chore: renamed new migration files to latest timestamp (gh-action)

.github/workflows/build-staging-and-deploy-aws.yml

@@ -74,21 +74,21 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
           wait-for-service-stability: true
 
   production-postgres-deployment:
@@ -122,19 +122,19 @@ jobs:
         uses: pr-mpt/actions-commit-hash@v2
       - name: Download task definition
         run: |
-          aws ecs describe-task-definition --task-definition infisical-core-platform --query taskDefinition > task-definition.json
+          aws ecs describe-task-definition --task-definition infisical-prod-platform --query taskDefinition > task-definition.json
       - name: Render Amazon ECS task definition
         id: render-web-container
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: task-definition.json
-          container-name: infisical-core-platform
+          container-name: infisical-prod-platform
           image: infisical/staging_infisical:${{ steps.commit.outputs.short }}
           environment-variables: "LOG_LEVEL=info"
       - name: Deploy to Amazon ECS service
         uses: aws-actions/amazon-ecs-deploy-task-definition@v1
         with:
           task-definition: ${{ steps.render-web-container.outputs.task-definition }}
-          service: infisical-core-platform
-          cluster: infisical-core-platform
+          service: infisical-prod-platform
+          cluster: infisical-prod-platform
           wait-for-service-stability: true

.github/workflows/update-be-new-migration-latest-timestamp.yml

@@ -2,7 +2,8 @@ name: Rename Migrations
 
 on:
   pull_request:
-    types: [closed]
+    types:
+      - closed
     paths:
       - 'backend/src/db/migrations/**'
 
@@ -10,50 +11,27 @@ jobs:
   rename:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true
-
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-
+          
       - name: Get list of newly added files in migration folder
-        run: |
-          git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^A' | cut -f2 | xargs -n1 basename > added_files.txt
-          if [ ! -s added_files.txt ]; then
-            echo "No new files added. Skipping"
-            echo "SKIP_RENAME=true" >> $GITHUB_ENV
-          fi
-
-      - name: Script to rename migrations
-        if: env.SKIP_RENAME != 'true'
+        run: git diff --name-status HEAD^ HEAD backend/src/db/migrations | grep '^A' | cut -f2  | xargs -n1 basename > added_files.txt
+      
+      - name: Script to rename migrations 
         run: python .github/resources/rename_migration_files.py
 
       - name: Commit and push changes
-        if: env.SKIP_RENAME != 'true'
         run: |
           git config user.name github-actions
           git config user.email github-actions@github.com
           git add ./backend/src/db/migrations
-          rm added_files.txt
           git commit -m "chore: renamed new migration files to latest timestamp (gh-action)"
-
-      - name: Get PR details
-        id: pr_details
+      
+      - name: Push changes
+        env:
+          TOKEN: ${{ secrets.GH_PERSONAL_TOKEN }}
         run: |
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          PR_MERGER=$(curl -s "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -r '.merged_by.login')
-          
-          echo "PR Number: $PR_NUMBER"
-          echo "PR Merger: $PR_MERGER"
-          echo "pr_merger=$PR_MERGER" >> $GITHUB_OUTPUT
-
-      - name: Create Pull Request
-        if: env.SKIP_RENAME != 'true'
-        uses: peter-evans/create-pull-request@v6
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: 'chore: renamed new migration files to latest UTC (gh-action)'
-          title: 'GH Action: rename new migration file timestamp'
-          branch-suffix: timestamp
-          reviewers: ${{ steps.pr_details.outputs.pr_merger }}
+          git push https://$GITHUB_ACTOR:$TOKEN@github.com/${{ github.repository }}.git HEAD:origin/main

.infisicalignore

@@ -2,6 +2,4 @@
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/IdentityRbacSection.tsx:generic-api-key:206
 frontend/src/views/Project/MembersPage/components/IdentityTab/components/IdentityRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:304
 frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/MemberRbacSection.tsx:generic-api-key:206
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292
-docs/self-hosting/configuration/envars.mdx:generic-api-key:106
-frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:451
+frontend/src/views/Project/MembersPage/components/MemberListTab/MemberRoleForm/SpecificPrivilegeSection.tsx:generic-api-key:292

backend/package.json

@@ -95,13 +95,11 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.4.2",
+    "bullmq": "^5.3.3",
     "cassandra-driver": "^4.7.2",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
-    "google-auth-library": "^9.9.0",
-    "googleapis": "^137.1.0",
     "handlebars": "^4.7.8",
     "ioredis": "^5.3.2",
     "jmespath": "^0.16.0",
@@ -112,7 +110,7 @@
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",
-    "mysql2": "^3.9.7",
+    "mysql2": "^3.9.4",
     "nanoid": "^5.0.4",
     "nodemailer": "^6.9.9",
     "ora": "^7.0.1",

backend/src/@types/fastify.d.ts

@@ -1,11 +1,8 @@
 import "fastify";
 
 import { TUsers } from "@app/db/schemas";
-import { TAccessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { TAccessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { TAuditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
 import { TCreateAuditLogDTO } from "@app/ee/services/audit-log/audit-log-types";
-import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
@@ -32,9 +29,6 @@ import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-se
 import { TGroupProjectServiceFactory } from "@app/services/group-project/group-project-service";
 import { TIdentityServiceFactory } from "@app/services/identity/identity-service";
 import { TIdentityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -118,11 +112,6 @@ declare module "fastify" {
       identityAccessToken: TIdentityAccessTokenServiceFactory;
       identityProject: TIdentityProjectServiceFactory;
       identityUa: TIdentityUaServiceFactory;
-      identityKubernetesAuth: TIdentityKubernetesAuthServiceFactory;
-      identityGcpAuth: TIdentityGcpAuthServiceFactory;
-      identityAwsAuth: TIdentityAwsAuthServiceFactory;
-      accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
-      accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
       secretApprovalRequest: TSecretApprovalRequestServiceFactory;
       secretRotation: TSecretRotationServiceFactory;
@@ -131,7 +120,6 @@ declare module "fastify" {
       scim: TScimServiceFactory;
       ldap: TLdapConfigServiceFactory;
       auditLog: TAuditLogServiceFactory;
-      auditLogStream: TAuditLogStreamServiceFactory;
       secretScanning: TSecretScanningServiceFactory;
       license: TLicenseServiceFactory;
       trustedIp: TTrustedIpServiceFactory;

backend/src/@types/knex.d.ts

@@ -2,26 +2,11 @@ import { Knex } from "knex";
 
 import {
   TableName,
-  TAccessApprovalPolicies,
-  TAccessApprovalPoliciesApprovers,
-  TAccessApprovalPoliciesApproversInsert,
-  TAccessApprovalPoliciesApproversUpdate,
-  TAccessApprovalPoliciesInsert,
-  TAccessApprovalPoliciesUpdate,
-  TAccessApprovalRequests,
-  TAccessApprovalRequestsInsert,
-  TAccessApprovalRequestsReviewers,
-  TAccessApprovalRequestsReviewersInsert,
-  TAccessApprovalRequestsReviewersUpdate,
-  TAccessApprovalRequestsUpdate,
   TApiKeys,
   TApiKeysInsert,
   TApiKeysUpdate,
   TAuditLogs,
   TAuditLogsInsert,
-  TAuditLogStreams,
-  TAuditLogStreamsInsert,
-  TAuditLogStreamsUpdate,
   TAuditLogsUpdate,
   TAuthTokens,
   TAuthTokenSessions,
@@ -59,15 +44,6 @@ import {
   TIdentityAccessTokens,
   TIdentityAccessTokensInsert,
   TIdentityAccessTokensUpdate,
-  TIdentityAwsAuths,
-  TIdentityAwsAuthsInsert,
-  TIdentityAwsAuthsUpdate,
-  TIdentityGcpAuths,
-  TIdentityGcpAuthsInsert,
-  TIdentityGcpAuthsUpdate,
-  TIdentityKubernetesAuths,
-  TIdentityKubernetesAuthsInsert,
-  TIdentityKubernetesAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -234,7 +210,6 @@ import {
   TWebhooksInsert,
   TWebhooksUpdate
 } from "@app/db/schemas";
-import { TSecretReferences, TSecretReferencesInsert, TSecretReferencesUpdate } from "@app/db/schemas/secret-references";
 
 declare module "knex/types/tables" {
   interface Tables {
@@ -308,11 +283,6 @@ declare module "knex/types/tables" {
     >;
     [TableName.ProjectKeys]: Knex.CompositeTableType<TProjectKeys, TProjectKeysInsert, TProjectKeysUpdate>;
     [TableName.Secret]: Knex.CompositeTableType<TSecrets, TSecretsInsert, TSecretsUpdate>;
-    [TableName.SecretReference]: Knex.CompositeTableType<
-      TSecretReferences,
-      TSecretReferencesInsert,
-      TSecretReferencesUpdate
-    >;
     [TableName.SecretBlindIndex]: Knex.CompositeTableType<
       TSecretBlindIndexes,
       TSecretBlindIndexesInsert,
@@ -341,21 +311,6 @@ declare module "knex/types/tables" {
       TIdentityUniversalAuthsInsert,
       TIdentityUniversalAuthsUpdate
     >;
-    [TableName.IdentityKubernetesAuth]: Knex.CompositeTableType<
-      TIdentityKubernetesAuths,
-      TIdentityKubernetesAuthsInsert,
-      TIdentityKubernetesAuthsUpdate
-    >;
-    [TableName.IdentityGcpAuth]: Knex.CompositeTableType<
-      TIdentityGcpAuths,
-      TIdentityGcpAuthsInsert,
-      TIdentityGcpAuthsUpdate
-    >;
-    [TableName.IdentityAwsAuth]: Knex.CompositeTableType<
-      TIdentityAwsAuths,
-      TIdentityAwsAuthsInsert,
-      TIdentityAwsAuthsUpdate
-    >;
     [TableName.IdentityUaClientSecret]: Knex.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,
@@ -386,31 +341,6 @@ declare module "knex/types/tables" {
       TIdentityProjectAdditionalPrivilegeInsert,
       TIdentityProjectAdditionalPrivilegeUpdate
     >;
-
-    [TableName.AccessApprovalPolicy]: Knex.CompositeTableType<
-      TAccessApprovalPolicies,
-      TAccessApprovalPoliciesInsert,
-      TAccessApprovalPoliciesUpdate
-    >;
-
-    [TableName.AccessApprovalPolicyApprover]: Knex.CompositeTableType<
-      TAccessApprovalPoliciesApprovers,
-      TAccessApprovalPoliciesApproversInsert,
-      TAccessApprovalPoliciesApproversUpdate
-    >;
-
-    [TableName.AccessApprovalRequest]: Knex.CompositeTableType<
-      TAccessApprovalRequests,
-      TAccessApprovalRequestsInsert,
-      TAccessApprovalRequestsUpdate
-    >;
-
-    [TableName.AccessApprovalRequestReviewer]: Knex.CompositeTableType<
-      TAccessApprovalRequestsReviewers,
-      TAccessApprovalRequestsReviewersInsert,
-      TAccessApprovalRequestsReviewersUpdate
-    >;
-
     [TableName.ScimToken]: Knex.CompositeTableType<TScimTokens, TScimTokensInsert, TScimTokensUpdate>;
     [TableName.SecretApprovalPolicy]: Knex.CompositeTableType<
       TSecretApprovalPolicies,
@@ -474,11 +404,6 @@ declare module "knex/types/tables" {
     [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
     [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
-    [TableName.AuditLogStream]: Knex.CompositeTableType<
-      TAuditLogStreams,
-      TAuditLogStreamsInsert,
-      TAuditLogStreamsUpdate
-    >;
     [TableName.GitAppInstallSession]: Knex.CompositeTableType<
       TGitAppInstallSessions,
       TGitAppInstallSessionsInsert,

backend/src/db/migrations/20240426181045_test.ts

@@ -0,0 +1,10 @@
+import { Knex } from "knex";
+
+
+export async function up(knex: Knex): Promise<void> {
+}
+
+
+export async function down(knex: Knex): Promise<void> {
+}
+

backend/src/db/migrations/20240429154610_audit-log-index.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist && doesCreatedAtExist) t.index(["projectId", "createdAt"]);
-      if (doesOrgIdExist && doesCreatedAtExist) t.index(["orgId", "createdAt"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  const doesCreatedAtExist = await knex.schema.hasColumn(TableName.AuditLog, "createdAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist && doesCreatedAtExist) t.dropIndex(["projectId", "createdAt"]);
-      if (doesOrgIdExist && doesCreatedAtExist) t.dropIndex(["orgId", "createdAt"]);
-    });
-  }
-}

backend/src/db/migrations/20240503101144_audit-log-stream.ts

@@ -1,28 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AuditLogStream))) {
-    await knex.schema.createTable(TableName.AuditLogStream, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("url").notNullable();
-      t.text("encryptedHeadersCiphertext");
-      t.text("encryptedHeadersIV");
-      t.text("encryptedHeadersTag");
-      t.string("encryptedHeadersAlgorithm");
-      t.string("encryptedHeadersKeyEncoding");
-      t.uuid("orgId").notNullable();
-      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.AuditLogStream);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await dropOnUpdateTrigger(knex, TableName.AuditLogStream);
-  await knex.schema.dropTableIfExists(TableName.AuditLogStream);
-}

backend/src/db/migrations/20240507032811_trusted-saml-ldap-emails.ts

@@ -1,54 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const isUsersTablePresent = await knex.schema.hasTable(TableName.Users);
-  if (isUsersTablePresent) {
-    const hasIsEmailVerifiedColumn = await knex.schema.hasColumn(TableName.Users, "isEmailVerified");
-
-    if (!hasIsEmailVerifiedColumn) {
-      await knex.schema.alterTable(TableName.Users, (t) => {
-        t.boolean("isEmailVerified").defaultTo(false);
-      });
-    }
-
-    // Backfilling the isEmailVerified to true where isAccepted is true
-    await knex(TableName.Users).update({ isEmailVerified: true }).where("isAccepted", true);
-  }
-
-  const isUserAliasTablePresent = await knex.schema.hasTable(TableName.UserAliases);
-  if (isUserAliasTablePresent) {
-    await knex.schema.alterTable(TableName.UserAliases, (t) => {
-      t.string("username").nullable().alter();
-    });
-  }
-
-  const isSuperAdminTablePresent = await knex.schema.hasTable(TableName.SuperAdmin);
-  if (isSuperAdminTablePresent) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.boolean("trustSamlEmails").defaultTo(false);
-      t.boolean("trustLdapEmails").defaultTo(false);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  if (await knex.schema.hasColumn(TableName.Users, "isEmailVerified")) {
-    await knex.schema.alterTable(TableName.Users, (t) => {
-      t.dropColumn("isEmailVerified");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustSamlEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustSamlEmails");
-    });
-  }
-
-  if (await knex.schema.hasColumn(TableName.SuperAdmin, "trustLdapEmails")) {
-    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
-      t.dropColumn("trustLdapEmails");
-    });
-  }
-}

backend/src/db/migrations/20240507162140_access-approval-policy.ts

@@ -1,41 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicy))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicy, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("name").notNullable();
-      t.integer("approvals").defaultTo(1).notNullable();
-      t.string("secretPath");
-
-      t.uuid("envId").notNullable();
-      t.foreign("envId").references("id").inTable(TableName.Environment).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-  }
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalPolicyApprover))) {
-    await knex.schema.createTable(TableName.AccessApprovalPolicyApprover, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("approverId").notNullable();
-      t.foreign("approverId").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-    await createOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicyApprover);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalPolicy);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicyApprover);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalPolicy);
-}

backend/src/db/migrations/20240507162141_access.ts

@@ -1,51 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequest))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequest, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-
-      t.uuid("policyId").notNullable();
-      t.foreign("policyId").references("id").inTable(TableName.AccessApprovalPolicy).onDelete("CASCADE");
-
-      t.uuid("privilegeId").nullable();
-      t.foreign("privilegeId").references("id").inTable(TableName.ProjectUserAdditionalPrivilege).onDelete("CASCADE");
-
-      t.uuid("requestedBy").notNullable();
-      t.foreign("requestedBy").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-
-      // We use these values to create the actual privilege at a later point in time.
-      t.boolean("isTemporary").notNullable();
-      t.string("temporaryRange").nullable();
-
-      t.jsonb("permissions").notNullable();
-
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-
-  if (!(await knex.schema.hasTable(TableName.AccessApprovalRequestReviewer))) {
-    await knex.schema.createTable(TableName.AccessApprovalRequestReviewer, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.uuid("member").notNullable();
-      t.foreign("member").references("id").inTable(TableName.ProjectMembership).onDelete("CASCADE");
-      t.string("status").notNullable();
-      t.uuid("requestId").notNullable();
-      t.foreign("requestId").references("id").inTable(TableName.AccessApprovalRequest).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-  }
-  await createOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequestReviewer);
-  await knex.schema.dropTableIfExists(TableName.AccessApprovalRequest);
-
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequestReviewer);
-  await dropOnUpdateTrigger(knex, TableName.AccessApprovalRequest);
-}

backend/src/db/migrations/20240507210655_identity-aws-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityAwsAuth))) {
-    await knex.schema.createTable(TableName.IdentityAwsAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("stsEndpoint").notNullable();
-      t.string("allowedPrincipalArns").notNullable();
-      t.string("allowedAccountIds").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityAwsAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityAwsAuth);
-}

backend/src/db/migrations/20240514041650_identity-gcp-auth.ts

@@ -1,30 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityGcpAuth))) {
-    await knex.schema.createTable(TableName.IdentityGcpAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("type").notNullable();
-      t.string("allowedServiceAccounts").notNullable();
-      t.string("allowedProjects").notNullable();
-      t.string("allowedZones").notNullable(); // GCE only (fully qualified zone names)
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityGcpAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityGcpAuth);
-}

backend/src/db/migrations/20240514141809_inline-secret-reference-sync.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.SecretReference))) {
-    await knex.schema.createTable(TableName.SecretReference, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.string("environment").notNullable();
-      t.string("secretPath").notNullable();
-      t.uuid("secretId").notNullable();
-      t.foreign("secretId").references("id").inTable(TableName.Secret).onDelete("CASCADE");
-      t.timestamps(true, true, true);
-    });
-
-    await createOnUpdateTrigger(knex, TableName.SecretReference);
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.SecretReference);
-  await dropOnUpdateTrigger(knex, TableName.SecretReference);
-}

backend/src/db/migrations/20240518142614_kubernetes-auth.ts

@@ -1,36 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
-
-export async function up(knex: Knex): Promise<void> {
-  if (!(await knex.schema.hasTable(TableName.IdentityKubernetesAuth))) {
-    await knex.schema.createTable(TableName.IdentityKubernetesAuth, (t) => {
-      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
-      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
-      t.jsonb("accessTokenTrustedIps").notNullable();
-      t.timestamps(true, true, true);
-      t.uuid("identityId").notNullable().unique();
-      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
-      t.string("kubernetesHost").notNullable();
-      t.text("encryptedCaCert").notNullable();
-      t.string("caCertIV").notNullable();
-      t.string("caCertTag").notNullable();
-      t.text("encryptedTokenReviewerJwt").notNullable();
-      t.string("tokenReviewerJwtIV").notNullable();
-      t.string("tokenReviewerJwtTag").notNullable();
-      t.string("allowedNamespaces").notNullable();
-      t.string("allowedNames").notNullable();
-      t.string("allowedAudience").notNullable();
-    });
-  }
-
-  await createOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists(TableName.IdentityKubernetesAuth);
-  await dropOnUpdateTrigger(knex, TableName.IdentityKubernetesAuth);
-}

backend/src/db/migrations/20240520064127_add-integration-sync-status.ts

@@ -1,43 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (!hasIsSyncedColumn) {
-      t.boolean("isSynced").nullable();
-    }
-
-    if (!hasSyncMessageColumn) {
-      t.text("syncMessage").nullable();
-    }
-
-    if (!hasLastSyncJobId) {
-      t.string("lastSyncJobId").nullable();
-    }
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const hasIsSyncedColumn = await knex.schema.hasColumn(TableName.Integration, "isSynced");
-  const hasSyncMessageColumn = await knex.schema.hasColumn(TableName.Integration, "syncMessage");
-  const hasLastSyncJobId = await knex.schema.hasColumn(TableName.Integration, "lastSyncJobId");
-
-  await knex.schema.alterTable(TableName.Integration, (t) => {
-    if (hasIsSyncedColumn) {
-      t.dropColumn("isSynced");
-    }
-
-    if (hasSyncMessageColumn) {
-      t.dropColumn("syncMessage");
-    }
-
-    if (hasLastSyncJobId) {
-      t.dropColumn("lastSyncJobId");
-    }
-  });
-}

backend/src/db/migrations/20240522193447_index-audit-logs-project-id-org-id.ts

@@ -1,26 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.index("projectId");
-      if (doesOrgIdExist) t.index("orgId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesOrgIdExist = await knex.schema.hasColumn(TableName.AuditLog, "orgId");
-  const doesProjectIdExist = await knex.schema.hasColumn(TableName.AuditLog, "projectId");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesProjectIdExist) t.dropIndex("projectId");
-      if (doesOrgIdExist) t.dropIndex("orgId");
-    });
-  }
-}

backend/src/db/migrations/20240522203425_index-secret-snapshot-secrets-envid.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "envId");
-
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522204414_index-secret-version-envId.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.index("envId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesEnvIdExist = await knex.schema.hasColumn(TableName.SecretVersion, "envId");
-
-  if (await knex.schema.hasTable(TableName.SecretVersion)) {
-    await knex.schema.alterTable(TableName.SecretVersion, (t) => {
-      if (doesEnvIdExist) t.dropIndex("envId");
-    });
-  }
-}

backend/src/db/migrations/20240522212706_secret-snapshot-secrets-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotSecret, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotSecret)) {
-    await knex.schema.alterTable(TableName.SnapshotSecret, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522221147_secret-snapshot-folder-index-on-snapshotId.ts

@@ -1,21 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.index("snapshotId");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesSnapshotIdExist = await knex.schema.hasColumn(TableName.SnapshotFolder, "snapshotId");
-  if (await knex.schema.hasTable(TableName.SnapshotFolder)) {
-    await knex.schema.alterTable(TableName.SnapshotFolder, (t) => {
-      if (doesSnapshotIdExist) t.dropIndex("snapshotId");
-    });
-  }
-}

backend/src/db/migrations/20240522225402_secrets-index-on-folder-id-user-id.ts

@@ -1,24 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesFolderIdExist && doesUserIdExist) t.index(["folderId", "userId"]);
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesFolderIdExist = await knex.schema.hasColumn(TableName.Secret, "folderId");
-  const doesUserIdExist = await knex.schema.hasColumn(TableName.Secret, "userId");
-
-  if (await knex.schema.hasTable(TableName.Secret)) {
-    await knex.schema.alterTable(TableName.Secret, (t) => {
-      if (doesUserIdExist && doesFolderIdExist) t.dropIndex(["folderId", "userId"]);
-    });
-  }
-}

backend/src/db/migrations/20240523003158_audit-log-add-expireAt-index.ts

@@ -1,22 +0,0 @@
-import { Knex } from "knex";
-
-import { TableName } from "../schemas";
-
-export async function up(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.index("expiresAt");
-    });
-  }
-}
-
-export async function down(knex: Knex): Promise<void> {
-  const doesExpireAtExist = await knex.schema.hasColumn(TableName.AuditLog, "expiresAt");
-
-  if (await knex.schema.hasTable(TableName.AuditLog)) {
-    await knex.schema.alterTable(TableName.AuditLog, (t) => {
-      if (doesExpireAtExist) t.dropIndex("expiresAt");
-    });
-  }
-}

backend/src/db/schemas/access-approval-policies-approvers.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalPoliciesApproversSchema = z.object({
-  id: z.string().uuid(),
-  approverId: z.string().uuid(),
-  policyId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalPoliciesApprovers = z.infer<typeof AccessApprovalPoliciesApproversSchema>;
-export type TAccessApprovalPoliciesApproversInsert = Omit<
-  z.input<typeof AccessApprovalPoliciesApproversSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalPoliciesApproversUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalPoliciesApproversSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests-reviewers.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsReviewersSchema = z.object({
-  id: z.string().uuid(),
-  member: z.string().uuid(),
-  status: z.string(),
-  requestId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequestsReviewers = z.infer<typeof AccessApprovalRequestsReviewersSchema>;
-export type TAccessApprovalRequestsReviewersInsert = Omit<
-  z.input<typeof AccessApprovalRequestsReviewersSchema>,
-  TImmutableDBKeys
->;
-export type TAccessApprovalRequestsReviewersUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsReviewersSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/access-approval-requests.ts

