[];
   orgPermission: OrgServiceActor;
 };
 

backend/src/ee/services/gateway/project-gateway-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TProjectGatewayDALFactory = ReturnType<typeof projectGatewayDALFactory>;
+
+export const projectGatewayDALFactory = (db: TDbClient) => {
+  const orm = ormify(db, TableName.ProjectGateway);
+  return orm;
+};

backend/src/ee/services/github-org-sync/github-org-sync-service.ts

@@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/core";
-import { paginateGraphql } from "@octokit/plugin-paginate-graphql";
+import { paginateGraphQL } from "@octokit/plugin-paginate-graphql";
 import { Octokit as OctokitRest } from "@octokit/rest";
 
 import { OrgMembershipRole } from "@app/db/schemas";
@@ -18,7 +18,7 @@ import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TGithubOrgSyncDALFactory } from "./github-org-sync-dal";
 import { TCreateGithubOrgSyncDTO, TDeleteGithubOrgSyncDTO, TUpdateGithubOrgSyncDTO } from "./github-org-sync-types";
 
-const OctokitWithPlugin = Octokit.plugin(paginateGraphql);
+const OctokitWithPlugin = Octokit.plugin(paginateGraphQL);
 
 type TGithubOrgSyncServiceFactoryDep = {
   githubOrgSyncDAL: TGithubOrgSyncDALFactory;

backend/src/ee/services/group/group-dal.ts

@@ -111,9 +111,9 @@ export const groupDALFactory = (db: TDbClient) => {
       }
 
       if (search) {
-        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", lower("username")) ilike ?`, [`%${search}%`]);
+        void query.andWhereRaw(`CONCAT_WS(' ', "firstName", "lastName", "username") ilike ?`, [`%${search}%`]);
       } else if (username) {
-        void query.andWhereRaw(`lower("${TableName.Users}"."username") ilike ?`, `%${username}%`);
+        void query.andWhere(`${TableName.Users}.username`, "ilike", `%${username}%`);
       }
 
       switch (filter) {
@@ -157,23 +157,10 @@ export const groupDALFactory = (db: TDbClient) => {
     }
   };
 
-  const findGroupsByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const docs = await (tx || db.replicaNode())(TableName.Groups)
-        .join(TableName.GroupProjectMembership, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
-        .where(`${TableName.GroupProjectMembership}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.Groups));
-      return docs;
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find groups by project id" });
-    }
-  };
-
   return {
     findGroups,
     findByOrgId,
     findAllGroupPossibleMembers,
-    findGroupsByProjectId,
     ...groupOrm
   };
 };

backend/src/ee/services/group/group-service.ts

@@ -30,7 +30,7 @@ import {
 import { TUserGroupMembershipDALFactory } from "./user-group-membership-dal";
 
 type TGroupServiceFactoryDep = {
-  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findUserByUsername">;
+  userDAL: Pick<TUserDALFactory, "find" | "findUserEncKeyByUserIdsBatch" | "transaction" | "findOne">;
   groupDAL: Pick<
     TGroupDALFactory,
     "create" | "findOne" | "update" | "delete" | "findAllGroupPossibleMembers" | "findById" | "transaction"
@@ -380,10 +380,7 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const usersWithUsername = await userDAL.findUserByUsername(username);
-    // akhilmhdh: case sensitive email resolution
-    const user =
-      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
+    const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await addUsersToGroupByUserIds({
@@ -464,10 +461,7 @@ export const groupServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    const usersWithUsername = await userDAL.findUserByUsername(username);
-    // akhilmhdh: case sensitive email resolution
-    const user =
-      usersWithUsername?.length > 1 ? usersWithUsername.find((el) => el.username === username) : usersWithUsername?.[0];
+    const user = await userDAL.findOne({ username });
     if (!user) throw new NotFoundError({ message: `Failed to find user with username ${username}` });
 
     const users = await removeUsersFromGroupByUserIds({

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -176,8 +176,7 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
           db.ref("name").withSchema(TableName.Groups).as("groupName"),
           db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
           db.ref("firstName").withSchema(TableName.Users).as("firstName"),
-          db.ref("lastName").withSchema(TableName.Users).as("lastName"),
-          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
         );
 
       return docs;

backend/src/ee/services/hsm/hsm-fns.ts

@@ -24,13 +24,9 @@ export const initializeHsmModule = (envConfig: Pick<TEnvConfig, "isHsmConfigured
       isInitialized = true;
 
       logger.info("PKCS#11 module initialized");
-    } catch (error) {
-      if (error instanceof pkcs11js.Pkcs11Error && error.code === pkcs11js.CKR_CRYPTOKI_ALREADY_INITIALIZED) {
-        logger.info("Skipping HSM initialization because it's already initialized.");
-      } else {
-        logger.error(error, "Failed to initialize PKCS#11 module");
-        throw error;
-      }
+    } catch (err) {
+      logger.error(err, "Failed to initialize PKCS#11 module");
+      throw err;
     }
   };
 