@@ -1,26 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AccessApprovalRequestsSchema = z.object({
-  id: z.string().uuid(),
-  policyId: z.string().uuid(),
-  privilegeId: z.string().uuid().nullable().optional(),
-  requestedBy: z.string().uuid(),
-  isTemporary: z.boolean(),
-  temporaryRange: z.string().nullable().optional(),
-  permissions: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAccessApprovalRequests = z.infer<typeof AccessApprovalRequestsSchema>;
-export type TAccessApprovalRequestsInsert = Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>;
-export type TAccessApprovalRequestsUpdate = Partial<
-  Omit<z.input<typeof AccessApprovalRequestsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/audit-log-streams.ts

@@ -1,25 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const AuditLogStreamsSchema = z.object({
-  id: z.string().uuid(),
-  url: z.string(),
-  encryptedHeadersCiphertext: z.string().nullable().optional(),
-  encryptedHeadersIV: z.string().nullable().optional(),
-  encryptedHeadersTag: z.string().nullable().optional(),
-  encryptedHeadersAlgorithm: z.string().nullable().optional(),
-  encryptedHeadersKeyEncoding: z.string().nullable().optional(),
-  orgId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TAuditLogStreams = z.infer<typeof AuditLogStreamsSchema>;
-export type TAuditLogStreamsInsert = Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>;
-export type TAuditLogStreamsUpdate = Partial<Omit<z.input<typeof AuditLogStreamsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-aws-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityAwsAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  stsEndpoint: z.string(),
-  allowedPrincipalArns: z.string(),
-  allowedAccountIds: z.string()
-});
-
-export type TIdentityAwsAuths = z.infer<typeof IdentityAwsAuthsSchema>;
-export type TIdentityAwsAuthsInsert = Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityAwsAuthsUpdate = Partial<Omit<z.input<typeof IdentityAwsAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-gcp-auths.ts

@@ -1,27 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityGcpAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  type: z.string(),
-  allowedServiceAccounts: z.string(),
-  allowedProjects: z.string(),
-  allowedZones: z.string()
-});
-
-export type TIdentityGcpAuths = z.infer<typeof IdentityGcpAuthsSchema>;
-export type TIdentityGcpAuthsInsert = Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityGcpAuthsUpdate = Partial<Omit<z.input<typeof IdentityGcpAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-kubernetes-auths.ts

@@ -1,35 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const IdentityKubernetesAuthsSchema = z.object({
-  id: z.string().uuid(),
-  accessTokenTTL: z.coerce.number().default(7200),
-  accessTokenMaxTTL: z.coerce.number().default(7200),
-  accessTokenNumUsesLimit: z.coerce.number().default(0),
-  accessTokenTrustedIps: z.unknown(),
-  createdAt: z.date(),
-  updatedAt: z.date(),
-  identityId: z.string().uuid(),
-  kubernetesHost: z.string(),
-  encryptedCaCert: z.string(),
-  caCertIV: z.string(),
-  caCertTag: z.string(),
-  encryptedTokenReviewerJwt: z.string(),
-  tokenReviewerJwtIV: z.string(),
-  tokenReviewerJwtTag: z.string(),
-  allowedNamespaces: z.string(),
-  allowedNames: z.string(),
-  allowedAudience: z.string()
-});
-
-export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
-export type TIdentityKubernetesAuthsInsert = Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>;
-export type TIdentityKubernetesAuthsUpdate = Partial<
-  Omit<z.input<typeof IdentityKubernetesAuthsSchema>, TImmutableDBKeys>
->;

backend/src/db/schemas/index.ts

@@ -1,9 +1,4 @@
-export * from "./access-approval-policies";
-export * from "./access-approval-policies-approvers";
-export * from "./access-approval-requests";
-export * from "./access-approval-requests-reviewers";
 export * from "./api-keys";
-export * from "./audit-log-streams";
 export * from "./audit-logs";
 export * from "./auth-token-sessions";
 export * from "./auth-tokens";
@@ -17,9 +12,6 @@ export * from "./group-project-memberships";
 export * from "./groups";
 export * from "./identities";
 export * from "./identity-access-tokens";
-export * from "./identity-aws-auths";
-export * from "./identity-gcp-auths";
-export * from "./identity-kubernetes-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";

backend/src/db/schemas/integrations.ts

@@ -28,10 +28,7 @@ export const IntegrationsSchema = z.object({
   secretPath: z.string().default("/"),
   createdAt: z.date(),
   updatedAt: z.date(),
-  lastUsed: z.date().nullable().optional(),
-  isSynced: z.boolean().nullable().optional(),
-  syncMessage: z.string().nullable().optional(),
-  lastSyncJobId: z.string().nullable().optional()
+  lastUsed: z.date().nullable().optional()
 });
 
 export type TIntegrations = z.infer<typeof IntegrationsSchema>;

backend/src/db/schemas/models.ts

@@ -28,7 +28,6 @@ export enum TableName {
   ProjectUserMembershipRole = "project_user_membership_roles",
   ProjectKeys = "project_keys",
   Secret = "secrets",
-  SecretReference = "secret_references",
   SecretBlindIndex = "secret_blind_indexes",
   SecretVersion = "secret_versions",
   SecretFolder = "secret_folders",
@@ -45,19 +44,12 @@ export enum TableName {
   Identity = "identities",
   IdentityAccessToken = "identity_access_tokens",
   IdentityUniversalAuth = "identity_universal_auths",
-  IdentityKubernetesAuth = "identity_kubernetes_auths",
-  IdentityGcpAuth = "identity_gcp_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
-  IdentityAwsAuth = "identity_aws_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
   IdentityProjectAdditionalPrivilege = "identity_project_additional_privilege",
   ScimToken = "scim_tokens",
-  AccessApprovalPolicy = "access_approval_policies",
-  AccessApprovalPolicyApprover = "access_approval_policies_approvers",
-  AccessApprovalRequest = "access_approval_requests",
-  AccessApprovalRequestReviewer = "access_approval_requests_reviewers",
   SecretApprovalPolicy = "secret_approval_policies",
   SecretApprovalPolicyApprover = "secret_approval_policies_approvers",
   SecretApprovalRequest = "secret_approval_requests",
@@ -70,7 +62,6 @@ export enum TableName {
   LdapConfig = "ldap_configs",
   LdapGroupMap = "ldap_group_maps",
   AuditLog = "audit_logs",
-  AuditLogStream = "audit_log_streams",
   GitAppInstallSession = "git_app_install_sessions",
   GitAppOrg = "git_app_org",
   SecretScanningGitRisk = "secret_scanning_git_risks",
@@ -146,8 +137,5 @@ export enum ProjectUpgradeStatus {
 }
 
 export enum IdentityAuthMethod {
-  Univeral = "universal-auth",
-  KUBERNETES_AUTH = "kubernetes-auth",
-  GCP_AUTH = "gcp-auth",
-  AWS_AUTH = "aws-auth"
+  Univeral = "universal-auth"
 }

backend/src/db/schemas/secret-references.ts

@@ -1,21 +0,0 @@
-// Code generated by automation script, DO NOT EDIT.
-// Automated by pulling database and generating zod schema
-// To update. Just run npm run generate:schema
-// Written by akhilmhdh.
-
-import { z } from "zod";
-
-import { TImmutableDBKeys } from "./models";
-
-export const SecretReferencesSchema = z.object({
-  id: z.string().uuid(),
-  environment: z.string(),
-  secretPath: z.string(),
-  secretId: z.string().uuid(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});
-
-export type TSecretReferences = z.infer<typeof SecretReferencesSchema>;
-export type TSecretReferencesInsert = Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>;
-export type TSecretReferencesUpdate = Partial<Omit<z.input<typeof SecretReferencesSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/super-admin.ts

@@ -14,9 +14,7 @@ export const SuperAdminSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   allowedSignUpDomain: z.string().nullable().optional(),
-  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
-  trustSamlEmails: z.boolean().default(false).nullable().optional(),
-  trustLdapEmails: z.boolean().default(false).nullable().optional()
+  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000")
 });
 
 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;

backend/src/db/schemas/user-aliases.ts

@@ -10,7 +10,7 @@ import { TImmutableDBKeys } from "./models";
 export const UserAliasesSchema = z.object({
   id: z.string().uuid(),
   userId: z.string().uuid(),
-  username: z.string().nullable().optional(),
+  username: z.string(),
   aliasType: z.string(),
   externalId: z.string(),
   emails: z.string().array().nullable().optional(),

backend/src/db/schemas/users.ts

@@ -21,8 +21,7 @@ export const UsersSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   isGhost: z.boolean().default(false),
-  username: z.string(),
-  isEmailVerified: z.boolean().default(false).nullable().optional()
+  username: z.string()
 });
 
 export type TUsers = z.infer<typeof UsersSchema>;

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,168 +0,0 @@
-import { nanoid } from "nanoid";
-import { z } from "zod";
-
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z
-        .object({
-          projectSlug: z.string().trim(),
-          name: z.string().optional(),
-          secretPath: z.string().trim().default("/"),
-          environment: z.string(),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approval = await server.services.accessApprovalPolicy.createAccessApprovalPolicy({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
-      });
-      return { approval };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          approvals: sapPubSchema.extend({ approvers: z.string().array(), secretPath: z.string().optional() }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approvals = await server.services.accessApprovalPolicy.getAccessApprovalPolicyByProjectSlug({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectSlug: req.query.projectSlug
-      });
-      return { approvals };
-    }
-  });
-
-  server.route({
-    url: "/count",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string(),
-        envSlug: z.string()
-      }),
-      response: {
-        200: z.object({
-          count: z.number()
-        })
-      }
-    },
-
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { count } = await server.services.accessApprovalPolicy.getAccessPolicyCountByEnvSlug({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        projectSlug: req.query.projectSlug,
-        actorOrgId: req.permission.orgId,
-        envSlug: req.query.envSlug
-      });
-      return { count };
-    }
-  });
-
-  server.route({
-    url: "/:policyId",
-    method: "PATCH",
-    schema: {
-      params: z.object({
-        policyId: z.string()
-      }),
-      body: z
-        .object({
-          name: z.string().optional(),
-          secretPath: z
-            .string()
-            .trim()
-            .optional()
-            .transform((val) => (val === "" ? "/" : val)),
-          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
-        })
-        .refine((data) => data.approvals <= data.approvers.length, {
-          path: ["approvals"],
-          message: "The number of approvals should be lower than the number of approvers."
-        }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      await server.services.accessApprovalPolicy.updateAccessApprovalPolicy({
-        policyId: req.params.policyId,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body
-      });
-    }
-  });
-
-  server.route({
-    url: "/:policyId",
-    method: "DELETE",
-    schema: {
-      params: z.object({
-        policyId: z.string()
-      }),
-      response: {
-        200: z.object({
-          approval: sapPubSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const approval = await server.services.accessApprovalPolicy.deleteAccessApprovalPolicy({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        policyId: req.params.policyId
-      });
-      return { approval };
-    }
-  });
-};

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -1,160 +0,0 @@
-import { z } from "zod";
-
-import { AccessApprovalRequestsReviewersSchema, AccessApprovalRequestsSchema } from "@app/db/schemas";
-import { ApprovalStatus } from "@app/ee/services/access-approval-request/access-approval-request-types";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerAccessApprovalRequestRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    url: "/",
-    method: "POST",
-    schema: {
-      body: z.object({
-        permissions: z.any().array(),
-        isTemporary: z.boolean(),
-        temporaryRange: z.string().optional()
-      }),
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          approval: AccessApprovalRequestsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { request } = await server.services.accessApprovalRequest.createAccessApprovalRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        permissions: req.body.permissions,
-        actorOrgId: req.permission.orgId,
-        projectSlug: req.query.projectSlug,
-        temporaryRange: req.body.temporaryRange,
-        isTemporary: req.body.isTemporary
-      });
-      return { approval: request };
-    }
-  });
-
-  server.route({
-    url: "/count",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          pendingCount: z.number(),
-          finalizedCount: z.number()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { count } = await server.services.accessApprovalRequest.getCount({
-        projectSlug: req.query.projectSlug,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      return { ...count };
-    }
-  });
-
-  server.route({
-    url: "/",
-    method: "GET",
-    schema: {
-      querystring: z.object({
-        projectSlug: z.string().trim(),
-        authorProjectMembershipId: z.string().trim().optional(),
-        envSlug: z.string().trim().optional()
-      }),
-      response: {
-        200: z.object({
-          requests: AccessApprovalRequestsSchema.extend({
-            environmentName: z.string(),
-            isApproved: z.boolean(),
-            privilege: z
-              .object({
-                membershipId: z.string(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().nullish(),
-                temporaryRange: z.string().nullish(),
-                temporaryAccessStartTime: z.date().nullish(),
-                temporaryAccessEndTime: z.date().nullish(),
-                permissions: z.unknown()
-              })
-              .nullable(),
-            policy: z.object({
-              id: z.string(),
-              name: z.string(),
-              approvals: z.number(),
-              approvers: z.string().array(),
-              secretPath: z.string().nullish(),
-              envId: z.string()
-            }),
-            reviewers: z
-              .object({
-                member: z.string(),
-                status: z.string()
-              })
-              .array()
-          }).array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const { requests } = await server.services.accessApprovalRequest.listApprovalRequests({
-        projectSlug: req.query.projectSlug,
-        authorProjectMembershipId: req.query.authorProjectMembershipId,
-        envSlug: req.query.envSlug,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      return { requests };
-    }
-  });
-
-  server.route({
-    url: "/:requestId/review",
-    method: "POST",
-    schema: {
-      params: z.object({
-        requestId: z.string().trim()
-      }),
-      body: z.object({
-        status: z.enum([ApprovalStatus.APPROVED, ApprovalStatus.REJECTED])
-      }),
-      response: {
-        200: z.object({
-          review: AccessApprovalRequestsReviewersSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT]),
-    handler: async (req) => {
-      const review = await server.services.accessApprovalRequest.reviewAccessRequest({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        requestId: req.params.requestId,
-        status: req.body.status
-      });
-
-      return { review };
-    }
-  });
-};

backend/src/ee/routes/v1/audit-log-stream-router.ts

@@ -1,215 +0,0 @@
-import { z } from "zod";
-
-import { AUDIT_LOG_STREAMS } from "@app/lib/api-docs";
-import { readLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { SanitizedAuditLogStreamSchema } from "@app/server/routes/sanitizedSchemas";
-import { AuthMode } from "@app/services/auth/auth-type";
-
-export const registerAuditLogStreamRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Create an Audit Log Stream.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      body: z.object({
-        url: z.string().min(1).describe(AUDIT_LOG_STREAMS.CREATE.url),
-        headers: z
-          .object({
-            key: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.CREATE.headers.key),
-            value: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.CREATE.headers.value)
-          })
-          .describe(AUDIT_LOG_STREAMS.CREATE.headers.desc)
-          .array()
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          auditLogStream: SanitizedAuditLogStreamSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const auditLogStream = await server.services.auditLogStream.create({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        url: req.body.url,
-        headers: req.body.headers
-      });
-
-      return { auditLogStream };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Update an Audit Log Stream by ID.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().describe(AUDIT_LOG_STREAMS.UPDATE.id)
-      }),
-      body: z.object({
-        url: z.string().optional().describe(AUDIT_LOG_STREAMS.UPDATE.url),
-        headers: z
-          .object({
-            key: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.UPDATE.headers.key),
-            value: z.string().min(1).trim().describe(AUDIT_LOG_STREAMS.UPDATE.headers.value)
-          })
-          .describe(AUDIT_LOG_STREAMS.UPDATE.headers.desc)
-          .array()
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          auditLogStream: SanitizedAuditLogStreamSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const auditLogStream = await server.services.auditLogStream.updateById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.id,
-        url: req.body.url,
-        headers: req.body.headers
-      });
-
-      return { auditLogStream };
-    }
-  });
-
-  server.route({
-    method: "DELETE",
-    url: "/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Delete an Audit Log Stream by ID.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().describe(AUDIT_LOG_STREAMS.DELETE.id)
-      }),
-      response: {
-        200: z.object({
-          auditLogStream: SanitizedAuditLogStreamSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const auditLogStream = await server.services.auditLogStream.deleteById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.id
-      });
-
-      return { auditLogStream };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/:id",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Get an Audit Log Stream by ID.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        id: z.string().describe(AUDIT_LOG_STREAMS.GET_BY_ID.id)
-      }),
-      response: {
-        200: z.object({
-          auditLogStream: SanitizedAuditLogStreamSchema.extend({
-            headers: z
-              .object({
-                key: z.string(),
-                value: z.string()
-              })
-              .array()
-              .optional()
-          })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const auditLogStream = await server.services.auditLogStream.getById({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        id: req.params.id
-      });
-
-      return { auditLogStream };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "List Audit Log Streams.",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      response: {
-        200: z.object({
-          auditLogStreams: SanitizedAuditLogStreamSchema.array()
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const auditLogStreams = await server.services.auditLogStream.list({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      return { auditLogStreams };
-    }
-  });
-};

backend/src/ee/routes/v1/identity-project-additional-privilege-router.ts

@@ -1,14 +1,16 @@
-import { packRules } from "@casl/ability/extra";
+import { MongoAbility, RawRuleOf } from "@casl/ability";
+import { PackRule, packRules, unpackRules } from "@casl/ability/extra";
 import slugify from "@sindresorhus/slugify";
 import ms from "ms";
 import { z } from "zod";
 
+import { IdentityProjectAdditionalPrivilegeSchema } from "@app/db/schemas";
 import { IdentityProjectAdditionalPrivilegeTemporaryMode } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-types";
+import { ProjectPermissionSet } from "@app/ee/services/permission/project-permission";
 import { IDENTITY_ADDITIONAL_PRIVILEGE } from "@app/lib/api-docs";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ProjectPermissionSchema, SanitizedIdentityPrivilegeSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: FastifyZodProvider) => {
@@ -39,11 +41,11 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions)
       }),
       response: {
         200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
         })
       }
     },
@@ -90,7 +92,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
           })
           .optional()
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.slug),
-        permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
+        permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.permissions),
         temporaryMode: z
           .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
           .describe(IDENTITY_ADDITIONAL_PRIVILEGE.CREATE.temporaryMode),
@@ -105,7 +107,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
         })
       }
     },
@@ -155,7 +157,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
                 message: "Slug must be a valid slug"
               })
               .describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.newSlug),
-            permissions: ProjectPermissionSchema.array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
+            permissions: z.any().array().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.permissions),
             isTemporary: z.boolean().describe(IDENTITY_ADDITIONAL_PRIVILEGE.UPDATE.isTemporary),
             temporaryMode: z
               .nativeEnum(IdentityProjectAdditionalPrivilegeTemporaryMode)
@@ -173,7 +175,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
         })
       }
     },
@@ -217,7 +219,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
         })
       }
     },
@@ -258,7 +260,7 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       }),
       response: {
         200: z.object({
-          privilege: SanitizedIdentityPrivilegeSchema
+          privilege: IdentityProjectAdditionalPrivilegeSchema
         })
       }
     },
@@ -291,11 +293,16 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
       ],
       querystring: z.object({
         identityId: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.identityId),
-        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug)
+        projectSlug: z.string().min(1).describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.projectSlug),
+        unpacked: z
+          .enum(["false", "true"])
+          .transform((el) => el === "true")
+          .default("true")
+          .describe(IDENTITY_ADDITIONAL_PRIVILEGE.LIST.unpacked)
       }),
       response: {
         200: z.object({
-          privileges: SanitizedIdentityPrivilegeSchema.array()
+          privileges: IdentityProjectAdditionalPrivilegeSchema.array()
         })
       }
     },
@@ -308,9 +315,15 @@ export const registerIdentityProjectAdditionalPrivilegeRouter = async (server: F
         actorOrgId: req.permission.orgId,
         ...req.query
       });
-      return {
-        privileges
-      };
+      if (req.query.unpacked) {
+        return {
+          privileges: privileges.map(({ permissions, ...el }) => ({
+            ...el,
+            permissions: unpackRules(permissions as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
+          }))
+        };
+      }
+      return { privileges };
     }
   });
 };

backend/src/ee/routes/v1/index.ts

@@ -1,6 +1,3 @@
-import { registerAccessApprovalPolicyRouter } from "./access-approval-policy-router";
-import { registerAccessApprovalRequestRouter } from "./access-approval-request-router";
-import { registerAuditLogStreamRouter } from "./audit-log-stream-router";
 import { registerDynamicSecretLeaseRouter } from "./dynamic-secret-lease-router";
 import { registerDynamicSecretRouter } from "./dynamic-secret-router";
 import { registerGroupRouter } from "./group-router";
@@ -43,9 +40,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
     prefix: "/secret-rotation-providers"
   });
 
-  await server.register(registerAccessApprovalPolicyRouter, { prefix: "/access-approvals/policies" });
-  await server.register(registerAccessApprovalRequestRouter, { prefix: "/access-approvals/requests" });
-
   await server.register(
     async (dynamicSecretRouter) => {
       await dynamicSecretRouter.register(registerDynamicSecretRouter);
@@ -61,7 +55,6 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
-  await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });
   await server.register(
     async (privilegeRouter) => {
       await privilegeRouter.register(registerUserAdditionalPrivilegeRouter, { prefix: "/users" });

backend/src/ee/routes/v1/ldap-router.ts

@@ -18,7 +18,6 @@ import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
 import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
 import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -53,7 +52,6 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req: IncomingMessage, user, cb) => {
         try {
-          if (!user.email) throw new BadRequestError({ message: "Invalid request. Missing email." });
           const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
 
           let groups: { dn: string; cn: string }[] | undefined;
@@ -76,7 +74,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
             username: user.uid,
             firstName: user.givenName ?? user.cn ?? "",
             lastName: user.sn ?? "",
-            email: user.mail,
+            emails: user.mail ? [user.mail] : [],
             groups,
             relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
             orgId: (req as unknown as FastifyRequest).ldapConfig.organization

backend/src/ee/routes/v1/saml-router.ts

@@ -102,12 +102,12 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
           if (!profile) throw new BadRequestError({ message: "Missing profile" });
           const email = profile?.email ?? (profile?.emailAddress as string); // emailRippling is added because in Rippling the field `email` reserved
 
-          if (!email || !profile.firstName) {
+          if (!profile.email || !profile.firstName) {
             throw new BadRequestError({ message: "Invalid request. Missing email or first name" });
           }
 
           const { isUserCompleted, providerAuthToken } = await server.services.saml.samlLogin({
-            externalId: profile.nameID,
+            username: profile.nameID ?? email,
             email,
             firstName: profile.firstName as string,
             lastName: profile.lastName as string,

backend/src/ee/routes/v1/scim-router.ts

@@ -153,7 +153,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const users = await req.server.services.scim.listScimUsers({
-        startIndex: req.query.startIndex,
+        offset: req.query.startIndex,
         limit: req.query.count,
         filter: req.query.filter,
         orgId: req.permission.orgId
@@ -163,11 +163,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
     method: "GET",
     schema: {
       params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
       }),
       response: {
         201: z.object({
@@ -193,7 +193,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.getScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
         orgId: req.permission.orgId
       });
       return user;
@@ -249,7 +249,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
       const primaryEmail = req.body.emails?.find((email) => email.primary)?.value;
 
       const user = await req.server.services.scim.createScimUser({
-        externalId: req.body.userName,
+        username: req.body.userName,
         email: primaryEmail,
         firstName: req.body.name.givenName,
         lastName: req.body.name.familyName,
@@ -261,11 +261,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
     method: "DELETE",
     schema: {
       params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
       }),
       response: {
         200: z.object({})
@@ -274,7 +274,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.deleteScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
         orgId: req.permission.orgId
       });
 
@@ -361,7 +361,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     handler: async (req) => {
       const groups = await req.server.services.scim.listScimGroups({
         orgId: req.permission.orgId,
-        startIndex: req.query.startIndex,
+        offset: req.query.startIndex,
         limit: req.query.count
       });
 
@@ -416,10 +416,10 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(), // infisical orgMembershipId
+            value: z.string(), // infisical userId
             display: z.string()
           })
-        )
+        ) // note: is this where members are added to group?
       }),
       response: {
         200: z.object({
@@ -534,11 +534,11 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
   });
 
   server.route({
-    url: "/Users/:orgMembershipId",
+    url: "/Users/:userId",
     method: "PUT",
     schema: {
       params: z.object({
-        orgMembershipId: z.string().trim()
+        userId: z.string().trim()
       }),
       body: z.object({
         schemas: z.array(z.string()),
@@ -575,7 +575,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.SCIM_TOKEN]),
     handler: async (req) => {
       const user = await req.server.services.scim.replaceScimUser({
-        orgMembershipId: req.params.orgMembershipId,
+        userId: req.params.userId,
         orgId: req.permission.orgId,
         active: req.body.active
       });

backend/src/ee/services/access-approval-policy/access-approval-policy-approver-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyApproverDALFactory = ReturnType<typeof accessApprovalPolicyApproverDALFactory>;
-
-export const accessApprovalPolicyApproverDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyApproverOrm = ormify(db, TableName.AccessApprovalPolicyApprover);
-  return { ...accessApprovalPolicyApproverOrm };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-dal.ts

@@ -1,76 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { TableName, TAccessApprovalPolicies } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { buildFindFilter, mergeOneToManyRelation, ormify, selectAllTableCols, TFindFilter } from "@app/lib/knex";
-
-export type TAccessApprovalPolicyDALFactory = ReturnType<typeof accessApprovalPolicyDALFactory>;
-
-export const accessApprovalPolicyDALFactory = (db: TDbClient) => {
-  const accessApprovalPolicyOrm = ormify(db, TableName.AccessApprovalPolicy);
-
-  const accessApprovalPolicyFindQuery = async (tx: Knex, filter: TFindFilter<TAccessApprovalPolicies>) => {
-    const result = await tx(TableName.AccessApprovalPolicy)
-      // eslint-disable-next-line
-      .where(buildFindFilter(filter))
-      .join(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .join(
-        TableName.AccessApprovalPolicyApprover,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyApprover}.policyId`
-      )
-      .select(tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
-      .select(tx.ref("name").withSchema(TableName.Environment).as("envName"))
-      .select(tx.ref("slug").withSchema(TableName.Environment).as("envSlug"))
-      .select(tx.ref("id").withSchema(TableName.Environment).as("envId"))
-      .select(tx.ref("projectId").withSchema(TableName.Environment))
-      .select(selectAllTableCols(TableName.AccessApprovalPolicy));
-
-    return result;
-  };
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const doc = await accessApprovalPolicyFindQuery(tx || db, {
-        [`${TableName.AccessApprovalPolicy}.id` as "id"]: id
-      });
-      const formatedDoc = mergeOneToManyRelation(
-        doc,
-        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
-          ...el,
-          envId,
-          environment: { id: envId, name, slug }
-        }),
-        ({ approverId }) => approverId,
-        "approvers"
-      );
-      return formatedDoc?.[0];
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindById" });
-    }
-  };
-
-  const find = async (filter: TFindFilter<TAccessApprovalPolicies & { projectId: string }>, tx?: Knex) => {
-    try {
-      const docs = await accessApprovalPolicyFindQuery(tx || db, filter);
-      const formatedDoc = mergeOneToManyRelation(
-        docs,
-        "id",
-        ({ approverId, envId, envName: name, envSlug: slug, ...el }) => ({
-          ...el,
-          envId,
-          environment: { id: envId, name, slug }
-        }),
-        ({ approverId }) => approverId,
-        "approvers"
-      );
-      return formatedDoc.map((policy) => ({ ...policy, secretPath: policy.secretPath || undefined }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "Find" });
-    }
-  };
-
-  return { ...accessApprovalPolicyOrm, find, findById };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-fns.ts

@@ -1,36 +0,0 @@
-import { ForbiddenError, subject } from "@casl/ability";
-
-import { BadRequestError } from "@app/lib/errors";
-import { ActorType } from "@app/services/auth/auth-type";
-
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
-import { TVerifyApprovers } from "./access-approval-policy-types";
-
-export const verifyApprovers = async ({
-  userIds,
-  projectId,
-  orgId,
-  envSlug,
-  actorAuthMethod,
-  secretPath,
-  permissionService
-}: TVerifyApprovers) => {
-  for await (const userId of userIds) {
-    try {
-      const { permission: approverPermission } = await permissionService.getProjectPermission(
-        ActorType.USER,
-        userId,
-        projectId,
-        actorAuthMethod,
-        orgId
-      );
-
-      ForbiddenError.from(approverPermission).throwUnlessCan(
-        ProjectPermissionActions.Create,
-        subject(ProjectPermissionSub.Secrets, { environment: envSlug, secretPath })
-      );
-    } catch (err) {
-      throw new BadRequestError({ message: "One or more approvers doesn't have access to be specified secret path" });
-    }
-  }
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -1,273 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-
-import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
-import { BadRequestError } from "@app/lib/errors";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-
-import { TAccessApprovalPolicyApproverDALFactory } from "./access-approval-policy-approver-dal";
-import { TAccessApprovalPolicyDALFactory } from "./access-approval-policy-dal";
-import { verifyApprovers } from "./access-approval-policy-fns";
-import {
-  TCreateAccessApprovalPolicy,
-  TDeleteAccessApprovalPolicy,
-  TGetAccessPolicyCountByEnvironmentDTO,
-  TListAccessApprovalPoliciesDTO,
-  TUpdateAccessApprovalPolicy
-} from "./access-approval-policy-types";
-
-type TSecretApprovalPolicyServiceFactoryDep = {
-  projectDAL: TProjectDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalPolicyDAL: TAccessApprovalPolicyDALFactory;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "find" | "findOne">;
-  accessApprovalPolicyApproverDAL: TAccessApprovalPolicyApproverDALFactory;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find">;
-};
-
-export type TAccessApprovalPolicyServiceFactory = ReturnType<typeof accessApprovalPolicyServiceFactory>;
-
-export const accessApprovalPolicyServiceFactory = ({
-  accessApprovalPolicyDAL,
-  accessApprovalPolicyApproverDAL,
-  permissionService,
-  projectEnvDAL,
-  projectDAL,
-  projectMembershipDAL
-}: TSecretApprovalPolicyServiceFactoryDep) => {
-  const createAccessApprovalPolicy = async ({
-    name,
-    actor,
-    actorId,
-    actorOrgId,
-    secretPath,
-    actorAuthMethod,
-    approvals,
-    approvers,
-    projectSlug,
-    environment
-  }: TCreateAccessApprovalPolicy) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    if (approvals > approvers.length)
-      throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Create,
-      ProjectPermissionSub.SecretApproval
-    );
-    const env = await projectEnvDAL.findOne({ slug: environment, projectId: project.id });
-    if (!env) throw new BadRequestError({ message: "Environment not found" });
-
-    const secretApprovers = await projectMembershipDAL.find({
-      projectId: project.id,
-      $in: { id: approvers }
-    });
-
-    if (secretApprovers.length !== approvers.length) {
-      throw new BadRequestError({ message: "Approver not found in project" });
-    }
-
-    await verifyApprovers({
-      projectId: project.id,
-      orgId: actorOrgId,
-      envSlug: environment,
-      secretPath,
-      actorAuthMethod,
-      permissionService,
-      userIds: secretApprovers.map((approver) => approver.userId)
-    });
-
-    const accessApproval = await accessApprovalPolicyDAL.transaction(async (tx) => {
-      const doc = await accessApprovalPolicyDAL.create(
-        {
-          envId: env.id,
-          approvals,
-          secretPath,
-          name
-        },
-        tx
-      );
-      await accessApprovalPolicyApproverDAL.insertMany(
-        secretApprovers.map(({ id }) => ({
-          approverId: id,
-          policyId: doc.id
-        })),
-        tx
-      );
-      return doc;
-    });
-    return { ...accessApproval, environment: env, projectId: project.id };
-  };
-
-  const getAccessApprovalPolicyByProjectSlug = async ({
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug
-  }: TListAccessApprovalPoliciesDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    // Anyone in the project should be able to get the policies.
-    /* const { permission } = */ await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    // ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
-
-    const accessApprovalPolicies = await accessApprovalPolicyDAL.find({ projectId: project.id });
-    return accessApprovalPolicies;
-  };
-
-  const updateAccessApprovalPolicy = async ({
-    policyId,
-    approvers,
-    secretPath,
-    name,
-    actorId,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    approvals
-  }: TUpdateAccessApprovalPolicy) => {
-    const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      accessApprovalPolicy.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
-
-    const updatedPolicy = await accessApprovalPolicyDAL.transaction(async (tx) => {
-      const doc = await accessApprovalPolicyDAL.updateById(
-        accessApprovalPolicy.id,
-        {
-          approvals,
-          secretPath,
-          name
-        },
-        tx
-      );
-      if (approvers) {
-        // Find the workspace project memberships of the users passed in the approvers array
-        const secretApprovers = await projectMembershipDAL.find(
-          {
-            projectId: accessApprovalPolicy.projectId,
-            $in: { id: approvers }
-          },
-          { tx }
-        );
-
-        await verifyApprovers({
-          projectId: accessApprovalPolicy.projectId,
-          orgId: actorOrgId,
-          envSlug: accessApprovalPolicy.environment.slug,
-          secretPath: doc.secretPath!,
-          actorAuthMethod,
-          permissionService,
-          userIds: secretApprovers.map((approver) => approver.userId)
-        });
-
-        if (secretApprovers.length !== approvers.length)
-          throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
-        await accessApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
-        await accessApprovalPolicyApproverDAL.insertMany(
-          secretApprovers.map(({ id }) => ({
-            approverId: id,
-            policyId: doc.id
-          })),
-          tx
-        );
-      }
-      return doc;
-    });
-    return {
-      ...updatedPolicy,
-      environment: accessApprovalPolicy.environment,
-      projectId: accessApprovalPolicy.projectId
-    };
-  };
-
-  const deleteAccessApprovalPolicy = async ({
-    policyId,
-    actor,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TDeleteAccessApprovalPolicy) => {
-    const policy = await accessApprovalPolicyDAL.findById(policyId);
-    if (!policy) throw new BadRequestError({ message: "Secret approval policy not found" });
-
-    const { permission } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      policy.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(
-      ProjectPermissionActions.Delete,
-      ProjectPermissionSub.SecretApproval
-    );
-
-    await accessApprovalPolicyDAL.deleteById(policyId);
-    return policy;
-  };
-
-  const getAccessPolicyCountByEnvSlug = async ({
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug,
-    actorId,
-    envSlug
-  }: TGetAccessPolicyCountByEnvironmentDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-
-    if (!project) throw new BadRequestError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
-
-    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-    if (!environment) throw new BadRequestError({ message: "Environment not found" });
-
-    const policies = await accessApprovalPolicyDAL.find({ envId: environment.id, projectId: project.id });
-    if (!policies) throw new BadRequestError({ message: "No policies found" });
-
-    return { count: policies.length };
-  };
-
-  return {
-    getAccessPolicyCountByEnvSlug,
-    createAccessApprovalPolicy,
-    deleteAccessApprovalPolicy,
-    updateAccessApprovalPolicy,
-    getAccessApprovalPolicyByProjectSlug
-  };
-};

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -1,44 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-import { ActorAuthMethod } from "@app/services/auth/auth-type";
-
-import { TPermissionServiceFactory } from "../permission/permission-service";
-
-export type TVerifyApprovers = {
-  userIds: string[];
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  envSlug: string;
-  actorAuthMethod: ActorAuthMethod;
-  secretPath: string;
-  projectId: string;
-  orgId: string;
-};
-
-export type TCreateAccessApprovalPolicy = {
-  approvals: number;
-  secretPath: string;
-  environment: string;
-  approvers: string[];
-  projectSlug: string;
-  name: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TUpdateAccessApprovalPolicy = {
-  policyId: string;
-  approvals?: number;
-  approvers?: string[];
-  secretPath?: string;
-  name?: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TDeleteAccessApprovalPolicy = {
-  policyId: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TGetAccessPolicyCountByEnvironmentDTO = {
-  envSlug: string;
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListAccessApprovalPoliciesDTO = {
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -1,266 +0,0 @@
-import { Knex } from "knex";
-
-import { TDbClient } from "@app/db";
-import { AccessApprovalRequestsSchema, TableName, TAccessApprovalRequests } from "@app/db/schemas";
-import { DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols, sqlNestRelationships, TFindFilter } from "@app/lib/knex";
-
-import { ApprovalStatus } from "./access-approval-request-types";
-
-export type TAccessApprovalRequestDALFactory = ReturnType<typeof accessApprovalRequestDALFactory>;
-
-export const accessApprovalRequestDALFactory = (db: TDbClient) => {
-  const accessApprovalRequestOrm = ormify(db, TableName.AccessApprovalRequest);
-
-  const findRequestsWithPrivilegeByPolicyIds = async (policyIds: string[]) => {
-    try {
-      const docs = await db(TableName.AccessApprovalRequest)
-        .whereIn(`${TableName.AccessApprovalRequest}.policyId`, policyIds)
-
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.privilegeId`,
-          `${TableName.ProjectUserAdditionalPrivilege}.id`
-        )
-        .leftJoin(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalRequest}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-
-        .leftJoin(
-          TableName.AccessApprovalRequestReviewer,
-          `${TableName.AccessApprovalRequest}.id`,
-          `${TableName.AccessApprovalRequestReviewer}.requestId`
-        )
-        .leftJoin(
-          TableName.AccessApprovalPolicyApprover,
-          `${TableName.AccessApprovalPolicy}.id`,
-          `${TableName.AccessApprovalPolicyApprover}.policyId`
-        )
-
-        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-
-        .select(selectAllTableCols(TableName.AccessApprovalRequest))
-        .select(
-          db.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
-          db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
-          db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-          db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-          db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
-        )
-
-        .select(db.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover))
-
-        .select(
-          db.ref("projectId").withSchema(TableName.Environment),
-          db.ref("slug").withSchema(TableName.Environment).as("envSlug"),
-          db.ref("name").withSchema(TableName.Environment).as("envName")
-        )
-
-        .select(
-          db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
-          db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus")
-        )
-
-        .select(
-          db
-            .ref("projectMembershipId")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeMembershipId"),
-          db.ref("isTemporary").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeIsTemporary"),
-          db.ref("temporaryMode").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryMode"),
-          db.ref("temporaryRange").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegeTemporaryRange"),
-          db
-            .ref("temporaryAccessStartTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessStartTime"),
-          db
-            .ref("temporaryAccessEndTime")
-            .withSchema(TableName.ProjectUserAdditionalPrivilege)
-            .as("privilegeTemporaryAccessEndTime"),
-
-          db.ref("permissions").withSchema(TableName.ProjectUserAdditionalPrivilege).as("privilegePermissions")
-        )
-        .orderBy(`${TableName.AccessApprovalRequest}.createdAt`, "desc");
-
-      const formattedDocs = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc),
-          projectId: doc.projectId,
-          environment: doc.envSlug,
-          environmentName: doc.envName,
-          policy: {
-            id: doc.policyId,
-            name: doc.policyName,
-            approvals: doc.policyApprovals,
-            secretPath: doc.policySecretPath,
-            envId: doc.policyEnvId
-          },
-          privilege: doc.privilegeId
-            ? {
-                membershipId: doc.privilegeMembershipId,
-                isTemporary: doc.privilegeIsTemporary,
-                temporaryMode: doc.privilegeTemporaryMode,
-                temporaryRange: doc.privilegeTemporaryRange,
-                temporaryAccessStartTime: doc.privilegeTemporaryAccessStartTime,
-                temporaryAccessEndTime: doc.privilegeTemporaryAccessEndTime,
-                permissions: doc.privilegePermissions
-              }
-            : null,
-
-          isApproved: !!doc.privilegeId
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerMemberId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
-          },
-          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
-        ]
-      });
-
-      if (!formattedDocs) return [];
-
-      return formattedDocs.map((doc) => ({
-        ...doc,
-        policy: { ...doc.policy, approvers: doc.approvers }
-      }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindRequestsWithPrivilege" });
-    }
-  };
-
-  const findQuery = (filter: TFindFilter<TAccessApprovalRequests>, tx: Knex) =>
-    tx(TableName.AccessApprovalRequest)
-      .where(filter)
-      .join(
-        TableName.AccessApprovalPolicy,
-        `${TableName.AccessApprovalRequest}.policyId`,
-        `${TableName.AccessApprovalPolicy}.id`
-      )
-
-      .join(
-        TableName.AccessApprovalPolicyApprover,
-        `${TableName.AccessApprovalPolicy}.id`,
-        `${TableName.AccessApprovalPolicyApprover}.policyId`
-      )
-      .leftJoin(
-        TableName.AccessApprovalRequestReviewer,
-        `${TableName.AccessApprovalRequest}.id`,
-        `${TableName.AccessApprovalRequestReviewer}.requestId`
-      )
-
-      .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-      .select(selectAllTableCols(TableName.AccessApprovalRequest))
-      .select(
-        tx.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"),
-        tx.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"),
-        tx.ref("id").withSchema(TableName.AccessApprovalPolicy).as("policyId"),
-        tx.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
-        tx.ref("projectId").withSchema(TableName.Environment),
-        tx.ref("slug").withSchema(TableName.Environment).as("environment"),
-        tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
-        tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
-        tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
-      );
-
-  const findById = async (id: string, tx?: Knex) => {
-    try {
-      const sql = findQuery({ [`${TableName.AccessApprovalRequest}.id` as "id"]: id }, tx || db);
-      const docs = await sql;
-      const formatedDoc = sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (el) => ({
-          ...AccessApprovalRequestsSchema.parse(el),
-          projectId: el.projectId,
-          environment: el.environment,
-          policy: {
-            id: el.policyId,
-            name: el.policyName,
-            approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
-          }
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerMemberId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
-          },
-          { key: "approverId", label: "approvers" as const, mapper: ({ approverId }) => approverId }
-        ]
-      });
-      if (!formatedDoc?.[0]) return;
-      return {
-        ...formatedDoc[0],
-        policy: { ...formatedDoc[0].policy, approvers: formatedDoc[0].approvers }
-      };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "FindByIdAccessApprovalRequest" });
-    }
-  };
-
-  const getCount = async ({ projectId }: { projectId: string }) => {
-    try {
-      const accessRequests = await db(TableName.AccessApprovalRequest)
-        .leftJoin(
-          TableName.AccessApprovalPolicy,
-          `${TableName.AccessApprovalRequest}.policyId`,
-          `${TableName.AccessApprovalPolicy}.id`
-        )
-        .leftJoin(TableName.Environment, `${TableName.AccessApprovalPolicy}.envId`, `${TableName.Environment}.id`)
-        .leftJoin(
-          TableName.ProjectUserAdditionalPrivilege,
-          `${TableName.AccessApprovalRequest}.privilegeId`,
-          `${TableName.ProjectUserAdditionalPrivilege}.id`
-        )
-
-        .leftJoin(
-          TableName.AccessApprovalRequestReviewer,
-          `${TableName.AccessApprovalRequest}.id`,
-          `${TableName.AccessApprovalRequestReviewer}.requestId`
-        )
-
-        .where(`${TableName.Environment}.projectId`, projectId)
-        .select(selectAllTableCols(TableName.AccessApprovalRequest))
-        .select(db.ref("status").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerStatus"))
-        .select(db.ref("member").withSchema(TableName.AccessApprovalRequestReviewer).as("reviewerMemberId"));
-
-      const formattedRequests = sqlNestRelationships({
-        data: accessRequests,
-        key: "id",
-        parentMapper: (doc) => ({
-          ...AccessApprovalRequestsSchema.parse(doc)
-        }),
-        childrenMapper: [
-          {
-            key: "reviewerMemberId",
-            label: "reviewers" as const,
-            mapper: ({ reviewerMemberId: member, reviewerStatus: status }) => (member ? { member, status } : undefined)
-          }
-        ]
-      });
-
-      // an approval is pending if there is no reviewer rejections and no privilege ID is set
-      const pendingApprovals = formattedRequests.filter(
-        (req) => !req.privilegeId && !req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
-      );
-
-      // an approval is finalized if there are any rejections or a privilege ID is set
-      const finalizedApprovals = formattedRequests.filter(
-        (req) => req.privilegeId || req.reviewers.some((r) => r.status === ApprovalStatus.REJECTED)
-      );
-
-      return { pendingCount: pendingApprovals.length, finalizedCount: finalizedApprovals.length };
-    } catch (error) {
-      throw new DatabaseError({ error, name: "GetCountAccessApprovalRequest" });
-    }
-  };
-
-  return { ...accessApprovalRequestOrm, findById, findRequestsWithPrivilegeByPolicyIds, getCount };
-};

backend/src/ee/services/access-approval-request/access-approval-request-fns.ts

@@ -1,53 +0,0 @@
-import { PackRule, unpackRules } from "@casl/ability/extra";
-
-import { UnauthorizedError } from "@app/lib/errors";
-
-import { TVerifyPermission } from "./access-approval-request-types";
-
-function filterUnique(value: string, index: number, array: string[]) {
-  return array.indexOf(value) === index;
-}
-
-export const verifyRequestedPermissions = ({ permissions }: TVerifyPermission) => {
-  const permission = unpackRules(
-    permissions as PackRule<{
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      conditions?: Record<string, any>;
-      action: string;
-      subject: [string];
-    }>[]
-  );
-
-  if (!permission || !permission.length) {
-    throw new UnauthorizedError({ message: "No permission provided" });
-  }
-
-  const requestedPermissions: string[] = [];
-
-  for (const p of permission) {
-    if (p.action[0] === "read") requestedPermissions.push("Read Access");
-    if (p.action[0] === "create") requestedPermissions.push("Create Access");
-    if (p.action[0] === "delete") requestedPermissions.push("Delete Access");
-    if (p.action[0] === "edit") requestedPermissions.push("Edit Access");
-  }
-
-  const firstPermission = permission[0];
-
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
-  const permissionSecretPath = firstPermission.conditions?.secretPath?.$glob;
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars, @typescript-eslint/no-unsafe-assignment
-  const permissionEnv = firstPermission.conditions?.environment;
-
-  if (!permissionEnv || typeof permissionEnv !== "string") {
-    throw new UnauthorizedError({ message: "Permission environment is not a string" });
-  }
-  if (!permissionSecretPath || typeof permissionSecretPath !== "string") {
-    throw new UnauthorizedError({ message: "Permission path is not a string" });
-  }
-
-  return {
-    envSlug: permissionEnv,
-    secretPath: permissionSecretPath,
-    accessTypes: requestedPermissions.filter(filterUnique)
-  };
-};

backend/src/ee/services/access-approval-request/access-approval-request-reviewer-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TAccessApprovalRequestReviewerDALFactory = ReturnType<typeof accessApprovalRequestReviewerDALFactory>;
-
-export const accessApprovalRequestReviewerDALFactory = (db: TDbClient) => {
-  const secretApprovalRequestReviewerOrm = ormify(db, TableName.AccessApprovalRequestReviewer);
-  return secretApprovalRequestReviewerOrm;
-};