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -380,7 +380,7 @@ export const ldapConfigServiceFactory = ({
         if (serverCfg.trustLdapEmails) {
           newUser = await userDAL.findOne(
             {
-              email: email.toLowerCase(),
+              email,
               isEmailVerified: true
             },
             tx
@@ -391,8 +391,8 @@ export const ldapConfigServiceFactory = ({
           const uniqueUsername = await normalizeUsername(username, userDAL);
           newUser = await userDAL.create(
             {
-              username: serverCfg.trustLdapEmails ? email.toLowerCase() : uniqueUsername,
-              email: email.toLowerCase(),
+              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
+              email,
               isEmailVerified: serverCfg.trustLdapEmails,
               firstName,
               lastName,
@@ -429,7 +429,7 @@ export const ldapConfigServiceFactory = ({
           await orgMembershipDAL.create(
             {
               userId: newUser.id,
-              inviteEmail: email.toLowerCase(),
+              inviteEmail: email,
               orgId,
               role,
               roleId,

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -14,11 +14,6 @@ export type TLDAPConfig = {
   caCert: string;
 };
 
-export type TTestLDAPConfigDTO = Omit<
-  TLDAPConfig,
-  "organization" | "id" | "groupSearchBase" | "groupSearchFilter" | "isActive" | "uniqueUserAttribute" | "searchBase"
->;
-
 export type TCreateLdapCfgDTO = {
   orgId: string;
   isActive: boolean;

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -2,14 +2,15 @@ import ldapjs from "ldapjs";
 
 import { logger } from "@app/lib/logger";
 
-import { TLDAPConfig, TTestLDAPConfigDTO } from "./ldap-config-types";
+import { TLDAPConfig } from "./ldap-config-types";
 
 export const isValidLdapFilter = (filter: string) => {
   try {
     ldapjs.parseFilter(filter);
     return true;
   } catch (error) {
-    logger.error(error, "Invalid LDAP filter");
+    logger.error("Invalid LDAP filter");
+    logger.error(error);
     return false;
   }
 };
@@ -19,7 +20,7 @@ export const isValidLdapFilter = (filter: string) => {
  * @param ldapConfig - The LDAP configuration to test
  * @returns {Boolean} isConnected - Whether or not the connection was successful
  */
-export const testLDAPConfig = async (ldapConfig: TTestLDAPConfigDTO): Promise<boolean> => {
+export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean> => {
   return new Promise((resolve) => {
     const ldapClient = ldapjs.createClient({
       url: ldapConfig.url,

backend/src/ee/services/license/__mocks__/license-fns.ts

@@ -29,9 +29,7 @@ export const getDefaultOnPremFeatures = () => {
     secretApproval: true,
     secretRotation: true,
     caCrl: false,
-    sshHostGroups: false,
-    enterpriseSecretSyncs: false,
-    enterpriseAppConnections: false
+    sshHostGroups: false
   };
 };
 

backend/src/ee/services/license/license-dal.ts

@@ -19,7 +19,7 @@ export const licenseDALFactory = (db: TDbClient) => {
         .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
         .where(`${TableName.Users}.isGhost`, false)
         .count();
-      return Number(doc?.[0]?.count ?? 0);
+      return Number(doc?.[0].count);
     } catch (error) {
       throw new DatabaseError({ error, name: "Count of Org Members" });
     }

backend/src/ee/services/license/license-fns.ts

@@ -2,7 +2,6 @@ import axios, { AxiosError } from "axios";
 
 import { getConfig } from "@app/lib/config/env";
 import { request } from "@app/lib/config/request";
-import { logger } from "@app/lib/logger";
 
 import { TFeatureSet } from "./license-types";
 
@@ -55,24 +54,15 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   projectTemplates: false,
   kmip: false,
   gateway: false,
-  sshHostGroups: false,
-  enterpriseSecretSyncs: false,
-  enterpriseAppConnections: false
+  sshHostGroups: false
 });
 
-export const setupLicenseRequestWithStore = (
-  baseURL: string,
-  refreshUrl: string,
-  licenseKey: string,
-  region?: string
-) => {
+export const setupLicenseRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {
   let token: string;
   const licenseReq = axios.create({
     baseURL,
-    timeout: 35 * 1000,
-    headers: {
-      "x-region": region
-    }
+    timeout: 35 * 1000
+    // signal: AbortSignal.timeout(60 * 1000)
   });
 
   const refreshLicense = async () => {
@@ -108,10 +98,9 @@ export const setupLicenseRequestWithStore = (
     (response) => response,
     async (err) => {
       const originalRequest = (err as AxiosError).config;
-      const errStatusCode = Number((err as AxiosError)?.response?.status);
-      logger.error((err as AxiosError)?.response?.data, "License server call error");
+
       // eslint-disable-next-line
-      if ((errStatusCode === 401 || errStatusCode === 403) && !(originalRequest as any)._retry) {
+      if ((err as AxiosError)?.response?.status === 401 && !(originalRequest as any)._retry) {
         // eslint-disable-next-line
         (originalRequest as any)._retry = true; // injected
 

backend/src/ee/services/license/license-service.ts

@@ -77,15 +77,13 @@ export const licenseServiceFactory = ({
   const licenseServerCloudApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_CLOUD_LOGIN,
-    appCfg.LICENSE_SERVER_KEY || "",
-    appCfg.INTERNAL_REGION
+    appCfg.LICENSE_SERVER_KEY || ""
   );
 
   const licenseServerOnPremApi = setupLicenseRequestWithStore(
     appCfg.LICENSE_SERVER_URL || "",
     LICENSE_SERVER_ON_PREM_LOGIN,
-    appCfg.LICENSE_KEY || "",
-    appCfg.INTERNAL_REGION
+    appCfg.LICENSE_KEY || ""
   );
 
   const syncLicenseKeyOnPremFeatures = async (shouldThrow: boolean = false) => {
@@ -94,10 +92,6 @@ export const licenseServiceFactory = ({
       const {
         data: { currentPlan }
       } = await licenseServerOnPremApi.request.get<{ currentPlan: TFeatureSet }>("/api/license/v1/plan");
-
-      const workspacesUsed = await projectDAL.countOfOrgProjects(null);
-      currentPlan.workspacesUsed = workspacesUsed;
-
       onPremFeatures = currentPlan;
       logger.info("Successfully synchronized license key features");
     } catch (error) {
@@ -191,14 +185,6 @@ export const licenseServiceFactory = ({
         } = await licenseServerCloudApi.request.get<{ currentPlan: TFeatureSet }>(
           `/api/license-server/v1/customers/${org.customerId}/cloud-plan`
         );
-        const workspacesUsed = await projectDAL.countOfOrgProjects(orgId);
-        currentPlan.workspacesUsed = workspacesUsed;
-
-        const membersUsed = await licenseDAL.countOfOrgMembers(orgId);
-        currentPlan.membersUsed = membersUsed;
-        const identityUsed = await licenseDAL.countOrgUsersAndIdentities(orgId);
-        currentPlan.identitiesUsed = identityUsed;
-
         await keyStore.setItemWithExpiry(
           FEATURE_CACHE_KEY(org.id),
           LICENSE_SERVER_CLOUD_PLAN_TTL,
@@ -362,8 +348,8 @@ export const licenseServiceFactory = ({
       } = await licenseServerCloudApi.request.post(
         `/api/license-server/v1/customers/${organization.customerId}/billing-details/payment-methods`,
         {
-          success_url: `${appCfg.SITE_URL}/organization/billing`,
-          cancel_url: `${appCfg.SITE_URL}/organization/billing`
+          success_url: `${appCfg.SITE_URL}/dashboard`,
+          cancel_url: `${appCfg.SITE_URL}/dashboard`
         }
       );
 
@@ -376,7 +362,7 @@ export const licenseServiceFactory = ({
     } = await licenseServerCloudApi.request.post(
       `/api/license-server/v1/customers/${organization.customerId}/billing-details/billing-portal`,
       {
-        return_url: `${appCfg.SITE_URL}/organization/billing`
+        return_url: `${appCfg.SITE_URL}/dashboard`
       }
     );
 