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -1,369 +0,0 @@
-import slugify from "@sindresorhus/slugify";
-import ms from "ms";
-
-import { ProjectMembershipRole } from "@app/db/schemas";
-import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
-import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { TUserDALFactory } from "@app/services/user/user-dal";
-
-import { TAccessApprovalPolicyApproverDALFactory } from "../access-approval-policy/access-approval-policy-approver-dal";
-import { TAccessApprovalPolicyDALFactory } from "../access-approval-policy/access-approval-policy-dal";
-import { verifyApprovers } from "../access-approval-policy/access-approval-policy-fns";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TProjectUserAdditionalPrivilegeDALFactory } from "../project-user-additional-privilege/project-user-additional-privilege-dal";
-import { ProjectUserAdditionalPrivilegeTemporaryMode } from "../project-user-additional-privilege/project-user-additional-privilege-types";
-import { TAccessApprovalRequestDALFactory } from "./access-approval-request-dal";
-import { verifyRequestedPermissions } from "./access-approval-request-fns";
-import { TAccessApprovalRequestReviewerDALFactory } from "./access-approval-request-reviewer-dal";
-import {
-  ApprovalStatus,
-  TCreateAccessApprovalRequestDTO,
-  TGetAccessRequestCountDTO,
-  TListApprovalRequestsDTO,
-  TReviewAccessRequestDTO
-} from "./access-approval-request-types";
-
-type TSecretApprovalRequestServiceFactoryDep = {
-  additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  accessApprovalPolicyApproverDAL: Pick<TAccessApprovalPolicyApproverDALFactory, "find">;
-  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectBySlug">;
-  accessApprovalRequestDAL: Pick<
-    TAccessApprovalRequestDALFactory,
-    | "create"
-    | "find"
-    | "findRequestsWithPrivilegeByPolicyIds"
-    | "findById"
-    | "transaction"
-    | "updateById"
-    | "findOne"
-    | "getCount"
-  >;
-  accessApprovalPolicyDAL: Pick<TAccessApprovalPolicyDALFactory, "findOne" | "find">;
-  accessApprovalRequestReviewerDAL: Pick<
-    TAccessApprovalRequestReviewerDALFactory,
-    "create" | "find" | "findOne" | "transaction"
-  >;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "findById">;
-  smtpService: Pick<TSmtpService, "sendMail">;
-  userDAL: Pick<TUserDALFactory, "findUserByProjectMembershipId" | "findUsersByProjectMembershipIds">;
-};
-
-export type TAccessApprovalRequestServiceFactory = ReturnType<typeof accessApprovalRequestServiceFactory>;
-
-export const accessApprovalRequestServiceFactory = ({
-  projectDAL,
-  projectEnvDAL,
-  permissionService,
-  accessApprovalRequestDAL,
-  accessApprovalRequestReviewerDAL,
-  projectMembershipDAL,
-  accessApprovalPolicyDAL,
-  accessApprovalPolicyApproverDAL,
-  additionalPrivilegeDAL,
-  smtpService,
-  userDAL
-}: TSecretApprovalRequestServiceFactoryDep) => {
-  const createAccessApprovalRequest = async ({
-    isTemporary,
-    temporaryRange,
-    actorId,
-    permissions: requestedPermissions,
-    actor,
-    actorOrgId,
-    actorAuthMethod,
-    projectSlug
-  }: TCreateAccessApprovalRequestDTO) => {
-    const cfg = getConfig();
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    // Anyone can create an access approval request.
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    const requestedByUser = await userDAL.findUserByProjectMembershipId(membership.id);
-    if (!requestedByUser) throw new UnauthorizedError({ message: "User not found" });
-
-    await projectDAL.checkProjectUpgradeStatus(project.id);
-
-    const { envSlug, secretPath, accessTypes } = verifyRequestedPermissions({ permissions: requestedPermissions });
-    const environment = await projectEnvDAL.findOne({ projectId: project.id, slug: envSlug });
-
-    if (!environment) throw new UnauthorizedError({ message: "Environment not found" });
-
-    const policy = await accessApprovalPolicyDAL.findOne({
-      envId: environment.id,
-      secretPath
-    });
-    if (!policy) throw new UnauthorizedError({ message: "No policy matching criteria was found." });
-
-    const approvers = await accessApprovalPolicyApproverDAL.find({
-      policyId: policy.id
-    });
-
-    const approverUsers = await userDAL.findUsersByProjectMembershipIds(
-      approvers.map((approver) => approver.approverId)
-    );
-
-    const duplicateRequests = await accessApprovalRequestDAL.find({
-      policyId: policy.id,
-      requestedBy: membership.id,
-      permissions: JSON.stringify(requestedPermissions),
-      isTemporary
-    });
-
-    if (duplicateRequests?.length > 0) {
-      for await (const duplicateRequest of duplicateRequests) {
-        if (duplicateRequest.privilegeId) {
-          const privilege = await additionalPrivilegeDAL.findById(duplicateRequest.privilegeId);
-
-          const isExpired = new Date() > new Date(privilege.temporaryAccessEndTime || ("" as string));
-
-          if (!isExpired || !privilege.isTemporary) {
-            throw new BadRequestError({ message: "You already have an active privilege with the same criteria" });
-          }
-        } else {
-          const reviewers = await accessApprovalRequestReviewerDAL.find({
-            requestId: duplicateRequest.id
-          });
-
-          const isRejected = reviewers.some((reviewer) => reviewer.status === ApprovalStatus.REJECTED);
-
-          if (!isRejected) {
-            throw new BadRequestError({ message: "You already have a pending access request with the same criteria" });
-          }
-        }
-      }
-    }
-
-    const approval = await accessApprovalRequestDAL.transaction(async (tx) => {
-      const approvalRequest = await accessApprovalRequestDAL.create(
-        {
-          policyId: policy.id,
-          requestedBy: membership.id,
-          temporaryRange: temporaryRange || null,
-          permissions: JSON.stringify(requestedPermissions),
-          isTemporary
-        },
-        tx
-      );
-
-      await smtpService.sendMail({
-        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
-        subjectLine: "Access Approval Request",
-
-        substitutions: {
-          projectName: project.name,
-          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
-          requesterEmail: requestedByUser.email,
-          isTemporary,
-          ...(isTemporary && {
-            expiresIn: ms(ms(temporaryRange || ""), { long: true })
-          }),
-          secretPath,
-          environment: envSlug,
-          permissions: accessTypes,
-          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
-        },
-        template: SmtpTemplates.AccessApprovalRequest
-      });
-
-      return approvalRequest;
-    });
-
-    return { request: approval };
-  };
-
-  const listApprovalRequests = async ({
-    projectSlug,
-    authorProjectMembershipId,
-    envSlug,
-    actor,
-    actorOrgId,
-    actorId,
-    actorAuthMethod
-  }: TListApprovalRequestsDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    const policies = await accessApprovalPolicyDAL.find({ projectId: project.id });
-    let requests = await accessApprovalRequestDAL.findRequestsWithPrivilegeByPolicyIds(policies.map((p) => p.id));
-
-    if (authorProjectMembershipId) {
-      requests = requests.filter((request) => request.requestedBy === authorProjectMembershipId);
-    }
-
-    if (envSlug) {
-      requests = requests.filter((request) => request.environment === envSlug);
-    }
-
-    return { requests };
-  };
-
-  const reviewAccessRequest = async ({
-    requestId,
-    actor,
-    status,
-    actorId,
-    actorAuthMethod,
-    actorOrgId
-  }: TReviewAccessRequestDTO) => {
-    const accessApprovalRequest = await accessApprovalRequestDAL.findById(requestId);
-    if (!accessApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
-
-    const { policy } = accessApprovalRequest;
-    const { membership, hasRole } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      accessApprovalRequest.projectId,
-      actorAuthMethod,
-      actorOrgId
-    );
-
-    if (!membership) throw new UnauthorizedError({ message: "You are not a member of this project" });
-
-    if (
-      !hasRole(ProjectMembershipRole.Admin) &&
-      accessApprovalRequest.requestedBy !== membership.id && // The request wasn't made by the current user
-      !policy.approvers.find((approverId) => approverId === membership.id) // The request isn't performed by an assigned approver
-    ) {
-      throw new UnauthorizedError({ message: "You are not authorized to approve this request" });
-    }
-
-    const reviewerProjectMembership = await projectMembershipDAL.findById(membership.id);
-
-    await verifyApprovers({
-      projectId: accessApprovalRequest.projectId,
-      orgId: actorOrgId,
-      envSlug: accessApprovalRequest.environment,
-      secretPath: accessApprovalRequest.policy.secretPath!,
-      actorAuthMethod,
-      permissionService,
-      userIds: [reviewerProjectMembership.userId]
-    });
-
-    const existingReviews = await accessApprovalRequestReviewerDAL.find({ requestId: accessApprovalRequest.id });
-    if (existingReviews.some((review) => review.status === ApprovalStatus.REJECTED)) {
-      throw new BadRequestError({ message: "The request has already been rejected by another reviewer" });
-    }
-
-    const reviewStatus = await accessApprovalRequestReviewerDAL.transaction(async (tx) => {
-      const review = await accessApprovalRequestReviewerDAL.findOne(
-        {
-          requestId: accessApprovalRequest.id,
-          member: membership.id
-        },
-        tx
-      );
-      if (!review) {
-        const newReview = await accessApprovalRequestReviewerDAL.create(
-          {
-            status,
-            requestId: accessApprovalRequest.id,
-            member: membership.id
-          },
-          tx
-        );
-
-        const allReviews = [...existingReviews, newReview];
-
-        const approvedReviews = allReviews.filter((r) => r.status === ApprovalStatus.APPROVED);
-
-        // approvals is the required number of approvals. If the number of approved reviews is equal to the number of required approvals, then the request is approved.
-        if (approvedReviews.length === policy.approvals) {
-          if (accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
-            throw new BadRequestError({ message: "Temporary range is required for temporary access" });
-          }
-
-          let privilegeId: string | null = null;
-
-          if (!accessApprovalRequest.isTemporary && !accessApprovalRequest.temporaryRange) {
-            // Permanent access
-            const privilege = await additionalPrivilegeDAL.create(
-              {
-                projectMembershipId: accessApprovalRequest.requestedBy,
-                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                permissions: JSON.stringify(accessApprovalRequest.permissions)
-              },
-              tx
-            );
-            privilegeId = privilege.id;
-          } else {
-            // Temporary access
-            const relativeTempAllocatedTimeInMs = ms(accessApprovalRequest.temporaryRange!);
-            const startTime = new Date();
-
-            const privilege = await additionalPrivilegeDAL.create(
-              {
-                projectMembershipId: accessApprovalRequest.requestedBy,
-                slug: `requested-privilege-${slugify(alphaNumericNanoId(12))}`,
-                permissions: JSON.stringify(accessApprovalRequest.permissions),
-                isTemporary: true,
-                temporaryMode: ProjectUserAdditionalPrivilegeTemporaryMode.Relative,
-                temporaryRange: accessApprovalRequest.temporaryRange!,
-                temporaryAccessStartTime: startTime,
-                temporaryAccessEndTime: new Date(new Date(startTime).getTime() + relativeTempAllocatedTimeInMs)
-              },
-              tx
-            );
-            privilegeId = privilege.id;
-          }
-
-          await accessApprovalRequestDAL.updateById(accessApprovalRequest.id, { privilegeId }, tx);
-        }
-
-        return newReview;
-      }
-      throw new BadRequestError({ message: "You have already reviewed this request" });
-    });
-
-    return reviewStatus;
-  };
-
-  const getCount = async ({ projectSlug, actor, actorAuthMethod, actorId, actorOrgId }: TGetAccessRequestCountDTO) => {
-    const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
-    if (!project) throw new UnauthorizedError({ message: "Project not found" });
-
-    const { membership } = await permissionService.getProjectPermission(
-      actor,
-      actorId,
-      project.id,
-      actorAuthMethod,
-      actorOrgId
-    );
-    if (!membership) throw new BadRequestError({ message: "User not found in project" });
-
-    const count = await accessApprovalRequestDAL.getCount({ projectId: project.id });
-
-    return { count };
-  };
-
-  return {
-    createAccessApprovalRequest,
-    listApprovalRequests,
-    reviewAccessRequest,
-    getCount
-  };
-};

backend/src/ee/services/access-approval-request/access-approval-request-types.ts

@@ -1,33 +0,0 @@
-import { TProjectPermission } from "@app/lib/types";
-
-export enum ApprovalStatus {
-  PENDING = "pending",
-  APPROVED = "approved",
-  REJECTED = "rejected"
-}
-
-export type TVerifyPermission = {
-  permissions: unknown;
-};
-
-export type TGetAccessRequestCountDTO = {
-  projectSlug: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TReviewAccessRequestDTO = {
-  requestId: string;
-  status: ApprovalStatus;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TCreateAccessApprovalRequestDTO = {
-  projectSlug: string;
-  permissions: unknown;
-  isTemporary: boolean;
-  temporaryRange?: string;
-} & Omit<TProjectPermission, "projectId">;
-
-export type TListApprovalRequestsDTO = {
-  projectSlug: string;
-  authorProjectMembershipId?: string;
-  envSlug?: string;
-} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/audit-log-stream/audit-log-stream-dal.ts

@@ -1,11 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TAuditLogStreamDALFactory = ReturnType<typeof auditLogStreamDALFactory>;
-
-export const auditLogStreamDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.AuditLogStream);
-
-  return orm;
-};

backend/src/ee/services/audit-log-stream/audit-log-stream-service.ts

@@ -1,233 +0,0 @@
-import { ForbiddenError } from "@casl/ability";
-import { RawAxiosRequestHeaders } from "axios";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt, infisicalSymmetricEncypt } from "@app/lib/crypto/encryption";
-import { BadRequestError } from "@app/lib/errors";
-import { validateLocalIps } from "@app/lib/validator";
-
-import { AUDIT_LOG_STREAM_TIMEOUT } from "../audit-log/audit-log-queue";
-import { TLicenseServiceFactory } from "../license/license-service";
-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
-import { TPermissionServiceFactory } from "../permission/permission-service";
-import { TAuditLogStreamDALFactory } from "./audit-log-stream-dal";
-import {
-  LogStreamHeaders,
-  TCreateAuditLogStreamDTO,
-  TDeleteAuditLogStreamDTO,
-  TGetDetailsAuditLogStreamDTO,
-  TListAuditLogStreamDTO,
-  TUpdateAuditLogStreamDTO
-} from "./audit-log-stream-types";
-
-type TAuditLogStreamServiceFactoryDep = {
-  auditLogStreamDAL: TAuditLogStreamDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-};
-
-export type TAuditLogStreamServiceFactory = ReturnType<typeof auditLogStreamServiceFactory>;
-
-export const auditLogStreamServiceFactory = ({
-  auditLogStreamDAL,
-  permissionService,
-  licenseService
-}: TAuditLogStreamServiceFactoryDep) => {
-  const create = async ({
-    url,
-    actor,
-    headers = [],
-    actorId,
-    actorOrgId,
-    actorAuthMethod
-  }: TCreateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
-      throw new BadRequestError({
-        message: "Failed to create audit log streams due to plan restriction. Upgrade plan to create group."
-      });
-
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Settings);
-
-    validateLocalIps(url);
-
-    const totalStreams = await auditLogStreamDAL.find({ orgId: actorOrgId });
-    if (totalStreams.length >= plan.auditLogStreamLimit) {
-      throw new BadRequestError({
-        message:
-          "Failed to create audit log streams due to plan limit reached. Kindly contact Infisical to add more streams."
-      });
-    }
-
-    // testing connection first
-    const streamHeaders: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-    if (headers.length)
-      headers.forEach(({ key, value }) => {
-        streamHeaders[key] = value;
-      });
-    await request
-      .post(
-        url,
-        { ping: "ok" },
-        {
-          headers: streamHeaders,
-          // request timeout
-          timeout: AUDIT_LOG_STREAM_TIMEOUT,
-          // connection timeout
-          signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-        }
-      )
-      .catch((err) => {
-        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
-      });
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
-    const logStream = await auditLogStreamDAL.create({
-      orgId: actorOrgId,
-      url,
-      ...(encryptedHeaders
-        ? {
-            encryptedHeadersCiphertext: encryptedHeaders.ciphertext,
-            encryptedHeadersIV: encryptedHeaders.iv,
-            encryptedHeadersTag: encryptedHeaders.tag,
-            encryptedHeadersAlgorithm: encryptedHeaders.algorithm,
-            encryptedHeadersKeyEncoding: encryptedHeaders.encoding
-          }
-        : {})
-    });
-    return logStream;
-  };
-
-  const updateById = async ({
-    id,
-    url,
-    actor,
-    headers = [],
-    actorId,
-    actorOrgId,
-    actorAuthMethod
-  }: TUpdateAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
-
-    const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.auditLogStreams)
-      throw new BadRequestError({
-        message: "Failed to update audit log streams due to plan restriction. Upgrade plan to create group."
-      });
-
-    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
-
-    const { orgId } = logStream;
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
-
-    if (url) validateLocalIps(url);
-
-    // testing connection first
-    const streamHeaders: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-    if (headers.length)
-      headers.forEach(({ key, value }) => {
-        streamHeaders[key] = value;
-      });
-
-    await request
-      .post(
-        url || logStream.url,
-        { ping: "ok" },
-        {
-          headers: streamHeaders,
-          // request timeout
-          timeout: AUDIT_LOG_STREAM_TIMEOUT,
-          // connection timeout
-          signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-        }
-      )
-      .catch((err) => {
-        throw new Error(`Failed to connect with the source ${(err as Error)?.message}`);
-      });
-
-    const encryptedHeaders = headers ? infisicalSymmetricEncypt(JSON.stringify(headers)) : undefined;
-    const updatedLogStream = await auditLogStreamDAL.updateById(id, {
-      url,
-      ...(encryptedHeaders
-        ? {
-            encryptedHeadersCiphertext: encryptedHeaders.ciphertext,
-            encryptedHeadersIV: encryptedHeaders.iv,
-            encryptedHeadersTag: encryptedHeaders.tag,
-            encryptedHeadersAlgorithm: encryptedHeaders.algorithm,
-            encryptedHeadersKeyEncoding: encryptedHeaders.encoding
-          }
-        : {})
-    });
-    return updatedLogStream;
-  };
-
-  const deleteById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TDeleteAuditLogStreamDTO) => {
-    if (!actorOrgId) throw new BadRequestError({ message: "Missing org id from token" });
-
-    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
-
-    const { orgId } = logStream;
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Settings);
-
-    const deletedLogStream = await auditLogStreamDAL.deleteById(id);
-    return deletedLogStream;
-  };
-
-  const getById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetDetailsAuditLogStreamDTO) => {
-    const logStream = await auditLogStreamDAL.findById(id);
-    if (!logStream) throw new BadRequestError({ message: "Audit log stream not found" });
-
-    const { orgId } = logStream;
-    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-
-    const headers =
-      logStream?.encryptedHeadersCiphertext && logStream?.encryptedHeadersIV && logStream?.encryptedHeadersTag
-        ? (JSON.parse(
-            infisicalSymmetricDecrypt({
-              tag: logStream.encryptedHeadersTag,
-              iv: logStream.encryptedHeadersIV,
-              ciphertext: logStream.encryptedHeadersCiphertext,
-              keyEncoding: logStream.encryptedHeadersKeyEncoding as SecretKeyEncoding
-            })
-          ) as LogStreamHeaders[])
-        : undefined;
-
-    return { ...logStream, headers };
-  };
-
-  const list = async ({ actor, actorId, actorOrgId, actorAuthMethod }: TListAuditLogStreamDTO) => {
-    const { permission } = await permissionService.getOrgPermission(
-      actor,
-      actorId,
-      actorOrgId,
-      actorAuthMethod,
-      actorOrgId
-    );
-    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Settings);
-
-    const logStreams = await auditLogStreamDAL.find({ orgId: actorOrgId });
-    return logStreams;
-  };
-
-  return {
-    create,
-    updateById,
-    deleteById,
-    getById,
-    list
-  };
-};

backend/src/ee/services/audit-log-stream/audit-log-stream-types.ts

@@ -1,27 +0,0 @@
-import { TOrgPermission } from "@app/lib/types";
-
-export type LogStreamHeaders = {
-  key: string;
-  value: string;
-};
-
-export type TCreateAuditLogStreamDTO = Omit<TOrgPermission, "orgId"> & {
-  url: string;
-  headers?: LogStreamHeaders[];
-};
-
-export type TUpdateAuditLogStreamDTO = Omit<TOrgPermission, "orgId"> & {
-  id: string;
-  url?: string;
-  headers?: LogStreamHeaders[];
-};
-
-export type TDeleteAuditLogStreamDTO = Omit<TOrgPermission, "orgId"> & {
-  id: string;
-};
-
-export type TListAuditLogStreamDTO = Omit<TOrgPermission, "orgId">;
-
-export type TGetDetailsAuditLogStreamDTO = Omit<TOrgPermission, "orgId"> & {
-  id: string;
-};

backend/src/ee/services/audit-log/audit-log-queue.ts

@@ -1,21 +1,13 @@
-import { RawAxiosRequestHeaders } from "axios";
-
-import { SecretKeyEncoding } from "@app/db/schemas";
-import { request } from "@app/lib/config/request";
-import { infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { logger } from "@app/lib/logger";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
-import { TAuditLogStreamDALFactory } from "../audit-log-stream/audit-log-stream-dal";
-import { LogStreamHeaders } from "../audit-log-stream/audit-log-stream-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { TAuditLogDALFactory } from "./audit-log-dal";
 import { TCreateAuditLogDTO } from "./audit-log-types";
 
 type TAuditLogQueueServiceFactoryDep = {
   auditLogDAL: TAuditLogDALFactory;
-  auditLogStreamDAL: Pick<TAuditLogStreamDALFactory, "find">;
   queueService: TQueueServiceFactory;
   projectDAL: Pick<TProjectDALFactory, "findById">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -23,15 +15,11 @@ type TAuditLogQueueServiceFactoryDep = {
 
 export type TAuditLogQueueServiceFactory = ReturnType<typeof auditLogQueueServiceFactory>;
 
-// keep this timeout 5s it must be fast because else the queue will take time to finish
-// audit log is a crowded queue thus needs to be fast
-export const AUDIT_LOG_STREAM_TIMEOUT = 5 * 1000;
 export const auditLogQueueServiceFactory = ({
   auditLogDAL,
   queueService,
   projectDAL,
-  licenseService,
-  auditLogStreamDAL
+  licenseService
 }: TAuditLogQueueServiceFactoryDep) => {
   const pushToLog = async (data: TCreateAuditLogDTO) => {
     await queueService.queue(QueueName.AuditLog, QueueJobs.AuditLog, data, {
@@ -59,7 +47,7 @@ export const auditLogQueueServiceFactory = ({
     // skip inserting if audit log retention is 0 meaning its not supported
     if (ttl === 0) return;
 
-    const auditLog = await auditLogDAL.create({
+    await auditLogDAL.create({
       actor: actor.type,
       actorMetadata: actor.metadata,
       userAgent,
@@ -71,46 +59,6 @@ export const auditLogQueueServiceFactory = ({
       eventMetadata: event.metadata,
       userAgentType
     });
-
-    const logStreams = orgId ? await auditLogStreamDAL.find({ orgId }) : [];
-    await Promise.allSettled(
-      logStreams.map(
-        async ({
-          url,
-          encryptedHeadersTag,
-          encryptedHeadersIV,
-          encryptedHeadersKeyEncoding,
-          encryptedHeadersCiphertext
-        }) => {
-          const streamHeaders =
-            encryptedHeadersIV && encryptedHeadersCiphertext && encryptedHeadersTag
-              ? (JSON.parse(
-                  infisicalSymmetricDecrypt({
-                    keyEncoding: encryptedHeadersKeyEncoding as SecretKeyEncoding,
-                    iv: encryptedHeadersIV,
-                    tag: encryptedHeadersTag,
-                    ciphertext: encryptedHeadersCiphertext
-                  })
-                ) as LogStreamHeaders[])
-              : [];
-
-          const headers: RawAxiosRequestHeaders = { "Content-Type": "application/json" };
-
-          if (streamHeaders.length)
-            streamHeaders.forEach(({ key, value }) => {
-              headers[key] = value;
-            });
-
-          return request.post(url, auditLog, {
-            headers,
-            // request timeout
-            timeout: AUDIT_LOG_STREAM_TIMEOUT,
-            // connection timeout
-            signal: AbortSignal.timeout(AUDIT_LOG_STREAM_TIMEOUT)
-          });
-        }
-      )
-    );
   });
 
   queueService.start(QueueName.AuditLogPrune, async () => {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -51,7 +51,6 @@ export enum EventType {
   UNAUTHORIZE_INTEGRATION = "unauthorize-integration",
   CREATE_INTEGRATION = "create-integration",
   DELETE_INTEGRATION = "delete-integration",
-  MANUAL_SYNC_INTEGRATION = "manual-sync-integration",
   ADD_TRUSTED_IP = "add-trusted-ip",
   UPDATE_TRUSTED_IP = "update-trusted-ip",
   DELETE_TRUSTED_IP = "delete-trusted-ip",
@@ -64,21 +63,9 @@ export enum EventType {
   ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
   UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
   GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
-  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
-  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
-  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
-  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
-  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
-  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
-  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
-  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
-  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
-  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
-  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
-  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
@@ -282,25 +269,6 @@ interface DeleteIntegrationEvent {
   };
 }
 
-interface ManualSyncIntegrationEvent {
-  type: EventType.MANUAL_SYNC_INTEGRATION;
-  metadata: {
-    integrationId: string;
-    integration: string;
-    environment: string;
-    secretPath: string;
-    url?: string;
-    app?: string;
-    appId?: string;
-    targetEnvironment?: string;
-    targetEnvironmentId?: string;
-    targetService?: string;
-    targetServiceId?: string;
-    path?: string;
-    region?: string;
-  };
-}
-
 interface AddTrustedIPEvent {
   type: EventType.ADD_TRUSTED_IP;
   metadata: {
@@ -415,50 +383,6 @@ interface GetIdentityUniversalAuthEvent {
   };
 }
 
-interface LoginIdentityKubernetesAuthEvent {
-  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    identityKubernetesAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityKubernetesAuthEvent {
-  type: EventType.ADD_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost: string;
-    allowedNamespaces: string;
-    allowedNames: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityKubernetesAuthEvent {
-  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
-  metadata: {
-    identityId: string;
-    kubernetesHost?: string;
-    allowedNamespaces?: string;
-    allowedNames?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityKubernetesAuthEvent {
-  type: EventType.GET_IDENTITY_KUBERNETES_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateIdentityUniversalAuthClientSecretEvent {
   type: EventType.CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
   metadata: {
@@ -482,96 +406,6 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
   };
 }
 
-interface LoginIdentityGcpAuthEvent {
-  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    identityGcpAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityGcpAuthEvent {
-  type: EventType.ADD_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type: string;
-    allowedServiceAccounts: string;
-    allowedProjects: string;
-    allowedZones: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityGcpAuthEvent {
-  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-    type?: string;
-    allowedServiceAccounts?: string;
-    allowedProjects?: string;
-    allowedZones?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityGcpAuthEvent {
-  type: EventType.GET_IDENTITY_GCP_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
-interface LoginIdentityAwsAuthEvent {
-  type: EventType.LOGIN_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    identityAwsAuthId: string;
-    identityAccessTokenId: string;
-  };
-}
-
-interface AddIdentityAwsAuthEvent {
-  type: EventType.ADD_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint: string;
-    allowedPrincipalArns: string;
-    allowedAccountIds: string;
-    accessTokenTTL: number;
-    accessTokenMaxTTL: number;
-    accessTokenNumUsesLimit: number;
-    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface UpdateIdentityAwsAuthEvent {
-  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-    stsEndpoint?: string;
-    allowedPrincipalArns?: string;
-    allowedAccountIds?: string;
-    accessTokenTTL?: number;
-    accessTokenMaxTTL?: number;
-    accessTokenNumUsesLimit?: number;
-    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
-  };
-}
-
-interface GetIdentityAwsAuthEvent {
-  type: EventType.GET_IDENTITY_AWS_AUTH;
-  metadata: {
-    identityId: string;
-  };
-}
-
 interface CreateEnvironmentEvent {
   type: EventType.CREATE_ENVIRONMENT;
   metadata: {
@@ -811,7 +645,6 @@ export type Event =
   | UnauthorizeIntegrationEvent
   | CreateIntegrationEvent
   | DeleteIntegrationEvent
-  | ManualSyncIntegrationEvent
   | AddTrustedIPEvent
   | UpdateTrustedIPEvent
   | DeleteTrustedIPEvent
@@ -824,21 +657,9 @@ export type Event =
   | AddIdentityUniversalAuthEvent
   | UpdateIdentityUniversalAuthEvent
   | GetIdentityUniversalAuthEvent
-  | LoginIdentityKubernetesAuthEvent
-  | AddIdentityKubernetesAuthEvent
-  | UpdateIdentityKubernetesAuthEvent
-  | GetIdentityKubernetesAuthEvent
   | CreateIdentityUniversalAuthClientSecretEvent
   | GetIdentityUniversalAuthClientSecretsEvent
   | RevokeIdentityUniversalAuthClientSecretEvent
-  | LoginIdentityGcpAuthEvent
-  | AddIdentityGcpAuthEvent
-  | UpdateIdentityGcpAuthEvent
-  | GetIdentityGcpAuthEvent
-  | LoginIdentityAwsAuthEvent
-  | AddIdentityAwsAuthEvent
-  | UpdateIdentityAwsAuthEvent
-  | GetIdentityAwsAuthEvent
   | CreateEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent

backend/src/ee/services/dynamic-secret/providers/aws-iam.ts

@@ -1,194 +0,0 @@
-import {
-  AddUserToGroupCommand,
-  AttachUserPolicyCommand,
-  CreateAccessKeyCommand,
-  CreateUserCommand,
-  DeleteAccessKeyCommand,
-  DeleteUserCommand,
-  DeleteUserPolicyCommand,
-  DetachUserPolicyCommand,
-  GetUserCommand,
-  IAMClient,
-  ListAccessKeysCommand,
-  ListAttachedUserPoliciesCommand,
-  ListGroupsForUserCommand,
-  ListUserPoliciesCommand,
-  PutUserPolicyCommand,
-  RemoveUserFromGroupCommand
-} from "@aws-sdk/client-iam";
-import { z } from "zod";
-
-import { BadRequestError } from "@app/lib/errors";
-import { alphaNumericNanoId } from "@app/lib/nanoid";
-
-import { DynamicSecretAwsIamSchema, TDynamicProviderFns } from "./models";
-
-const generateUsername = () => {
-  return alphaNumericNanoId(32);
-};
-
-export const AwsIamProvider = (): TDynamicProviderFns => {
-  const validateProviderInputs = async (inputs: unknown) => {
-    const providerInputs = await DynamicSecretAwsIamSchema.parseAsync(inputs);
-    return providerInputs;
-  };
-
-  const getClient = async (providerInputs: z.infer<typeof DynamicSecretAwsIamSchema>) => {
-    const client = new IAMClient({
-      region: providerInputs.region,
-      credentials: {
-        accessKeyId: providerInputs.accessKey,
-        secretAccessKey: providerInputs.secretAccessKey
-      }
-    });
-
-    return client;
-  };
-
-  const validateConnection = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const isConnected = await client.send(new GetUserCommand({})).then(() => true);
-    return isConnected;
-  };
-
-  const create = async (inputs: unknown) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const username = generateUsername();
-    const { policyArns, userGroups, policyDocument, awsPath, permissionBoundaryPolicyArn } = providerInputs;
-    const createUserRes = await client.send(
-      new CreateUserCommand({
-        Path: awsPath,
-        PermissionsBoundary: permissionBoundaryPolicyArn || undefined,
-        Tags: [{ Key: "createdBy", Value: "infisical-dynamic-secret" }],
-        UserName: username
-      })
-    );
-    if (!createUserRes.User) throw new BadRequestError({ message: "Failed to create AWS IAM User" });
-    if (userGroups) {
-      await Promise.all(
-        userGroups
-          .split(",")
-          .filter(Boolean)
-          .map((group) =>
-            client.send(new AddUserToGroupCommand({ UserName: createUserRes?.User?.UserName, GroupName: group }))
-          )
-      );
-    }
-    if (policyArns) {
-      await Promise.all(
-        policyArns
-          .split(",")
-          .filter(Boolean)
-          .map((policyArn) =>
-            client.send(new AttachUserPolicyCommand({ UserName: createUserRes?.User?.UserName, PolicyArn: policyArn }))
-          )
-      );
-    }
-    if (policyDocument) {
-      await client.send(
-        new PutUserPolicyCommand({
-          UserName: createUserRes.User.UserName,
-          PolicyName: `infisical-dynamic-policy-${alphaNumericNanoId(4)}`,
-          PolicyDocument: policyDocument
-        })
-      );
-    }
-
-    const createAccessKeyRes = await client.send(
-      new CreateAccessKeyCommand({
-        UserName: createUserRes.User.UserName
-      })
-    );
-    if (!createAccessKeyRes.AccessKey)
-      throw new BadRequestError({ message: "Failed to create AWS IAM User access key" });
-
-    return {
-      entityId: username,
-      data: {
-        ACCESS_KEY: createAccessKeyRes.AccessKey.AccessKeyId,
-        SECRET_ACCESS_KEY: createAccessKeyRes.AccessKey.SecretAccessKey,
-        USERNAME: username
-      }
-    };
-  };
-
-  const revoke = async (inputs: unknown, entityId: string) => {
-    const providerInputs = await validateProviderInputs(inputs);
-    const client = await getClient(providerInputs);
-
-    const username = entityId;
-
-    // remove user from groups
-    const userGroups = await client.send(new ListGroupsForUserCommand({ UserName: username }));
-    await Promise.all(
-      (userGroups.Groups || []).map(({ GroupName }) =>
-        client.send(
-          new RemoveUserFromGroupCommand({
-            GroupName,
-            UserName: username
-          })
-        )
-      )
-    );
-
-    // remove user access keys
-    const userAccessKeys = await client.send(new ListAccessKeysCommand({ UserName: username }));
-    await Promise.all(
-      (userAccessKeys.AccessKeyMetadata || []).map(({ AccessKeyId }) =>
-        client.send(
-          new DeleteAccessKeyCommand({
-            AccessKeyId,
-            UserName: username
-          })
-        )
-      )
-    );
-
-    // remove user inline policies
-    const userInlinePolicies = await client.send(new ListUserPoliciesCommand({ UserName: username }));
-    await Promise.all(
-      (userInlinePolicies.PolicyNames || []).map((policyName) =>
-        client.send(
-          new DeleteUserPolicyCommand({
-            PolicyName: policyName,
-            UserName: username
-          })
-        )
-      )
-    );
-
-    // remove user attached  policies
-    const userAttachedPolicies = await client.send(new ListAttachedUserPoliciesCommand({ UserName: username }));
-    await Promise.all(
-      (userAttachedPolicies.AttachedPolicies || []).map((policy) =>
-        client.send(
-          new DetachUserPolicyCommand({
-            PolicyArn: policy.PolicyArn,
-            UserName: username
-          })
-        )
-      )
-    );
-
-    await client.send(new DeleteUserCommand({ UserName: username }));
-    return { entityId: username };
-  };
-
-  const renew = async (_inputs: unknown, entityId: string) => {
-    // do nothing
-    const username = entityId;
-    return { entityId: username };
-  };
-
-  return {
-    validateProviderInputs,
-    validateConnection,
-    create,
-    revoke,
-    renew
-  };
-};

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -1,10 +1,8 @@
-import { AwsIamProvider } from "./aws-iam";
 import { CassandraProvider } from "./cassandra";
 import { DynamicSecretProviders } from "./models";
 import { SqlDatabaseProvider } from "./sql-database";
 
 export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.SqlDatabase]: SqlDatabaseProvider(),
-  [DynamicSecretProviders.Cassandra]: CassandraProvider(),
-  [DynamicSecretProviders.AwsIam]: AwsIamProvider()
+  [DynamicSecretProviders.Cassandra]: CassandraProvider()
 });

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -8,51 +8,38 @@ export enum SqlProviders {
 
 export const DynamicSecretSqlDBSchema = z.object({
   client: z.nativeEnum(SqlProviders),
-  host: z.string().trim().toLowerCase(),
+  host: z.string().toLowerCase(),
   port: z.number(),
-  database: z.string().trim(),
-  username: z.string().trim(),
-  password: z.string().trim(),
-  creationStatement: z.string().trim(),
-  revocationStatement: z.string().trim(),
-  renewStatement: z.string().trim().optional(),
+  database: z.string(),
+  username: z.string(),
+  password: z.string(),
+  creationStatement: z.string(),
+  revocationStatement: z.string(),
+  renewStatement: z.string().optional(),
   ca: z.string().optional()
 });
 
 export const DynamicSecretCassandraSchema = z.object({
-  host: z.string().trim().toLowerCase(),
+  host: z.string().toLowerCase(),
   port: z.number(),
-  localDataCenter: z.string().trim().min(1),
-  keyspace: z.string().trim().optional(),
-  username: z.string().trim(),
-  password: z.string().trim(),
-  creationStatement: z.string().trim(),
-  revocationStatement: z.string().trim(),
-  renewStatement: z.string().trim().optional(),
+  localDataCenter: z.string().min(1),
+  keyspace: z.string().optional(),
+  username: z.string(),
+  password: z.string(),
+  creationStatement: z.string(),
+  revocationStatement: z.string(),
+  renewStatement: z.string().optional(),
   ca: z.string().optional()
 });
 
-export const DynamicSecretAwsIamSchema = z.object({
-  accessKey: z.string().trim().min(1),
-  secretAccessKey: z.string().trim().min(1),
-  region: z.string().trim().min(1),
-  awsPath: z.string().trim().optional(),
-  permissionBoundaryPolicyArn: z.string().trim().optional(),
-  policyDocument: z.string().trim().optional(),
-  userGroups: z.string().trim().optional(),
-  policyArns: z.string().trim().optional()
-});
-
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
-  Cassandra = "cassandra",
-  AwsIam = "aws-iam"
+  Cassandra = "cassandra"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.SqlDatabase), inputs: DynamicSecretSqlDBSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.AwsIam), inputs: DynamicSecretAwsIamSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Cassandra), inputs: DynamicSecretCassandraSchema })
 ]);
 
 export type TDynamicProviderFns = {

backend/src/ee/services/group/group-fns.ts

@@ -1,6 +1,6 @@
 import { Knex } from "knex";
 
-import { SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
+import { SecretKeyEncoding, TUsers } from "@app/db/schemas";
 import { decryptAsymmetric, encryptAsymmetric, infisicalSymmetricDecrypt } from "@app/lib/crypto/encryption";
 import { BadRequestError, ScimRequestError } from "@app/lib/errors";
 
@@ -188,9 +188,9 @@ export const addUsersToGroupByUserIds = async ({
     // check if all user(s) are part of the organization
     const existingUserOrgMemberships = await orgDAL.findMembership(
       {
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: group.orgId,
+        orgId: group.orgId,
         $in: {
-          [`${TableName.OrgMembership}.userId` as "userId"]: userIds
+          userId: userIds
         }
       },
       { tx }

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -1,7 +1,5 @@
-import { ForbiddenError, MongoAbility, RawRuleOf } from "@casl/ability";
-import { PackRule, unpackRules } from "@casl/ability/extra";
+import { ForbiddenError } from "@casl/ability";
 import ms from "ms";
-import { z } from "zod";
 
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";
@@ -10,7 +8,7 @@ import { TIdentityProjectDALFactory } from "@app/services/identity-project/ident
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { ProjectPermissionActions, ProjectPermissionSet, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TIdentityProjectAdditionalPrivilegeDALFactory } from "./identity-project-additional-privilege-dal";
 import {
   IdentityProjectAdditionalPrivilegeTemporaryMode,
@@ -32,27 +30,6 @@ export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
   typeof identityProjectAdditionalPrivilegeServiceFactory
 >;
 
-// TODO(akhilmhdh): move this to more centralized
-export const UnpackedPermissionSchema = z.object({
-  subject: z.union([z.string().min(1), z.string().array()]).optional(),
-  action: z.union([z.string().min(1), z.string().array()]),
-  conditions: z
-    .object({
-      environment: z.string().optional(),
-      secretPath: z
-        .object({
-          $glob: z.string().min(1)
-        })
-        .optional()
-    })
-    .optional()
-});
-
-const unpackPermissions = (permissions: unknown) =>
-  UnpackedPermissionSchema.array().parse(
-    unpackRules((permissions || []) as PackRule<RawRuleOf<MongoAbility<ProjectPermissionSet>>>[])
-  );
-
 export const identityProjectAdditionalPrivilegeServiceFactory = ({
   identityProjectAdditionalPrivilegeDAL,
   identityProjectDAL,
@@ -109,10 +86,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         slug,
         permissions: customPermission
       });
-      return {
-        ...additionalPrivilege,
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
     }
 
     const relativeTempAllocatedTimeInMs = ms(dto.temporaryRange);
@@ -126,10 +100,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
-    return {
-      ...additionalPrivilege,
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
   };
 
   const updateBySlug = async ({
@@ -192,11 +163,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
-      return {
-        ...additionalPrivilege,
-
-        permissions: unpackPermissions(additionalPrivilege.permissions)
-      };
+      return additionalPrivilege;
     }
 
     const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.updateById(identityPrivilege.id, {
@@ -207,11 +174,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryRange: null,
       temporaryMode: null
     });
-    return {
-      ...additionalPrivilege,
-
-      permissions: unpackPermissions(additionalPrivilege.permissions)
-    };
+    return additionalPrivilege;
   };
 
   const deleteBySlug = async ({
@@ -257,11 +220,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
-    return {
-      ...deletedPrivilege,
-
-      permissions: unpackPermissions(deletedPrivilege.permissions)
-    };
+    return deletedPrivilege;
   };
 
   const getPrivilegeDetailsBySlug = async ({
@@ -295,10 +254,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (!identityPrivilege) throw new BadRequestError({ message: "Identity additional privilege not found" });
 
-    return {
-      ...identityPrivilege,
-      permissions: unpackPermissions(identityPrivilege.permissions)
-    };
+    return identityPrivilege;
   };
 
   const listIdentityProjectPrivileges = async ({
@@ -328,11 +284,7 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     const identityPrivileges = await identityProjectAdditionalPrivilegeDAL.find({
       projectMembershipId: identityProjectMembership.id
     });
-    return identityPrivileges.map((el) => ({
-      ...el,
-
-      permissions: unpackPermissions(el.permissions)
-    }));
+    return identityPrivileges;
   };
 
   return {

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -1,14 +1,7 @@
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
-import {
-  OrgMembershipRole,
-  OrgMembershipStatus,
-  SecretKeyEncoding,
-  TableName,
-  TLdapConfigsUpdate,
-  TUsers
-} from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -26,15 +19,12 @@ import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -56,7 +46,6 @@ import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 type TLdapConfigServiceFactoryDep = {
   ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
   ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
@@ -86,7 +75,6 @@ export const ldapConfigServiceFactory = ({
   ldapConfigDAL,
   ldapGroupMapDAL,
   orgDAL,
-  orgMembershipDAL,
   orgBotDAL,
   groupDAL,
   groupProjectDAL,
@@ -391,17 +379,16 @@ export const ldapConfigServiceFactory = ({
     username,
     firstName,
     lastName,
-    email,
+    emails,
     groups,
     orgId,
     relayState
   }: TLdapLoginDTO) => {
     const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
     let userAlias = await userAliasDAL.findOne({
       externalId,
       orgId,
-      aliasType: UserAliasType.LDAP
+      aliasType: AuthMethod.LDAP
     });
 
     const organization = await orgDAL.findOrgById(orgId);
@@ -409,13 +396,7 @@ export const ldapConfigServiceFactory = ({
 
     if (userAlias) {
       await userDAL.transaction(async (tx) => {
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: userAlias.userId,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
+        const [orgMembership] = await orgDAL.findMembership({ userId: userAlias.userId }, { tx });
         if (!orgMembership) {
           await orgDAL.createMembership(
             {
@@ -438,75 +419,40 @@ export const ldapConfigServiceFactory = ({
       });
     } else {
       userAlias = await userDAL.transaction(async (tx) => {
-        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!newUser) {
-          const uniqueUsername = await normalizeUsername(username, userDAL);
-          newUser = await userDAL.create(
-            {
-              username: serverCfg.trustLdapEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustLdapEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
+        const uniqueUsername = await normalizeUsername(username, userDAL);
+        const newUser = await userDAL.create(
+          {
+            username: uniqueUsername,
+            email: emails[0],
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.LDAP],
+            isGhost: false
+          },
+          tx
+        );
         const newUserAlias = await userAliasDAL.create(
           {
             userId: newUser.id,
             username,
-            aliasType: UserAliasType.LDAP,
+            aliasType: AuthMethod.LDAP,
             externalId,
-            emails: [email],
+            emails,
             orgId
           },
           tx
         );
 
-        const [orgMembership] = await orgDAL.findMembership(
+        await orgDAL.createMembership(
           {
-            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+            userId: newUser.id,
+            orgId,
+            role: OrgMembershipRole.Member,
+            status: OrgMembershipStatus.Invited
           },
-          { tx }
+          tx
         );
 
-        if (!orgMembership) {
-          await orgMembershipDAL.create(
-            {
-              userId: userAlias.userId,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
-          await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-
         return newUserAlias;
       });
     }
@@ -597,14 +543,11 @@ export const ldapConfigServiceFactory = ({
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
         username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
         firstName,
         lastName,
         organizationName: organization.name,
         organizationId: organization.id,
-        organizationSlug: organization.slug,
         authMethod: AuthMethod.LDAP,
-        authType: UserAliasType.LDAP,
         isUserCompleted,
         ...(relayState
           ? {

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -51,7 +51,7 @@ export type TLdapLoginDTO = {
   username: string;
   firstName: string;
   lastName: string;
-  email: string;
+  emails: string[];
   orgId: string;
   groups?: {
     dn: string;

backend/src/ee/services/license/licence-fns.ts

@@ -24,8 +24,6 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   customAlerts: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
-  auditLogStreams: false,
-  auditLogStreamLimit: 3,
   samlSSO: false,
   scim: false,
   ldap: false,

backend/src/ee/services/license/license-service.ts

@@ -121,8 +121,8 @@ export const licenseServiceFactory = ({
 
         if (isValidOfflineLicense) {
           onPremFeatures = contents.license.features;
-          instanceType = InstanceType.EnterpriseOnPremOffline;
-          logger.info(`Instance type: ${InstanceType.EnterpriseOnPremOffline}`);
+          instanceType = InstanceType.EnterpriseOnPrem;
+          logger.info(`Instance type: ${InstanceType.EnterpriseOnPrem}`);
           isValidLicense = true;
           return;
         }

backend/src/ee/services/license/license-types.ts

@@ -3,7 +3,6 @@ import { TOrgPermission } from "@app/lib/types";
 export enum InstanceType {
   OnPrem = "self-hosted",
   EnterpriseOnPrem = "enterprise-self-hosted",
-  EnterpriseOnPremOffline = "enterprise-self-hosted-offline",
   Cloud = "cloud"
 }
 
@@ -41,8 +40,6 @@ export type TFeatureSet = {
   customAlerts: false;
   auditLogs: false;
   auditLogsRetentionDays: 0;
-  auditLogStreams: false;
-  auditLogStreamLimit: 3;
   samlSSO: false;
   scim: false;
   ldap: false;

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -7,8 +7,7 @@ import {
   SecretKeyEncoding,
   TableName,
   TSamlConfigs,
-  TSamlConfigsUpdate,
-  TUsers
+  TSamlConfigsUpdate
 } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
 import {
@@ -20,18 +19,10 @@ import {
   infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
-import { AuthTokenType } from "@app/services/auth/auth-type";
-import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
-import { TokenType } from "@app/services/auth-token/auth-token-types";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
-import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
-import { normalizeUsername } from "@app/services/user/user-fns";
-import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -40,19 +31,15 @@ import { TSamlConfigDALFactory } from "./saml-config-dal";
 import { TCreateSamlCfgDTO, TGetSamlCfgDTO, TSamlLoginDTO, TUpdateSamlCfgDTO } from "./saml-config-types";
 
 type TSamlConfigServiceFactoryDep = {
-  samlConfigDAL: Pick<TSamlConfigDALFactory, "create" | "findOne" | "update" | "findById">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById" | "findById">;
-  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
+  samlConfigDAL: TSamlConfigDALFactory;
+  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
   >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "create">;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
-  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
-  smtpService: Pick<TSmtpService, "sendMail">;
 };
 
 export type TSamlConfigServiceFactory = ReturnType<typeof samlConfigServiceFactory>;
@@ -61,13 +48,9 @@ export const samlConfigServiceFactory = ({
   samlConfigDAL,
   orgBotDAL,
   orgDAL,
-  orgMembershipDAL,
   userDAL,
-  userAliasDAL,
   permissionService,
-  licenseService,
-  tokenService,
-  smtpService
+  licenseService
 }: TSamlConfigServiceFactoryDep) => {
   const createSamlCfg = async ({
     cert,
@@ -322,7 +305,7 @@ export const samlConfigServiceFactory = ({
   };
 
   const samlLogin = async ({
-    externalId,
+    username,
     email,
     firstName,
     lastName,
@@ -331,40 +314,38 @@ export const samlConfigServiceFactory = ({
     relayState
   }: TSamlLoginDTO) => {
     const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
-    const userAlias = await userAliasDAL.findOne({
-      externalId,
-      orgId,
-      aliasType: UserAliasType.SAML
-    });
+    let user = await userDAL.findOne({ username });
 
     const organization = await orgDAL.findOrgById(orgId);
     if (!organization) throw new BadRequestError({ message: "Org not found" });
 