@@ -393,7 +379,7 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-    if (instanceType === InstanceType.Cloud) {
+    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
       const { data } = await licenseServerCloudApi.request.get(
         `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/billing`
       );
@@ -421,38 +407,11 @@ export const licenseServiceFactory = ({
         message: `Organization with ID '${orgId}' not found`
       });
     }
-
-    const orgMembersUsed = await orgDAL.countAllOrgMembers(orgId);
-    const identityUsed = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
-    const projects = await projectDAL.find({ orgId });
-    const projectCount = projects.length;
-
-    if (instanceType === InstanceType.Cloud) {
-      const { data } = await licenseServerCloudApi.request.get<{
-        head: { name: string }[];
-        rows: { name: string; allowed: boolean }[];
-      }>(`/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`);
-
-      const formattedData = {
-        head: data.head,
-        rows: data.rows.map((el) => {
-          let used = "-";
-
-          if (el.name === BillingPlanRows.MemberLimit.name) {
-            used = orgMembersUsed.toString();
-          } else if (el.name === BillingPlanRows.WorkspaceLimit.name) {
-            used = projectCount.toString();
-          } else if (el.name === BillingPlanRows.IdentityLimit.name) {
-            used = (identityUsed + orgMembersUsed).toString();
-          }
-
-          return {
-            ...el,
-            used
-          };
-        })
-      };
-      return formattedData;
+    if (instanceType !== InstanceType.OnPrem && instanceType !== InstanceType.EnterpriseOnPremOffline) {
+      const { data } = await licenseServerCloudApi.request.get(
+        `/api/license-server/v1/customers/${organization.customerId}/cloud-plan/table`
+      );
+      return data;
     }
 
     const mappedRows = await Promise.all(
@@ -461,11 +420,14 @@ export const licenseServiceFactory = ({
         let used = "-";
 
         if (field === BillingPlanRows.MemberLimit.field) {
-          used = orgMembersUsed.toString();
+          const orgMemberships = await orgDAL.countAllOrgMembers(orgId);
+          used = orgMemberships.toString();
         } else if (field === BillingPlanRows.WorkspaceLimit.field) {
-          used = projectCount.toString();
+          const projects = await projectDAL.find({ orgId });
+          used = projects.length.toString();
         } else if (field === BillingPlanRows.IdentityLimit.field) {
-          used = identityUsed.toString();
+          const identities = await identityOrgMembershipDAL.countAllOrgIdentities({ orgId });
+          used = identities.toString();
         }
 
         return {

backend/src/ee/services/license/license-types.ts

@@ -27,7 +27,7 @@ export type TFeatureSet = {
   slug: null;
   tier: -1;
   workspaceLimit: null;
-  workspacesUsed: number;
+  workspacesUsed: 0;
   dynamicSecret: false;
   memberLimit: null;
   membersUsed: number;
@@ -72,8 +72,6 @@ export type TFeatureSet = {
   kmip: false;
   gateway: false;
   sshHostGroups: false;
-  enterpriseSecretSyncs: false;
-  enterpriseAppConnections: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -44,7 +44,6 @@ import {
   TOidcLoginDTO,
   TUpdateOidcCfgDTO
 } from "./oidc-config-types";
-import { logger } from "@app/lib/logger";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<
@@ -172,8 +171,8 @@ export const oidcConfigServiceFactory = ({
   };
 
   const oidcLogin = async ({
-    email,
     externalId,
+    email,
     firstName,
     lastName,
     orgId,
@@ -700,7 +699,6 @@ export const oidcConfigServiceFactory = ({
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (_req: any, tokenSet: TokenSet, cb: any) => {
         const claims = tokenSet.claims();
-        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
         if (!claims.email || !claims.given_name) {
           throw new BadRequestError({
             message: "Invalid request. Missing email or first name"
@@ -716,15 +714,13 @@ export const oidcConfigServiceFactory = ({
           }
         }
 