-    let user: TUsers;
-    if (userAlias) {
-      user = await userDAL.transaction(async (tx) => {
-        const foundUser = await userDAL.findById(userAlias.userId, tx);
+    // TODO(dangtony98): remove this after aliases update
+    if (authProvider === AuthMethod.KEYCLOAK_SAML && appCfg.LICENSE_SERVER_KEY) {
+      throw new BadRequestError({ message: "Keycloak SAML is not yet available on Infisical Cloud" });
+    }
+
+    if (user) {
+      await userDAL.transaction(async (tx) => {
         const [orgMembership] = await orgDAL.findMembership(
           {
-            [`${TableName.OrgMembership}.userId` as "userId"]: foundUser.id,
+            userId: user.id,
             [`${TableName.OrgMembership}.orgId` as "id"]: orgId
           },
           { tx }
         );
         if (!orgMembership) {
-          await orgMembershipDAL.create(
+          await orgDAL.createMembership(
             {
-              userId: userAlias.userId,
-              inviteEmail: email,
+              userId: user.id,
               orgId,
+              inviteEmail: email,
               role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
           // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && foundUser.isAccepted) {
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
           await orgDAL.updateMembershipById(
             orgMembership.id,
             {
@@ -373,97 +354,40 @@ export const samlConfigServiceFactory = ({
             tx
           );
         }
-
-        return foundUser;
       });
     } else {
       user = await userDAL.transaction(async (tx) => {
-        let newUser: TUsers | undefined;
-        if (serverCfg.trustSamlEmails) {
-          newUser = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!newUser) {
-          const uniqueUsername = await normalizeUsername(`${firstName ?? ""}-${lastName ?? ""}`, userDAL);
-          newUser = await userDAL.create(
-            {
-              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustSamlEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
-        await userAliasDAL.create(
+        const newUser = await userDAL.create(
           {
-            userId: newUser.id,
-            aliasType: UserAliasType.SAML,
-            externalId,
-            emails: email ? [email] : [],
-            orgId
+            username,
+            email,
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
           },
           tx
         );
-
-        const [orgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: newUser.id,
-            [`${TableName.OrgMembership}.orgId` as "id"]: orgId
-          },
-          { tx }
-        );
-
-        if (!orgMembership) {
-          await orgMembershipDAL.create(
-            {
-              userId: newUser.id,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && newUser.isAccepted) {
-          await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-
+        await orgDAL.createMembership({
+          inviteEmail: email,
+          orgId,
+          role: OrgMembershipRole.Member,
+          status: OrgMembershipStatus.Invited
+        });
         return newUser;
       });
     }
-
     const isUserCompleted = Boolean(user.isAccepted);
     const providerAuthToken = jwt.sign(
       {
         authTokenType: AuthTokenType.PROVIDER_TOKEN,
         userId: user.id,
         username: user.username,
-        ...(user.email && { email: user.email, isEmailVerified: user.isEmailVerified }),
         firstName,
         lastName,
         organizationName: organization.name,
         organizationId: organization.id,
-        organizationSlug: organization.slug,
         authMethod: authProvider,
-        authType: UserAliasType.SAML,
         isUserCompleted,
         ...(relayState
           ? {
@@ -479,22 +403,6 @@ export const samlConfigServiceFactory = ({
 
     await samlConfigDAL.update({ orgId }, { lastUsed: new Date() });
 
-    if (user.email && !user.isEmailVerified) {
-      const token = await tokenService.createTokenForUser({
-        type: TokenType.TOKEN_EMAIL_VERIFICATION,
-        userId: user.id
-      });
-
-      await smtpService.sendMail({
-        template: SmtpTemplates.EmailVerification,
-        subjectLine: "Infisical confirmation code",
-        recipients: [user.email],
-        substitutions: {
-          code: token
-        }
-      });
-    }
-
     return { isUserCompleted, providerAuthToken };
   };
 

backend/src/ee/services/saml-config/saml-config-types.ts

@@ -45,8 +45,8 @@ export type TGetSamlCfgDTO =
     };
 
 export type TSamlLoginDTO = {
-  externalId: string;
-  email: string;
+  username: string;
+  email?: string;
   firstName: string;
   lastName?: string;
   authProvider: string;

backend/src/ee/services/scim/scim-fns.ts

@@ -2,31 +2,31 @@ import { TListScimGroups, TListScimUsers, TScimGroup, TScimUser } from "./scim-t
 
 export const buildScimUserList = ({
   scimUsers,
-  startIndex,
+  offset,
   limit
 }: {
   scimUsers: TScimUser[];
-  startIndex: number;
+  offset: number;
   limit: number;
 }): TListScimUsers => {
   return {
     Resources: scimUsers,
     itemsPerPage: limit,
     schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex,
+    startIndex: offset,
     totalResults: scimUsers.length
   };
 };
 
 export const buildScimUser = ({
-  orgMembershipId,
+  userId,
   username,
   email,
   firstName,
   lastName,
   active
 }: {
-  orgMembershipId: string;
+  userId: string;
   username: string;
   email?: string | null;
   firstName: string;
@@ -35,7 +35,7 @@ export const buildScimUser = ({
 }): TScimUser => {
   const scimUser = {
     schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
-    id: orgMembershipId,
+    id: userId,
     userName: username,
     displayName: `${firstName} ${lastName}`,
     name: {
@@ -65,18 +65,18 @@ export const buildScimUser = ({
 
 export const buildScimGroupList = ({
   scimGroups,
-  startIndex,
+  offset,
   limit
 }: {
   scimGroups: TScimGroup[];
-  startIndex: number;
+  offset: number;
   limit: number;
 }): TListScimGroups => {
   return {
     Resources: scimGroups,
     itemsPerPage: limit,
     schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-    startIndex,
+    startIndex: offset,
     totalResults: scimGroups.length
   };
 };

backend/src/ee/services/scim/scim-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -11,21 +11,16 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
-import { AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
-import { deleteOrgMembershipFn } from "@app/services/org/org-fns";
-import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
+import { deleteOrgMembership } from "@app/services/org/org-fns";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
 import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
-import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
-import { normalizeUsername } from "@app/services/user/user-fns";
-import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
-import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
@@ -52,32 +47,24 @@ import {
 
 type TScimServiceFactoryDep = {
   scimDAL: Pick<TScimDALFactory, "create" | "find" | "findById" | "deleteById">;
-  userDAL: Pick<
-    TUserDALFactory,
-    "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch" | "findById"
-  >;
-  userAliasDAL: Pick<TUserAliasDALFactory, "findOne" | "create" | "delete">;
+  userDAL: Pick<TUserDALFactory, "find" | "findOne" | "create" | "transaction" | "findUserEncKeyByUserIdsBatch">;
   orgDAL: Pick<
     TOrgDALFactory,
-    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
+    "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction"
   >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
   projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
-  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
+  projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete">;
   groupDAL: Pick<
     TGroupDALFactory,
     "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
-  userGroupMembershipDAL: Pick<
-    TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
-  >;
+  userGroupMembershipDAL: TUserGroupMembershipDALFactory; // TODO: Pick
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
-  smtpService: Pick<TSmtpService, "sendMail">;
+  smtpService: TSmtpService;
 };
 
 export type TScimServiceFactory = ReturnType<typeof scimServiceFactory>;
@@ -86,9 +73,7 @@ export const scimServiceFactory = ({
   licenseService,
   scimDAL,
   userDAL,
-  userAliasDAL,
   orgDAL,
-  orgMembershipDAL,
   projectDAL,
   projectMembershipDAL,
   groupDAL,
@@ -175,7 +160,7 @@ export const scimServiceFactory = ({
   };
 
   // SCIM server endpoints
-  const listScimUsers = async ({ startIndex, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
+  const listScimUsers = async ({ offset, limit, filter, orgId }: TListScimUsersDTO): Promise<TListScimUsers> => {
     const org = await orgDAL.findById(orgId);
 
     if (!org.scimEnabled)
@@ -193,11 +178,11 @@ export const scimServiceFactory = ({
         attributeName = "email";
       }
 
-      return { [attributeName]: parsedValue.replace(/"/g, "") };
+      return { [attributeName]: parsedValue };
     };
 
     const findOpts = {
-      ...(startIndex && { offset: startIndex - 1 }),
+      ...(offset && { offset }),
       ...(limit && { limit })
     };
 
@@ -209,10 +194,10 @@ export const scimServiceFactory = ({
       findOpts
     );
 
-    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ userId, username, firstName, lastName, email }) =>
       buildScimUser({
-        orgMembershipId: id ?? "",
-        username: externalId ?? username,
+        userId: userId ?? "",
+        username,
         firstName: firstName ?? "",
         lastName: lastName ?? "",
         email,
@@ -222,16 +207,16 @@ export const scimServiceFactory = ({
 
     return buildScimUserList({
       scimUsers,
-      startIndex,
+      offset,
       limit
     });
   };
 
-  const getScimUser = async ({ orgMembershipId, orgId }: TGetScimUserDTO) => {
+  const getScimUser = async ({ userId, orgId }: TGetScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -253,8 +238,8 @@ export const scimServiceFactory = ({
       });
 
     return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
       email: membership.email ?? "",
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -262,9 +247,7 @@ export const scimServiceFactory = ({
     });
   };
 
-  const createScimUser = async ({ externalId, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
-    if (!email) throw new ScimRequestError({ detail: "Invalid request. Missing email.", status: 400 });
-
+  const createScimUser = async ({ username, email, firstName, lastName, orgId }: TCreateScimUserDTO) => {
     const org = await orgDAL.findById(orgId);
 
     if (!org)
@@ -279,121 +262,67 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const appCfg = getConfig();
-    const serverCfg = await getServerCfg();
-
-    const userAlias = await userAliasDAL.findOne({
-      externalId,
-      orgId,
-      aliasType: UserAliasType.SAML
+    let user = await userDAL.findOne({
+      username
     });
 
-    const { user: createdUser, orgMembership: createdOrgMembership } = await userDAL.transaction(async (tx) => {
-      let user: TUsers | undefined;
-      let orgMembership: TOrgMemberships;
-      if (userAlias) {
-        user = await userDAL.findById(userAlias.userId, tx);
-        orgMembership = await orgMembershipDAL.findOne(
+    if (user) {
+      await userDAL.transaction(async (tx) => {
+        const [orgMembership] = await orgDAL.findMembership(
           {
             userId: user.id,
-            orgId
-          },
-          tx
-        );
-
-        if (!orgMembership) {
-          orgMembership = await orgMembershipDAL.create(
-            {
-              userId: userAlias.userId,
-              inviteEmail: email,
-              orgId,
-              role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
-          orgMembership = await orgMembershipDAL.updateById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
-            },
-            tx
-          );
-        }
-      } else {
-        if (serverCfg.trustSamlEmails) {
-          user = await userDAL.findOne(
-            {
-              email,
-              isEmailVerified: true
-            },
-            tx
-          );
-        }
-
-        if (!user) {
-          const uniqueUsername = await normalizeUsername(`${firstName}-${lastName}`, userDAL);
-          user = await userDAL.create(
-            {
-              username: serverCfg.trustSamlEmails ? email : uniqueUsername,
-              email,
-              isEmailVerified: serverCfg.trustSamlEmails,
-              firstName,
-              lastName,
-              authMethods: [],
-              isGhost: false
-            },
-            tx
-          );
-        }
-
-        await userAliasDAL.create(
-          {
-            userId: user.id,
-            aliasType: UserAliasType.SAML,
-            externalId,
-            emails: email ? [email] : [],
-            orgId
-          },
-          tx
-        );
-
-        const [foundOrgMembership] = await orgDAL.findMembership(
-          {
-            [`${TableName.OrgMembership}.userId` as "userId"]: user.id,
             [`${TableName.OrgMembership}.orgId` as "id"]: orgId
           },
           { tx }
         );
-
-        orgMembership = foundOrgMembership;
+        if (orgMembership)
+          throw new ScimRequestError({
+            detail: "User already exists in the database",
+            status: 409
+          });
 
         if (!orgMembership) {
-          orgMembership = await orgMembershipDAL.create(
+          await orgDAL.createMembership(
             {
               userId: user.id,
-              inviteEmail: email,
               orgId,
+              inviteEmail: email,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
-            },
-            tx
-          );
-          // Only update the membership to Accepted if the user account is already completed.
-        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
-          orgMembership = await orgDAL.updateMembershipById(
-            orgMembership.id,
-            {
-              status: OrgMembershipStatus.Accepted
+              status: OrgMembershipStatus.Invited
             },
             tx
           );
         }
-      }
+      });
+    } else {
+      user = await userDAL.transaction(async (tx) => {
+        const newUser = await userDAL.create(
+          {
+            username,
+            email,
+            firstName,
+            lastName,
+            authMethods: [AuthMethod.EMAIL],
+            isGhost: false
+          },
+          tx
+        );
 
-      return { user, orgMembership };
-    });
+        await orgDAL.createMembership(
+          {
+            inviteEmail: email,
+            orgId,
+            userId: newUser.id,
+            role: OrgMembershipRole.Member,
+            status: OrgMembershipStatus.Invited
+          },
+          tx
+        );
+        return newUser;
+      });
+    }
+
+    const appCfg = getConfig();
 
     if (email) {
       await smtpService.sendMail({
@@ -408,20 +337,20 @@ export const scimServiceFactory = ({
     }
 
     return buildScimUser({
-      orgMembershipId: createdOrgMembership.id,
-      username: externalId,
-      firstName: createdUser.firstName as string,
-      lastName: createdUser.lastName as string,
-      email: createdUser.email ?? "",
+      userId: user.id,
+      username: user.username,
+      firstName: user.firstName as string,
+      lastName: user.lastName as string,
+      email: user.email ?? "",
       active: true
     });
   };
 
-  const updateScimUser = async ({ orgMembershipId, orgId, operations }: TUpdateScimUserDTO) => {
+  const updateScimUser = async ({ userId, orgId, operations }: TUpdateScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -457,20 +386,18 @@ export const scimServiceFactory = ({
     });
 
     if (!active) {
-      await deleteOrgMembershipFn({
+      await deleteOrgMembership({
         orgMembershipId: membership.id,
         orgId: membership.orgId,
         orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
+        projectDAL,
+        projectMembershipDAL
       });
     }
 
     return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -478,11 +405,11 @@ export const scimServiceFactory = ({
     });
   };
 
-  const replaceScimUser = async ({ orgMembershipId, active, orgId }: TReplaceScimUserDTO) => {
+  const replaceScimUser = async ({ userId, active, orgId }: TReplaceScimUserDTO) => {
     const [membership] = await orgDAL
       .findMembership({
-        [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-        [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
       })
       .catch(() => {
         throw new ScimRequestError({
@@ -504,20 +431,19 @@ export const scimServiceFactory = ({
       });
 
     if (!active) {
-      await deleteOrgMembershipFn({
+      // tx
+      await deleteOrgMembership({
         orgMembershipId: membership.id,
         orgId: membership.orgId,
         orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
+        projectDAL,
+        projectMembershipDAL
       });
     }
 
     return buildScimUser({
-      orgMembershipId: membership.id,
-      username: membership.externalId ?? membership.username,
+      userId: membership.userId as string,
+      username: membership.username,
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
@@ -525,11 +451,18 @@ export const scimServiceFactory = ({
     });
   };
 
-  const deleteScimUser = async ({ orgMembershipId, orgId }: TDeleteScimUserDTO) => {
-    const [membership] = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.id` as "id"]: orgMembershipId,
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId
-    });
+  const deleteScimUser = async ({ userId, orgId }: TDeleteScimUserDTO) => {
+    const [membership] = await orgDAL
+      .findMembership({
+        userId,
+        [`${TableName.OrgMembership}.orgId` as "id"]: orgId
+      })
+      .catch(() => {
+        throw new ScimRequestError({
+          detail: "User not found",
+          status: 404
+        });
+      });
 
     if (!membership)
       throw new ScimRequestError({
@@ -544,20 +477,18 @@ export const scimServiceFactory = ({
       });
     }
 
-    await deleteOrgMembershipFn({
+    await deleteOrgMembership({
       orgMembershipId: membership.id,
       orgId: membership.orgId,
       orgDAL,
-      projectMembershipDAL,
-      projectKeyDAL,
-      userAliasDAL,
-      licenseService
+      projectDAL,
+      projectMembershipDAL
     });
 
     return {}; // intentionally return empty object upon success
   };
 
-  const listScimGroups = async ({ orgId, startIndex, limit }: TListScimGroupsDTO) => {
+  const listScimGroups = async ({ orgId, offset, limit }: TListScimGroupsDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
       throw new BadRequestError({
@@ -578,27 +509,21 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    const groups = await groupDAL.findGroups(
-      {
-        orgId
-      },
-      {
-        offset: startIndex - 1,
-        limit
-      }
-    );
+    const groups = await groupDAL.findGroups({
+      orgId
+    });
 
     const scimGroups = groups.map((group) =>
       buildScimGroup({
         groupId: group.id,
         name: group.name,
-        members: [] // does this need to be populated?
+        members: []
       })
     );
 
     return buildScimGroupList({
       scimGroups,
-      startIndex,
+      offset,
       limit
     });
   };
@@ -637,15 +562,9 @@ export const scimServiceFactory = ({
       );
 
       if (members && members.length) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: {
-            id: members.map((member) => member.value)
-          }
-        });
-
         const newMembers = await addUsersToGroupByUserIds({
           group,
-          userIds: orgMemberships.map((membership) => membership.userId as string),
+          userIds: members.map((member) => member.value),
           userDAL,
           userGroupMembershipDAL,
           orgDAL,
@@ -662,19 +581,12 @@ export const scimServiceFactory = ({
       return { group, newMembers: [] };
     });
 
-    const orgMemberships = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
-      $in: {
-        [`${TableName.OrgMembership}.userId` as "userId"]: newGroup.newMembers.map((member) => member.id)
-      }
-    });
-
     return buildScimGroup({
       groupId: newGroup.group.id,
       name: newGroup.group.name,
-      members: orgMemberships.map(({ id, firstName, lastName }) => ({
-        value: id,
-        display: `${firstName} ${lastName}`
+      members: newGroup.newMembers.map((member) => ({
+        value: member.id,
+        display: `${member.firstName} ${member.lastName}`
       }))
     });
   };
@@ -703,22 +615,15 @@ export const scimServiceFactory = ({
       groupId: group.id
     });
 
-    const orgMemberships = await orgDAL.findMembership({
-      [`${TableName.OrgMembership}.orgId` as "orgId"]: orgId,
-      $in: {
-        [`${TableName.OrgMembership}.userId` as "userId"]: users
-          .filter((user) => user.isPartOfGroup)
-          .map((user) => user.id)
-      }
-    });
-
     return buildScimGroup({
       groupId: group.id,
       name: group.name,
-      members: orgMemberships.map(({ id, firstName, lastName }) => ({
-        value: id,
-        display: `${firstName} ${lastName}`
-      }))
+      members: users
+        .filter((user) => user.isPartOfGroup)
+        .map((user) => ({
+          value: user.id,
+          display: `${user.firstName} ${user.lastName}`
+        }))
     });
   };
 
@@ -762,13 +667,7 @@ export const scimServiceFactory = ({
       }
 
       if (members) {
-        const orgMemberships = await orgMembershipDAL.find({
-          $in: {
-            id: members.map((member) => member.value)
-          }
-        });
-
-        const membersIdsSet = new Set(orgMemberships.map((orgMembership) => orgMembership.userId));
+        const membersIdsSet = new Set(members.map((member) => member.value));
 
         const directMemberUserIds = (
           await userGroupMembershipDAL.find({
@@ -787,13 +686,13 @@ export const scimServiceFactory = ({
         const allMembersUserIds = directMemberUserIds.concat(pendingGroupAdditionsUserIds);
         const allMembersUserIdsSet = new Set(allMembersUserIds);
 
-        const toAddUserIds = orgMemberships.filter((member) => !allMembersUserIdsSet.has(member.userId as string));
+        const toAddUserIds = members.filter((member) => !allMembersUserIdsSet.has(member.value));
         const toRemoveUserIds = allMembersUserIds.filter((userId) => !membersIdsSet.has(userId));
 
         if (toAddUserIds.length) {
           await addUsersToGroupByUserIds({
             group,
-            userIds: toAddUserIds.map((member) => member.userId as string),
+            userIds: toAddUserIds.map((member) => member.value),
             userDAL,
             userGroupMembershipDAL,
             orgDAL,

backend/src/ee/services/scim/scim-types.ts

@@ -12,7 +12,7 @@ export type TDeleteScimTokenDTO = {
 // SCIM server endpoint types
 
 export type TListScimUsersDTO = {
-  startIndex: number;
+  offset: number;
   limit: number;
   filter?: string;
   orgId: string;
@@ -27,12 +27,12 @@ export type TListScimUsers = {
 };
 
 export type TGetScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
   orgId: string;
 };
 
 export type TCreateScimUserDTO = {
-  externalId: string;
+  username: string;
   email?: string;
   firstName: string;
   lastName: string;
@@ -40,7 +40,7 @@ export type TCreateScimUserDTO = {
 };
 
 export type TUpdateScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
   orgId: string;
   operations: {
     op: string;
@@ -54,18 +54,18 @@ export type TUpdateScimUserDTO = {
 };
 
 export type TReplaceScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
   active: boolean;
   orgId: string;
 };
 
 export type TDeleteScimUserDTO = {
-  orgMembershipId: string;
+  userId: string;
   orgId: string;
 };
 
 export type TListScimGroupsDTO = {
-  startIndex: number;
+  offset: number;
   limit: number;
   orgId: string;
 };

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -7,15 +7,12 @@ import {
   SecretType,
   TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
-import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
-import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
-import { getAllNestedSecretReferences } from "@app/services/secret/secret-fns";
 import { TSecretQueueFactory } from "@app/services/secret/secret-queue";
 import { TSecretServiceFactory } from "@app/services/secret/secret-service";
 import { TSecretVersionDALFactory } from "@app/services/secret/secret-version-dal";
@@ -56,7 +53,6 @@ type TSecretApprovalRequestServiceFactoryDep = {
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
   projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
-  projectBotService: Pick<TProjectBotServiceFactory, "getBotKey">;
   secretService: Pick<
     TSecretServiceFactory,
     | "fnSecretBulkInsert"
@@ -84,8 +80,7 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretService,
   secretVersionDAL,
-  secretQueueService,
-  projectBotService
+  secretQueueService
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -357,7 +352,7 @@ export const secretApprovalRequestServiceFactory = ({
     }
 
     const secretDeletionCommits = secretApprovalSecrets.filter(({ op }) => op === CommitType.Delete);
-    const botKey = await projectBotService.getBotKey(projectId).catch(() => null);
+
     const mergeStatus = await secretApprovalRequestDAL.transaction(async (tx) => {
       const newSecrets = secretCreationCommits.length
         ? await secretService.fnSecretBulkInsert({
@@ -384,17 +379,7 @@ export const secretApprovalRequestServiceFactory = ({
               ]),
               tags: el?.tags.map(({ id }) => id),
               version: 1,
-              type: SecretType.Shared,
-              references: botKey
-                ? getAllNestedSecretReferences(
-                    decryptSymmetric128BitHexKeyUTF8({
-                      ciphertext: el.secretValueCiphertext,
-                      iv: el.secretValueIV,
-                      tag: el.secretValueTag,
-                      key: botKey
-                    })
-                  )
-                : undefined
+              type: SecretType.Shared
             })),
             secretDAL,
             secretVersionDAL,
@@ -429,17 +414,7 @@ export const secretApprovalRequestServiceFactory = ({
                   "secretReminderNote",
                   "secretReminderRepeatDays",
                   "secretBlindIndex"
-                ]),
-                references: botKey
-                  ? getAllNestedSecretReferences(
-                      decryptSymmetric128BitHexKeyUTF8({
-                        ciphertext: el.secretValueCiphertext,
-                        iv: el.secretValueIV,
-                        tag: el.secretValueTag,
-                        key: botKey
-                      })
-                    )
-                  : undefined
+                ])
               }
             })),
             secretDAL,

backend/src/ee/services/secret-scanning/secret-scanning-service.ts

@@ -90,17 +90,15 @@ export const secretScanningServiceFactory = ({
     const {
       data: { repositories }
     } = await octokit.apps.listReposAccessibleToInstallation();
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await Promise.all(
-        repositories.map(({ id, full_name }) =>
-          secretScanningQueue.startFullRepoScan({
-            organizationId: session.orgId,
-            installationId,
-            repository: { id, fullName: full_name }
-          })
-        )
-      );
-    }
+    await Promise.all(
+      repositories.map(({ id, full_name }) =>
+        secretScanningQueue.startFullRepoScan({
+          organizationId: session.orgId,
+          installationId,
+          repository: { id, fullName: full_name }
+        })
+      )
+    );
     return { installatedApp };
   };
 