-        const groups = typeof claims.groups === "string" ? [claims.groups] : (claims.groups as string[] | undefined);
-
         oidcLogin({
-          email: claims.email.toLowerCase(),
+          email: claims.email,
           externalId: claims.sub,
           firstName: claims.given_name ?? "",
           lastName: claims.family_name ?? "",
           orgId: org.id,
-          groups,
+          groups: claims.groups as string[] | undefined,
           callbackPort,
           manageGroupMemberships: oidcCfg.manageGroupMemberships
         })

backend/src/ee/services/permission/default-roles.ts

@@ -2,7 +2,6 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"
 
 import {
   ProjectPermissionActions,
-  ProjectPermissionApprovalActions,
   ProjectPermissionCertificateActions,
   ProjectPermissionCmekActions,
   ProjectPermissionDynamicSecretActions,
@@ -10,7 +9,6 @@ import {
   ProjectPermissionIdentityActions,
   ProjectPermissionKmipActions,
   ProjectPermissionMemberActions,
-  ProjectPermissionPkiSubscriberActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSecretRotationActions,
   ProjectPermissionSecretSyncActions,
@@ -26,6 +24,7 @@ const buildAdminPermissionRules = () => {
   [
     ProjectPermissionSub.SecretFolders,
     ProjectPermissionSub.SecretImports,
+    ProjectPermissionSub.SecretApproval,
     ProjectPermissionSub.Role,
     ProjectPermissionSub.Integrations,
     ProjectPermissionSub.Webhooks,
@@ -55,18 +54,6 @@ const buildAdminPermissionRules = () => {
     );
   });
 
-  can(
-    [
-      ProjectPermissionApprovalActions.Read,
-      ProjectPermissionApprovalActions.Edit,
-      ProjectPermissionApprovalActions.Create,
-      ProjectPermissionApprovalActions.Delete,
-      ProjectPermissionApprovalActions.AllowChangeBypass,
-      ProjectPermissionApprovalActions.AllowAccessBypass
-    ],
-    ProjectPermissionSub.SecretApproval
-  );
-
   can(
     [
       ProjectPermissionCertificateActions.Read,
@@ -89,18 +76,6 @@ const buildAdminPermissionRules = () => {
     ProjectPermissionSub.SshHosts
   );
 
-  can(
-    [
-      ProjectPermissionPkiSubscriberActions.Edit,
-      ProjectPermissionPkiSubscriberActions.Read,
-      ProjectPermissionPkiSubscriberActions.Create,
-      ProjectPermissionPkiSubscriberActions.Delete,
-      ProjectPermissionPkiSubscriberActions.IssueCert,
-      ProjectPermissionPkiSubscriberActions.ListCerts
-    ],
-    ProjectPermissionSub.PkiSubscribers
-  );
-
   can(
     [
       ProjectPermissionMemberActions.Create,
@@ -138,6 +113,7 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
+      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
@@ -218,6 +194,7 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
+      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
@@ -255,7 +232,7 @@ const buildMemberPermissionRules = () => {
     ProjectPermissionSub.SecretImports
   );
 
-  can([ProjectPermissionApprovalActions.Read], ProjectPermissionSub.SecretApproval);
+  can([ProjectPermissionActions.Read], ProjectPermissionSub.SecretApproval);
   can([ProjectPermissionSecretRotationActions.Read], ProjectPermissionSub.SecretRotation);
 
   can([ProjectPermissionActions.Read, ProjectPermissionActions.Create], ProjectPermissionSub.SecretRollback);
@@ -361,7 +338,6 @@ const buildMemberPermissionRules = () => {
   can([ProjectPermissionActions.Read], ProjectPermissionSub.SshCertificateTemplates);
 
   can([ProjectPermissionSshHostActions.Read], ProjectPermissionSub.SshHosts);
-  can([ProjectPermissionPkiSubscriberActions.Read], ProjectPermissionSub.PkiSubscribers);
 
   can(
     [
@@ -396,14 +372,13 @@ const buildMemberPermissionRules = () => {
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(
-    [ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue],
-    ProjectPermissionSub.Secrets
-  );
+  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
+  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);
-  can(ProjectPermissionApprovalActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
   can(ProjectPermissionSecretRotationActions.Read, ProjectPermissionSub.SecretRotation);
   can(ProjectPermissionMemberActions.Read, ProjectPermissionSub.Member);

backend/src/ee/services/permission/org-permission.ts

@@ -41,8 +41,7 @@ export enum OrgPermissionGatewayActions {
   CreateGateways = "create-gateways",
   ListGateways = "list-gateways",
   EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways",
-  AttachGateways = "attach-gateways"
+  DeleteGateways = "delete-gateways"
 }
 
 export enum OrgPermissionIdentityActions {
@@ -338,7 +337,6 @@ const buildAdminPermission = () => {
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.EditGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.DeleteGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);
 
@@ -380,7 +378,6 @@ const buildMemberPermission = () => {
   can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
   can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
   can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
-  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);
 
   return rules;
 };