@@ -153,7 +151,6 @@ export const secretScanningServiceFactory = ({
   };
 
   const handleRepoPushEvent = async (payload: WebhookEventMap["push"]) => {
-    const appCfg = getConfig();
     const { commits, repository, installation, pusher } = payload;
     if (!commits || !repository || !installation || !pusher) {
       return;
@@ -164,15 +161,13 @@ export const secretScanningServiceFactory = ({
     });
     if (!installationLink) return;
 
-    if (!appCfg.DISABLE_SECRET_SCANNING) {
-      await secretScanningQueue.startPushEventScan({
-        commits,
-        pusher: { name: pusher.name, email: pusher.email },
-        repository: { fullName: repository.full_name, id: repository.id },
-        organizationId: installationLink.orgId,
-        installationId: String(installation?.id)
-      });
-    }
+    await secretScanningQueue.startPushEventScan({
+      commits,
+      pusher: { name: pusher.name, email: pusher.email },
+      repository: { fullName: repository.full_name, id: repository.id },
+      organizationId: installationLink.orgId,
+      installationId: String(installation?.id)
+    });
   };
 
   const handleRepoDeleteEvent = async (installationId: string, repositoryIds: string[]) => {

backend/src/lib/api-docs/constants.ts

@@ -89,21 +89,6 @@ export const UNIVERSAL_AUTH = {
   },
   RENEW_ACCESS_TOKEN: {
     accessToken: "The access token to renew."
-  },
-  REVOKE_ACCESS_TOKEN: {
-    accessToken: "The access token to revoke."
-  }
-} as const;
-
-export const AWS_AUTH = {
-  LOGIN: {
-    identityId: "The ID of the identity to login.",
-    iamHttpRequestMethod: "The HTTP request method used in the signed request.",
-    iamRequestUrl:
-      "The base64-encoded HTTP URL used in the signed request. Most likely, the base64-encoding of https://sts.amazonaws.com/",
-    iamRequestBody:
-      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
-    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
   }
 } as const;
 
@@ -148,6 +133,36 @@ export const PROJECTS = {
     name: "The new name of the project.",
     autoCapitalization: "Disable or enable auto-capitalization for the project."
   },
+  INVITE_MEMBER: {
+    projectId: "The ID of the project to invite the member to.",
+    emails: "A list of organization member emails to invite to the project.",
+    usernames: "A list of usernames to invite to the project."
+  },
+  REMOVE_MEMBER: {
+    projectId: "The ID of the project to remove the member from.",
+    emails: "A list of organization member emails to remove from the project.",
+    usernames: "A list of usernames to remove from the project."
+  },
+  GET_USER_MEMBERSHIPS: {
+    workspaceId: "The ID of the project to get memberships from."
+  },
+  UPDATE_USER_MEMBERSHIP: {
+    workspaceId: "The ID of the project to update the membership for.",
+    membershipId: "The ID of the membership to update.",
+    roles: "A list of roles to update the membership to."
+  },
+  LIST_IDENTITY_MEMBERSHIPS: {
+    projectId: "The ID of the project to get identity memberships from."
+  },
+  UPDATE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to update the identity membership for.",
+    identityId: "The ID of the identity to update the membership for.",
+    roles: "A list of roles to update the membership to."
+  },
+  DELETE_IDENTITY_MEMBERSHIP: {
+    projectId: "The ID of the project to delete the identity membership from.",
+    identityId: "The ID of the identity to delete the membership from."
+  },
   GET_KEY: {
     workspaceId: "The ID of the project to get the key from."
   },
@@ -186,70 +201,6 @@ export const PROJECTS = {
   }
 } as const;
 
-export const PROJECT_USERS = {
-  INVITE_MEMBER: {
-    projectId: "The ID of the project to invite the member to.",
-    emails: "A list of organization member emails to invite to the project.",
-    usernames: "A list of usernames to invite to the project."
-  },
-  REMOVE_MEMBER: {
-    projectId: "The ID of the project to remove the member from.",
-    emails: "A list of organization member emails to remove from the project.",
-    usernames: "A list of usernames to remove from the project."
-  },
-  GET_USER_MEMBERSHIPS: {
-    workspaceId: "The ID of the project to get memberships from."
-  },
-  GET_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to get memberships from.",
-    username: "The username to get project membership of. Email is the default username."
-  },
-  UPDATE_USER_MEMBERSHIP: {
-    workspaceId: "The ID of the project to update the membership for.",
-    membershipId: "The ID of the membership to update.",
-    roles: "A list of roles to update the membership to."
-  }
-};
-
-export const PROJECT_IDENTITIES = {
-  LIST_IDENTITY_MEMBERSHIPS: {
-    projectId: "The ID of the project to get identity memberships from."
-  },
-  GET_IDENTITY_MEMBERSHIP_BY_ID: {
-    identityId: "The ID of the identity to get the membership for.",
-    projectId: "The ID of the project to get the identity membership for."
-  },
-  UPDATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to update the identity membership for.",
-    identityId: "The ID of the identity to update the membership for.",
-    roles: {
-      description: "A list of role slugs to assign to the identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  },
-  DELETE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to delete the identity membership from.",
-    identityId: "The ID of the identity to delete the membership from."
-  },
-  CREATE_IDENTITY_MEMBERSHIP: {
-    projectId: "The ID of the project to create the identity membership from.",
-    identityId: "The ID of the identity to create the membership from.",
-    role: "The role slug to assign to the newly created identity project membership.",
-    roles: {
-      description: "A list of role slugs to assign to the newly created identity project membership.",
-      role: "The role slug to assign to the newly created identity project membership.",
-      isTemporary: "Whether the assigned role is temporary.",
-      temporaryMode: "Type of temporary expiry.",
-      temporaryRange: "Expiry time for temporary access. In relative mode it could be 1s,2m,3h",
-      temporaryAccessStartTime: "Time to which the temporary access starts"
-    }
-  }
-};
-
 export const ENVIRONMENTS = {
   CREATE: {
     workspaceId: "The ID of the project to create the environment in.",
@@ -289,7 +240,6 @@ export const FOLDERS = {
     name: "The new name of the folder.",
     path: "The path of the folder to update.",
     directory: "The new directory of the folder to update. (Deprecated in favor of path)",
-    projectSlug: "The slug of the project where the folder is located.",
     workspaceId: "The ID of the project where the folder is located."
   },
   DELETE: {
@@ -322,12 +272,10 @@ export const SECRETS = {
 
 export const RAW_SECRETS = {
   LIST: {
-    expand: "Whether or not to expand secret references",
     recursive:
       "Whether or not to fetch all secrets from the specified base path, and all of its subdirectories. Note, the max depth is 20 deep.",
     workspaceId: "The ID of the project to list secrets from.",
-    workspaceSlug:
-      "The slug of the project to list secrets from. This parameter is only applicable by machine identities.",
+    workspaceSlug: "The slug of the project to list secrets from. This parameter is only usable by machine identities.",
     environment: "The slug of the environment to list secrets from.",
     secretPath: "The secret path to list secrets from.",
     includeImports: "Weather to include imported secrets or not."
@@ -346,7 +294,6 @@ export const RAW_SECRETS = {
   GET: {
     secretName: "The name of the secret to get.",
     workspaceId: "The ID of the project to get the secret from.",
-    workspaceSlug: "The slug of the project to get the secret from.",
     environment: "The slug of the environment to get the secret from.",
     secretPath: "The path of the secret to get.",
     version: "The version of the secret to get.",
@@ -517,21 +464,12 @@ export const SECRET_TAGS = {
 export const IDENTITY_ADDITIONAL_PRIVILEGE = {
   CREATE: {
     projectSlug: "The slug of the project of the identity in.",
-    identityId: "The ID of the identity to create.",
+    identityId: "The ID of the identity to delete.",
     slug: "The slug of the privilege to create.",
     permissions: `The permission object for the privilege.
-- Read secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"]}
-\`\`\`
-- Read and Write secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
-\`\`\`
-- Read secrets scoped to an environment and secret path
-\`\`\`
-- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
-\`\`\`
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
 `,
     isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
@@ -545,19 +483,11 @@ export const IDENTITY_ADDITIONAL_PRIVILEGE = {
     slug: "The slug of the privilege to update.",
     newSlug: "The new slug of the privilege to update.",
     permissions: `The permission object for the privilege.
-- Read secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"]}
-\`\`\`
-- Read and Write secrets
-\`\`\`
-{ "permissions": [{"action": "read", "subject": "secrets"], {"action": "write", "subject": "secrets"]}
-\`\`\`
-- Read secrets scoped to an environment and secret path
-\`\`\`
-- { "permissions": [{"action": "read", "subject": "secrets", "conditions": { "environment": "dev", "secretPath": { "$glob": "/" } }}] }
-\`\`\`
+1. [["read", "secrets", {environment: "dev", secretPath: {$glob: "/"}}]]
+2. [["read", "secrets", {environment: "dev"}], ["create", "secrets", {environment: "dev"}]]
+2. [["read", "secrets", {environment: "dev"}]]
 `,
+    isPackPermission: "Whether the server should pack(compact) the permission object.",
     isTemporary: "Whether the privilege is temporary.",
     temporaryMode: "Type of temporary access given. Types: relative",
     temporaryRange: "TTL for the temporay time. Eg: 1m, 1h, 1d",
@@ -662,12 +592,10 @@ export const INTEGRATION = {
       secretPrefix: "The prefix for the saved secret. Used by GCP.",
       secretSuffix: "The suffix for the saved secret. Used by GCP.",
       initialSyncBehavoir: "Type of syncing behavoir with the integration.",
-      mappingBehavior: "The mapping behavior of the integration.",
       shouldAutoRedeploy: "Used by Render to trigger auto deploy.",
       secretGCPLabel: "The label for GCP secrets.",
       secretAWSTag: "The tags for AWS secrets.",
-      kmsKeyId: "The ID of the encryption key from AWS KMS.",
-      shouldDisableDelete: "The flag to disable deletion of secrets in AWS Parameter Store."
+      kmsKeyId: "The ID of the encryption key from AWS KMS."
     }
   },
   UPDATE: {
@@ -684,34 +612,5 @@ export const INTEGRATION = {
   },
   DELETE: {
     integrationId: "The ID of the integration object."
-  },
-  SYNC: {
-    integrationId: "The ID of the integration object to manually sync"
-  }
-};
-
-export const AUDIT_LOG_STREAMS = {
-  CREATE: {
-    url: "The HTTP URL to push logs to.",
-    headers: {
-      desc: "The HTTP headers attached for the external prrovider requests.",
-      key: "The HTTP header key name.",
-      value: "The HTTP header value."
-    }
-  },
-  UPDATE: {
-    id: "The ID of the audit log stream to update.",
-    url: "The HTTP URL to push logs to.",
-    headers: {
-      desc: "The HTTP headers attached for the external prrovider requests.",
-      key: "The HTTP header key name.",
-      value: "The HTTP header value."
-    }
-  },
-  DELETE: {
-    id: "The ID of the audit log stream to delete."
-  },
-  GET_BY_ID: {
-    id: "The ID of the audit log stream to get details."
   }
 };

backend/src/lib/config/env.ts

@@ -13,10 +13,6 @@ const zodStrBool = z
 const envSchema = z
   .object({
     PORT: z.coerce.number().default(4000),
-    DISABLE_SECRET_SCANNING: z
-      .enum(["true", "false"])
-      .default("false")
-      .transform((el) => el === "true"),
     REDIS_URL: zpStr(z.string()),
     HOST: zpStr(z.string().default("localhost")),
     DB_CONNECTION_URI: zpStr(z.string().describe("Postgres database connection string")).default(
@@ -123,7 +119,6 @@ const envSchema = z
   })
   .transform((data) => ({
     ...data,
-    isCloud: Boolean(data.LICENSE_SERVER_KEY),
     isSmtpConfigured: Boolean(data.SMTP_HOST),
     isRedisConfigured: Boolean(data.REDIS_URL),
     isDevelopmentMode: data.NODE_ENV === "development",

backend/src/lib/logger/logger.ts

@@ -30,37 +30,6 @@ const loggerConfig = z.object({
   NODE_ENV: z.enum(["development", "test", "production"]).default("production")
 });
 
-const redactedKeys = [
-  "accessToken",
-  "authToken",
-  "serviceToken",
-  "identityAccessToken",
-  "token",
-  "privateKey",
-  "serverPrivateKey",
-  "plainPrivateKey",
-  "plainProjectKey",
-  "encryptedPrivateKey",
-  "userPrivateKey",
-  "protectedKey",
-  "decryptKey",
-  "encryptedProjectKey",
-  "encryptedSymmetricKey",
-  "encryptedPrivateKey",
-  "backupPrivateKey",
-  "secretKey",
-  "SecretKey",
-  "botPrivateKey",
-  "encryptedKey",
-  "plaintextProjectKey",
-  "accessKey",
-  "botKey",
-  "decryptedSecret",
-  "secrets",
-  "key",
-  "password"
-];
-
 export const initLogger = async () => {
   const cfg = loggerConfig.parse(process.env);
   const targets: pino.TransportMultiOptions["targets"][number][] = [
@@ -105,9 +74,7 @@ export const initLogger = async () => {
           hostname: bindings.hostname
           // node_version: process.version
         })
-      },
-      // redact until depth of three
-      redact: [...redactedKeys, ...redactedKeys.map((key) => `*.${key}`), ...redactedKeys.map((key) => `*.*.${key}`)]
+      }
     },
     // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
     transport

backend/src/lib/types/index.ts

@@ -17,7 +17,7 @@ export type TOrgPermission = {
   actorId: string;
   orgId: string;
   actorAuthMethod: ActorAuthMethod;
-  actorOrgId: string;
+  actorOrgId: string | undefined;
 };
 
 export type TProjectPermission = {

backend/src/lib/validator/index.ts

@@ -1,2 +1 @@
 export { isDisposableEmail } from "./validate-email";
-export { validateLocalIps } from "./validate-url";

backend/src/lib/validator/validate-url.ts

@@ -1,18 +0,0 @@
-import { getConfig } from "../config/env";
-import { BadRequestError } from "../errors";
-
-export const validateLocalIps = (url: string) => {
-  const validUrl = new URL(url);
-  const appCfg = getConfig();
-  // on cloud local ips are not allowed
-  if (
-    appCfg.isCloud &&
-    (validUrl.host === "host.docker.internal" ||
-      validUrl.host.match(/^10\.\d+\.\d+\.\d+/) ||
-      validUrl.host.match(/^192\.168\.\d+\.\d+/))
-  )
-    throw new BadRequestError({ message: "Local IPs not allowed as URL" });
-
-  if (validUrl.host === "localhost" || validUrl.host === "127.0.0.1")
-    throw new BadRequestError({ message: "Localhost not allowed" });
-};

backend/src/queue/queue-service.ts

@@ -65,13 +65,7 @@ export type TQueueJobTypes = {
   };
   [QueueName.IntegrationSync]: {
     name: QueueJobs.IntegrationSync;
-    payload: {
-      projectId: string;
-      environment: string;
-      secretPath: string;
-      depth?: number;
-      deDupeQueue?: Record<string, boolean>;
-    };
+    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
   };
   [QueueName.SecretFullRepoScan]: {
     name: QueueJobs.SecretScan;

backend/src/server/config/rateLimiter.ts

@@ -36,7 +36,7 @@ export const writeLimit: RateLimitOptions = {
 export const secretsLimit: RateLimitOptions = {
   // secrets, folders, secret imports
   timeWindow: 60 * 1000,
-  max: 60,
+  max: 600,
   keyGenerator: (req) => req.realIp
 };
 

backend/src/server/plugins/auth/inject-identity.ts

@@ -108,7 +108,6 @@ export const injectIdentity = fp(async (server: FastifyZodProvider) => {
     if (req.url.includes("/api/v3/auth/")) {
       return;
     }
-
     if (!authMode) return;
 
     switch (authMode) {

backend/src/server/plugins/auth/inject-permission.ts

@@ -1,6 +1,5 @@
 import fp from "fastify-plugin";
 
-import { logger } from "@app/lib/logger";
 import { ActorType } from "@app/services/auth/auth-type";
 
 // inject permission type needed based on auth extracted
@@ -16,10 +15,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId, // if the req.auth.authMode is AuthMode.API_KEY, the orgId will be "API_KEY"
         authMethod: req.auth.authMethod // if the req.auth.authMode is AuthMode.API_KEY, the authMethod will be null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.userId}] [type=${ActorType.USER}]`
-      );
     } else if (req.auth.actor === ActorType.IDENTITY) {
       req.permission = {
         type: ActorType.IDENTITY,
@@ -27,10 +22,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.identityId}] [type=${ActorType.IDENTITY}]`
-      );
     } else if (req.auth.actor === ActorType.SERVICE) {
       req.permission = {
         type: ActorType.SERVICE,
@@ -38,10 +29,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.serviceTokenId}] [type=${ActorType.SERVICE}]`
-      );
     } else if (req.auth.actor === ActorType.SCIM_CLIENT) {
       req.permission = {
         type: ActorType.SCIM_CLIENT,
@@ -49,10 +36,6 @@ export const injectPermission = fp(async (server) => {
         orgId: req.auth.orgId,
         authMethod: null
       };
-
-      logger.info(
-        `injectPermission: Injecting permissions for [permissionsForIdentity=${req.auth.scimTokenId}] [type=${ActorType.SCIM_CLIENT}]`
-      );
     }
   });
 });

backend/src/server/plugins/maintenanceMode.ts

@@ -5,13 +5,8 @@ import { getConfig } from "@app/lib/config/env";
 export const maintenanceMode = fp(async (fastify) => {
   fastify.addHook("onRequest", async (req) => {
     const serverEnvs = getConfig();
-    if (serverEnvs.MAINTENANCE_MODE) {
-      // skip if its universal auth login or renew
-      if (req.url === "/api/v1/auth/universal-auth/login" && req.method === "POST") return;
-      if (req.url === "/api/v1/auth/token/renew" && req.method === "POST") return;
-      if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET") {
-        throw new Error("Infisical is in maintenance mode. Please try again later.");
-      }
+    if (req.url !== "/api/v1/auth/checkAuth" && req.method !== "GET" && serverEnvs.MAINTENANCE_MODE) {
+      throw new Error("Infisical is in maintenance mode. Please try again later.");
     }
   });
 });

backend/src/server/routes/index.ts

@@ -2,17 +2,9 @@ import { Knex } from "knex";
 import { z } from "zod";
 
 import { registerV1EERoutes } from "@app/ee/routes/v1";
-import { accessApprovalPolicyApproverDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-approver-dal";
-import { accessApprovalPolicyDALFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-dal";
-import { accessApprovalPolicyServiceFactory } from "@app/ee/services/access-approval-policy/access-approval-policy-service";
-import { accessApprovalRequestDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-dal";
-import { accessApprovalRequestReviewerDALFactory } from "@app/ee/services/access-approval-request/access-approval-request-reviewer-dal";
-import { accessApprovalRequestServiceFactory } from "@app/ee/services/access-approval-request/access-approval-request-service";
 import { auditLogDALFactory } from "@app/ee/services/audit-log/audit-log-dal";
 import { auditLogQueueServiceFactory } from "@app/ee/services/audit-log/audit-log-queue";
 import { auditLogServiceFactory } from "@app/ee/services/audit-log/audit-log-service";
-import { auditLogStreamDALFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-dal";
-import { auditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream/audit-log-stream-service";
 import { dynamicSecretDALFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-dal";
 import { dynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/providers";
@@ -78,12 +70,6 @@ import { identityOrgDALFactory } from "@app/services/identity/identity-org-dal";
 import { identityServiceFactory } from "@app/services/identity/identity-service";
 import { identityAccessTokenDALFactory } from "@app/services/identity-access-token/identity-access-token-dal";
 import { identityAccessTokenServiceFactory } from "@app/services/identity-access-token/identity-access-token-service";
-import { identityAwsAuthDALFactory } from "@app/services/identity-aws-auth/identity-aws-auth-dal";
-import { identityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/identity-aws-auth-service";
-import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-dal";
-import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
-import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
-import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -100,7 +86,6 @@ import { orgDALFactory } from "@app/services/org/org-dal";
 import { orgRoleDALFactory } from "@app/services/org/org-role-dal";
 import { orgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { orgServiceFactory } from "@app/services/org/org-service";
-import { orgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 import { projectDALFactory } from "@app/services/project/project-dal";
 import { projectQueueFactory } from "@app/services/project/project-queue";
 import { projectServiceFactory } from "@app/services/project/project-service";
@@ -160,10 +145,7 @@ export const registerRoutes = async (
     keyStore
   }: { db: Knex; smtp: TSmtpService; queue: TQueueServiceFactory; keyStore: TKeyStoreFactory }
 ) => {
-  const appCfg = getConfig();
-  if (!appCfg.DISABLE_SECRET_SCANNING) {
-    await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
-  }
+  await server.register(registerSecretScannerGhApp, { prefix: "/ss-webhook" });
 
   // db layers
   const userDAL = userDALFactory(db);
@@ -171,7 +153,6 @@ export const registerRoutes = async (
   const authDAL = authDALFactory(db);
   const authTokenDAL = tokenDALFactory(db);
   const orgDAL = orgDALFactory(db);
-  const orgMembershipDAL = orgMembershipDALFactory(db);
   const orgBotDAL = orgBotDALFactory(db);
   const incidentContactDAL = incidentContactDALFactory(db);
   const orgRoleDAL = orgRoleDALFactory(db);
@@ -209,14 +190,9 @@ export const registerRoutes = async (
   const identityProjectAdditionalPrivilegeDAL = identityProjectAdditionalPrivilegeDALFactory(db);
 
   const identityUaDAL = identityUaDALFactory(db);
-  const identityKubernetesAuthDAL = identityKubernetesAuthDALFactory(db);
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
-  const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
-
-  const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
-  const auditLogStreamDAL = auditLogStreamDALFactory(db);
   const trustedIpDAL = trustedIpDALFactory(db);
   const telemetryDAL = telemetryDALFactory(db);
 
@@ -226,12 +202,6 @@ export const registerRoutes = async (
   const scimDAL = scimDALFactory(db);
   const ldapConfigDAL = ldapConfigDALFactory(db);
   const ldapGroupMapDAL = ldapGroupMapDALFactory(db);
-
-  const accessApprovalPolicyDAL = accessApprovalPolicyDALFactory(db);
-  const accessApprovalRequestDAL = accessApprovalRequestDALFactory(db);
-  const accessApprovalPolicyApproverDAL = accessApprovalPolicyApproverDALFactory(db);
-  const accessApprovalRequestReviewerDAL = accessApprovalRequestReviewerDALFactory(db);
-
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -273,15 +243,9 @@ export const registerRoutes = async (
     auditLogDAL,
     queueService,
     projectDAL,
-    licenseService,
-    auditLogStreamDAL
+    licenseService
   });
   const auditLogService = auditLogServiceFactory({ auditLogDAL, permissionService, auditLogQueue });
-  const auditLogStreamService = auditLogStreamServiceFactory({
-    licenseService,
-    permissionService,
-    auditLogStreamDAL
-  });
   const sapService = secretApprovalPolicyServiceFactory({
     projectMembershipDAL,
     projectEnvDAL,
@@ -289,19 +253,13 @@ export const registerRoutes = async (
     permissionService,
     secretApprovalPolicyDAL
   });
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
-
   const samlService = samlConfigServiceFactory({
     permissionService,
     orgBotDAL,
     orgDAL,
-    orgMembershipDAL,
     userDAL,
-    userAliasDAL,
     samlConfigDAL,
-    licenseService,
-    tokenService,
-    smtpService
+    licenseService
   });
   const groupService = groupServiceFactory({
     userDAL,
@@ -330,9 +288,7 @@ export const registerRoutes = async (
     licenseService,
     scimDAL,
     userDAL,
-    userAliasDAL,
     orgDAL,
-    orgMembershipDAL,
     projectDAL,
     projectMembershipDAL,
     groupDAL,
@@ -348,7 +304,6 @@ export const registerRoutes = async (
     ldapConfigDAL,
     ldapGroupMapDAL,
     orgDAL,
-    orgMembershipDAL,
     orgBotDAL,
     groupDAL,
     groupProjectDAL,
@@ -372,13 +327,8 @@ export const registerRoutes = async (
     queueService
   });
 
-  const userService = userServiceFactory({
-    userDAL,
-    userAliasDAL,
-    orgMembershipDAL,
-    tokenService,
-    smtpService
-  });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
+  const userService = userServiceFactory({ userDAL });
   const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, tokenDAL: authTokenDAL });
   const passwordService = authPaswordServiceFactory({
     tokenService,
@@ -387,7 +337,6 @@ export const registerRoutes = async (
     userDAL
   });
   const orgService = orgServiceFactory({
-    userAliasDAL,
     licenseService,
     samlConfigDAL,
     orgRoleDAL,
@@ -548,10 +497,8 @@ export const registerRoutes = async (
     folderDAL,
     folderVersionDAL,
     projectEnvDAL,
-    snapshotService,
-    projectDAL
+    snapshotService
   });
-
   const integrationAuthService = integrationAuthServiceFactory({
     integrationAuthDAL,
     integrationDAL,
@@ -610,7 +557,6 @@ export const registerRoutes = async (
   });
   const sarService = secretApprovalRequestServiceFactory({
     permissionService,
-    projectBotService,
     folderDAL,
     secretDAL,
     secretTagDAL,
@@ -625,30 +571,6 @@ export const registerRoutes = async (
     secretVersionTagDAL,
     secretQueueService
   });
-
-  const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
-    accessApprovalPolicyDAL,
-    accessApprovalPolicyApproverDAL,
-    permissionService,
-    projectEnvDAL,
-    projectMembershipDAL,
-    projectDAL
-  });
-
-  const accessApprovalRequestService = accessApprovalRequestServiceFactory({
-    projectDAL,
-    permissionService,
-    accessApprovalRequestReviewerDAL,
-    additionalPrivilegeDAL: projectUserAdditionalPrivilegeDAL,
-    projectMembershipDAL,
-    accessApprovalPolicyDAL,
-    accessApprovalRequestDAL,
-    projectEnvDAL,
-    userDAL,
-    smtpService,
-    accessApprovalPolicyApproverDAL
-  });
-
   const secretRotationQueue = secretRotationQueueFactory({
     telemetryService,
     secretRotationDAL,
@@ -715,32 +637,6 @@ export const registerRoutes = async (
     identityUaDAL,
     licenseService
   });
-  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
-    identityKubernetesAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    orgBotDAL,
-    permissionService,
-    licenseService
-  });
-  const identityGcpAuthService = identityGcpAuthServiceFactory({
-    identityGcpAuthDAL,
-    identityOrgMembershipDAL,
-    identityAccessTokenDAL,
-    identityDAL,
-    permissionService,
-    licenseService
-  });
-
-  const identityAwsAuthService = identityAwsAuthServiceFactory({
-    identityAccessTokenDAL,
-    identityAwsAuthDAL,
-    identityOrgMembershipDAL,
-    identityDAL,
-    licenseService,
-    permissionService
-  });
 
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
@@ -810,12 +706,7 @@ export const registerRoutes = async (
     identityAccessToken: identityAccessTokenService,
     identityProject: identityProjectService,
     identityUa: identityUaService,
-    identityKubernetesAuth: identityKubernetesAuthService,
-    identityGcpAuth: identityGcpAuthService,
-    identityAwsAuth: identityAwsAuthService,
     secretApprovalPolicy: sapService,
-    accessApprovalPolicy: accessApprovalPolicyService,
-    accessApprovalRequest: accessApprovalRequestService,
     secretApprovalRequest: sarService,
     secretRotation: secretRotationService,
     dynamicSecret: dynamicSecretService,
@@ -824,7 +715,6 @@ export const registerRoutes = async (
     saml: samlService,
     ldap: ldapService,
     auditLog: auditLogService,
-    auditLogStream: auditLogStreamService,
     secretScanning: secretScanningService,
     license: licenseService,
     trustedIp: trustedIpService,

backend/src/server/routes/sanitizedSchemas.ts

@@ -2,13 +2,10 @@ import { z } from "zod";
 
 import {
   DynamicSecretsSchema,
-  IdentityProjectAdditionalPrivilegeSchema,
   IntegrationAuthsSchema,
   SecretApprovalPoliciesSchema,
   UsersSchema
 } from "@app/db/schemas";
-import { UnpackedPermissionSchema } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
-import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 
 // sometimes the return data must be santizied to avoid leaking important values
 // always prefer pick over omit in zod
@@ -65,33 +62,6 @@ export const secretRawSchema = z.object({
   secretComment: z.string().optional()
 });
 
-export const ProjectPermissionSchema = z.object({
-  action: z
-    .nativeEnum(ProjectPermissionActions)
-    .describe("Describe what action an entity can take. Possible actions: create, edit, delete, and read"),
-  subject: z
-    .nativeEnum(ProjectPermissionSub)
-    .describe("The entity this permission pertains to. Possible options: secrets, environments"),
-  conditions: z
-    .object({
-      environment: z.string().describe("The environment slug this permission should allow.").optional(),
-      secretPath: z
-        .object({
-          $glob: z
-            .string()
-            .min(1)
-            .describe("The secret path this permission should allow. Can be a glob pattern such as /folder-name/*/** ")
-        })
-        .optional()
-    })
-    .describe("When specified, only matching conditions will be allowed to access given resource.")
-    .optional()
-});
-
-export const SanitizedIdentityPrivilegeSchema = IdentityProjectAdditionalPrivilegeSchema.extend({
-  permissions: UnpackedPermissionSchema.array()
-});
-
 export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   inputIV: true,
   inputTag: true,
@@ -99,10 +69,3 @@ export const SanitizedDynamicSecretSchema = DynamicSecretsSchema.omit({
   keyEncoding: true,
   algorithm: true
 });
-
-export const SanitizedAuditLogStreamSchema = z.object({
-  id: z.string(),
-  url: z.string(),
-  createdAt: z.date(),
-  updatedAt: z.date()
-});

backend/src/server/routes/v1/admin-router.ts

@@ -20,23 +20,16 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       response: {
         200: z.object({
-          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
-            isMigrationModeOn: z.boolean(),
-            isSecretScanningDisabled: z.boolean()
-          })
+          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).merge(
+            z.object({ isMigrationModeOn: z.boolean() })
+          )
         })
       }
     },
     handler: async () => {
       const config = await getServerCfg();
       const serverEnvs = getConfig();
-      return {
-        config: {
-          ...config,
-          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
-          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING
-        }
-      };
+      return { config: { ...config, isMigrationModeOn: serverEnvs.MAINTENANCE_MODE } };
     }
   });
 
@@ -49,9 +42,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       body: z.object({
         allowSignUp: z.boolean().optional(),
-        allowedSignUpDomain: z.string().optional().nullable(),
-        trustSamlEmails: z.boolean().optional(),
-        trustLdapEmails: z.boolean().optional()
+        allowedSignUpDomain: z.string().optional().nullable()
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-access-token-router.ts

@@ -36,29 +36,4 @@ export const registerIdentityAccessTokenRouter = async (server: FastifyZodProvid
       };
     }
   });
-
-  server.route({
-    url: "/token/revoke",
-    method: "POST",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Revoke access token",
-      body: z.object({
-        accessToken: z.string().trim().describe(UNIVERSAL_AUTH.REVOKE_ACCESS_TOKEN.accessToken)
-      }),
-      response: {
-        200: z.object({
-          message: z.string()
-        })
-      }
-    },
-    handler: async (req) => {
-      await server.services.identityAccessToken.revokeAccessToken(req.body.accessToken);
-      return {
-        message: "Successfully revoked access token"
-      };
-    }
-  });
 };

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -1,269 +0,0 @@
-import { z } from "zod";
-
-import { IdentityAwsAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { AWS_AUTH } from "@app/lib/api-docs";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import {
-  validateAccountIds,
-  validatePrincipalArns
-} from "@app/services/identity-aws-auth/identity-aws-auth-validators";
-
-export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/aws-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with AWS Auth",
-      body: z.object({
-        identityId: z.string().describe(AWS_AUTH.LOGIN.identityId),
-        iamHttpRequestMethod: z.string().default("POST").describe(AWS_AUTH.LOGIN.iamHttpRequestMethod),
-        iamRequestBody: z.string().describe(AWS_AUTH.LOGIN.iamRequestBody),
-        iamRequestHeaders: z.string().describe(AWS_AUTH.LOGIN.iamRequestHeaders)
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityAwsAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityAwsAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityAwsAuthId: identityAwsAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityAwsAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach AWS Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).default("https://sts.amazonaws.com/"),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.attachAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        stsEndpoint: z.string().trim().min(1).optional(),
-        allowedPrincipalArns: validatePrincipalArns,
-        allowedAccountIds: validateAccountIds,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.updateAwsAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId,
-            stsEndpoint: identityAwsAuth.stsEndpoint,
-            allowedPrincipalArns: identityAwsAuth.allowedPrincipalArns,
-            allowedAccountIds: identityAwsAuth.allowedAccountIds,
-            accessTokenTTL: identityAwsAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityAwsAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityAwsAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityAwsAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityAwsAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/aws-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve AWS Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityAwsAuth: IdentityAwsAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityAwsAuth = await server.services.identityAwsAuth.getAwsAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityAwsAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_AWS_AUTH,
-          metadata: {
-            identityId: identityAwsAuth.identityId
-          }
-        }
-      });
-      return { identityAwsAuth };
-    }
-  });
-};

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -1,268 +0,0 @@
-import { z } from "zod";
-
-import { IdentityGcpAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-import { validateGcpAuthField } from "@app/services/identity-gcp-auth/identity-gcp-auth-validators";
-
-export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with GCP Auth",
-      body: z.object({
-        identityId: z.string(),
-        jwt: z.string()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityGcpAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityGcpAuth.login(req.body);
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityGcpAuthId: identityGcpAuth.id
-          }
-        }
-      });
-
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityGcpAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach GCP Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]),
-        allowedServiceAccounts: validateGcpAuthField,
-        allowedProjects: validateGcpAuthField,
-        allowedZones: validateGcpAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.attachGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField,
-        allowedProjects: validateGcpAuthField,
-        allowedZones: validateGcpAuthField,
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.updateGcpAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId,
-            type: identityGcpAuth.type,
-            allowedServiceAccounts: identityGcpAuth.allowedServiceAccounts,
-            allowedProjects: identityGcpAuth.allowedProjects,
-            allowedZones: identityGcpAuth.allowedZones,
-            accessTokenTTL: identityGcpAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityGcpAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityGcpAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityGcpAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/gcp-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve GCP Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityGcpAuth: IdentityGcpAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityGcpAuth = await server.services.identityGcpAuth.getGcpAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityGcpAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_GCP_AUTH,
-          metadata: {
-            identityId: identityGcpAuth.identityId
-          }
-        }
-      });
-
-      return { identityGcpAuth };
-    }
-  });
-};

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -1,283 +0,0 @@
-import { z } from "zod";
-
-import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
-import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
-import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMode } from "@app/services/auth/auth-type";
-import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
-
-const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.omit({
-  encryptedCaCert: true,
-  caCertIV: true,
-  caCertTag: true,
-  encryptedTokenReviewerJwt: true,
-  tokenReviewerJwtIV: true,
-  tokenReviewerJwtTag: true
-}).extend({
-  caCert: z.string(),
-  tokenReviewerJwt: z.string()
-});
-
-export const registerIdentityKubernetesRouter = async (server: FastifyZodProvider) => {
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/login",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Login with Kubernetes Auth",
-      body: z.object({
-        identityId: z.string().trim(),
-        jwt: z.string().trim()
-      }),
-      response: {
-        200: z.object({
-          accessToken: z.string(),
-          expiresIn: z.coerce.number(),
-          accessTokenMaxTTL: z.coerce.number(),
-          tokenType: z.literal("Bearer")
-        })
-      }
-    },
-    handler: async (req) => {
-      const { identityKubernetesAuth, accessToken, identityAccessToken, identityMembershipOrg } =
-        await server.services.identityKubernetesAuth.login({
-          identityId: req.body.identityId,
-          jwt: req.body.jwt
-        });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityMembershipOrg?.orgId,
-        event: {
-          type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            identityAccessTokenId: identityAccessToken.id,
-            identityKubernetesAuthId: identityKubernetesAuth.id
-          }
-        }
-      });
-      return {
-        accessToken,
-        tokenType: "Bearer" as const,
-        expiresIn: identityKubernetesAuth.accessTokenTTL,
-        accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL
-      };
-    }
-  });
-
-  server.route({
-    method: "POST",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Attach Kubernetes Auth configuration onto identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string().trim()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1),
-        caCert: z.string().trim().default(""),
-        tokenReviewerJwt: z.string().trim().min(1),
-        allowedNamespaces: z.string(), // TODO: validation
-        allowedNames: z.string(),
-        allowedAudience: z.string(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
-        accessTokenTTL: z
-          .number()
-          .int()
-          .min(1)
-          .refine((value) => value !== 0, {
-            message: "accessTokenTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .default(2592000),
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.attachKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.ADD_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-
-  server.route({
-    method: "PATCH",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: writeLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Update Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      body: z.object({
-        kubernetesHost: z.string().trim().min(1).optional(),
-        caCert: z.string().trim().optional(),
-        tokenReviewerJwt: z.string().trim().min(1).optional(),
-        allowedNamespaces: z.string().optional(), // TODO: validation
-        allowedNames: z.string().optional(),
-        allowedAudience: z.string().optional(),
-        accessTokenTrustedIps: z
-          .object({
-            ipAddress: z.string().trim()
-          })
-          .array()
-          .min(1)
-          .optional(),
-        accessTokenTTL: z.number().int().min(0).optional(),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
-        accessTokenMaxTTL: z
-          .number()
-          .int()
-          .refine((value) => value !== 0, {
-            message: "accessTokenMaxTTL must have a non zero number"
-          })
-          .optional()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthsSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.updateKubernetesAuth({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        ...req.body,
-        identityId: req.params.identityId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId,
-            kubernetesHost: identityKubernetesAuth.kubernetesHost,
-            allowedNamespaces: identityKubernetesAuth.allowedNamespaces,
-            allowedNames: identityKubernetesAuth.allowedNames,
-            accessTokenTTL: identityKubernetesAuth.accessTokenTTL,
-            accessTokenMaxTTL: identityKubernetesAuth.accessTokenMaxTTL,
-            accessTokenTrustedIps: identityKubernetesAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityKubernetesAuth.accessTokenNumUsesLimit
-          }
-        }
-      });
-
-      return { identityKubernetesAuth };
-    }
-  });
-
-  server.route({
-    method: "GET",
-    url: "/kubernetes-auth/identities/:identityId",
-    config: {
-      rateLimit: readLimit
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    schema: {
-      description: "Retrieve Kubernetes Auth configuration on identity",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        identityId: z.string()
-      }),
-      response: {
-        200: z.object({
-          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema
-        })
-      }
-    },
-    handler: async (req) => {
-      const identityKubernetesAuth = await server.services.identityKubernetesAuth.getKubernetesAuth({
-        identityId: req.params.identityId,
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorOrgId: req.permission.orgId,
-        actorAuthMethod: req.permission.authMethod
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        orgId: identityKubernetesAuth.orgId,
-        event: {
-          type: EventType.GET_IDENTITY_KUBERNETES_AUTH,
-          metadata: {
-            identityId: identityKubernetesAuth.identityId
-          }
-        }
-      });
-
-      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
-    }
-  });
-};

backend/src/server/routes/v1/index.ts

@@ -2,9 +2,6 @@ import { registerAdminRouter } from "./admin-router";
 import { registerAuthRoutes } from "./auth-router";
 import { registerProjectBotRouter } from "./bot-router";
 import { registerIdentityAccessTokenRouter } from "./identity-access-token-router";
-import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
-import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
-import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityUaRouter } from "./identity-ua";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
@@ -30,10 +27,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
     async (authRouter) => {
       await authRouter.register(registerAuthRoutes);
       await authRouter.register(registerIdentityUaRouter);
-      await authRouter.register(registerIdentityKubernetesRouter);
-      await authRouter.register(registerIdentityGcpAuthRouter);
       await authRouter.register(registerIdentityAccessTokenRouter);
-      await authRouter.register(registerIdentityAwsAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/integration-router.ts

@@ -8,7 +8,6 @@ import { writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { IntegrationMappingBehavior } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";
 
 export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
@@ -50,10 +49,6 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
             secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
             secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
             initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
-            mappingBehavior: z
-              .nativeEnum(IntegrationMappingBehavior)
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.mappingBehavior),
             shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
             secretGCPLabel: z
               .object({
@@ -71,8 +66,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
               )
               .optional()
               .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
-            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
+            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId)
           })
           .default({})
       }),
@@ -148,8 +142,8 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
         integrationId: z.string().trim().describe(INTEGRATION.UPDATE.integrationId)
       }),
       body: z.object({
-        app: z.string().trim().optional().describe(INTEGRATION.UPDATE.app),
-        appId: z.string().trim().optional().describe(INTEGRATION.UPDATE.appId),
+        app: z.string().trim().describe(INTEGRATION.UPDATE.app),
+        appId: z.string().trim().describe(INTEGRATION.UPDATE.appId),
         isActive: z.boolean().describe(INTEGRATION.UPDATE.isActive),
         secretPath: z
           .string()
@@ -159,34 +153,7 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
           .describe(INTEGRATION.UPDATE.secretPath),
         targetEnvironment: z.string().trim().describe(INTEGRATION.UPDATE.targetEnvironment),
         owner: z.string().trim().describe(INTEGRATION.UPDATE.owner),
-        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment),
-        metadata: z
-          .object({
-            secretPrefix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretPrefix),
-            secretSuffix: z.string().optional().describe(INTEGRATION.CREATE.metadata.secretSuffix),
-            initialSyncBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.initialSyncBehavoir),
-            mappingBehavior: z.string().optional().describe(INTEGRATION.CREATE.metadata.mappingBehavior),
-            shouldAutoRedeploy: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldAutoRedeploy),
-            secretGCPLabel: z
-              .object({
-                labelName: z.string(),
-                labelValue: z.string()
-              })
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretGCPLabel),
-            secretAWSTag: z
-              .array(
-                z.object({
-                  key: z.string(),
-                  value: z.string()
-                })
-              )
-              .optional()
-              .describe(INTEGRATION.CREATE.metadata.secretAWSTag),
-            kmsKeyId: z.string().optional().describe(INTEGRATION.CREATE.metadata.kmsKeyId),
-            shouldDisableDelete: z.boolean().optional().describe(INTEGRATION.CREATE.metadata.shouldDisableDelete)
-          })
-          .optional()
+        environment: z.string().trim().describe(INTEGRATION.UPDATE.environment)
       }),
       response: {
         200: z.object({
@@ -268,64 +235,5 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/:integrationId/sync",
-    config: {
-      rateLimit: writeLimit
-    },
-    schema: {
-      description: "Manually trigger sync of an integration by integration id",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        integrationId: z.string().trim().describe(INTEGRATION.SYNC.integrationId)
-      }),
-      response: {
-        200: z.object({
-          integration: IntegrationsSchema
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const integration = await server.services.integration.syncIntegration({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        id: req.params.integrationId
-      });
-
-      await server.services.auditLog.createAuditLog({
-        ...req.auditLogInfo,
-        projectId: integration.projectId,
-        event: {
-          type: EventType.MANUAL_SYNC_INTEGRATION,
-          // eslint-disable-next-line
-          metadata: shake({
-            integrationId: integration.id,
-            integration: integration.integration,
-            environment: integration.environment.slug,
-            secretPath: integration.secretPath,
-            url: integration.url,
-            app: integration.app,
-            appId: integration.appId,
-            targetEnvironment: integration.targetEnvironment,
-            targetEnvironmentId: integration.targetEnvironmentId,
-            targetService: integration.targetService,
-            targetServiceId: integration.targetServiceId,
-            path: integration.path,
-            region: integration.region
-            // eslint-disable-next-line
-          }) as any
-        }
-      });
-
-      return { integration };
-    }
-  });
+  // TODO(akhilmhdh-pg): manual sync
 };

backend/src/server/routes/v1/project-membership-router.ts

@@ -9,7 +9,7 @@ import {
   UsersSchema
 } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
-import { PROJECT_USERS } from "@app/lib/api-docs";
+import { PROJECTS } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -30,7 +30,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIPS.workspaceId)
+        workspaceId: z.string().trim().describe(PROJECTS.GET_USER_MEMBERSHIPS.workspaceId)
       }),
       response: {
         200: z.object({
@@ -74,66 +74,6 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
     }
   });
 
-  server.route({
-    method: "POST",
-    url: "/:workspaceId/memberships/details",
-    config: {
-      rateLimit: readLimit
-    },
-    schema: {
-      description: "Return project user memberships",
-      security: [
-        {
-          bearerAuth: []
-        }
-      ],
-      params: z.object({
-        workspaceId: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.workspaceId)
-      }),
-      body: z.object({
-        username: z.string().min(1).trim().describe(PROJECT_USERS.GET_USER_MEMBERSHIP.username)
-      }),
-      response: {
-        200: z.object({
-          membership: ProjectMembershipsSchema.extend({
-            user: UsersSchema.pick({
-              email: true,
-              firstName: true,
-              lastName: true,
-              id: true
-            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
-            roles: z.array(
-              z.object({
-                id: z.string(),
-                role: z.string(),
-                customRoleId: z.string().optional().nullable(),
-                customRoleName: z.string().optional().nullable(),
-                customRoleSlug: z.string().optional().nullable(),
-                isTemporary: z.boolean(),
-                temporaryMode: z.string().optional().nullable(),
-                temporaryRange: z.string().nullable().optional(),
-                temporaryAccessStartTime: z.date().nullable().optional(),
-                temporaryAccessEndTime: z.date().nullable().optional()
-              })
-            )
-          }).omit({ createdAt: true, updatedAt: true })
-        })
-      }
-    },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
-    handler: async (req) => {
-      const membership = await server.services.projectMembership.getProjectMembershipByUsername({
-        actorId: req.permission.id,
-        actor: req.permission.type,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        projectId: req.params.workspaceId,
-        username: req.body.username
-      });
-      return { membership };
-    }
-  });
-
   server.route({
     method: "POST",
     url: "/:workspaceId/memberships",
@@ -202,8 +142,8 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        workspaceId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.workspaceId),
-        membershipId: z.string().trim().describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.membershipId)
+        workspaceId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.workspaceId),
+        membershipId: z.string().trim().describe(PROJECTS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
         roles: z
@@ -224,7 +164,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
           )
           .min(1)
           .refine((data) => data.some(({ isTemporary }) => !isTemporary), "At least one long lived role is required")
-          .describe(PROJECT_USERS.UPDATE_USER_MEMBERSHIP.roles)
+          .describe(PROJECTS.UPDATE_USER_MEMBERSHIP.roles)
       }),
       response: {
         200: z.object({