Merge pull request #3210 from akhilmhdh/fix/gateway-patch-up

Gateway patch up

backend/src/db/migrations/20250305131152_add-actor-id-to-secret-versions-v2.ts

@@ -0,0 +1,45 @@
+import { Knex } from "knex";
+
+import { TableName } from "@app/db/schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (!hasSecretVersionV2UserActorId) {
+        t.uuid("userActorId");
+        t.foreign("userActorId").references("id").inTable(TableName.Users);
+      }
+      if (!hasSecretVersionV2IdentityActorId) {
+        t.uuid("identityActorId");
+        t.foreign("identityActorId").references("id").inTable(TableName.Identity);
+      }
+      if (!hasSecretVersionV2ActorType) {
+        t.string("actorType");
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretVersionV2)) {
+    const hasSecretVersionV2UserActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "userActorId");
+    const hasSecretVersionV2IdentityActorId = await knex.schema.hasColumn(TableName.SecretVersionV2, "identityActorId");
+    const hasSecretVersionV2ActorType = await knex.schema.hasColumn(TableName.SecretVersionV2, "actorType");
+
+    await knex.schema.alterTable(TableName.SecretVersionV2, (t) => {
+      if (hasSecretVersionV2UserActorId) {
+        t.dropColumn("userActorId");
+      }
+      if (hasSecretVersionV2IdentityActorId) {
+        t.dropColumn("identityActorId");
+      }
+      if (hasSecretVersionV2ActorType) {
+        t.dropColumn("actorType");
+      }
+    });
+  }
+}

backend/src/db/schemas/secret-versions-v2.ts

@@ -25,7 +25,10 @@ export const SecretVersionsV2Schema = z.object({
   folderId: z.string().uuid(),
   userId: z.string().uuid().nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  userActorId: z.string().uuid().nullable().optional(),
+  identityActorId: z.string().uuid().nullable().optional(),
+  actorType: z.string().nullable().optional()
 });
 
 export type TSecretVersionsV2 = z.infer<typeof SecretVersionsV2Schema>;

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -503,7 +503,7 @@ export const secretApprovalRequestServiceFactory = ({
     if (!hasMinApproval && !isSoftEnforcement)
       throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
 
-    const { botKey, shouldUseSecretV2Bridge } = await projectBotService.getBotKey(projectId);
+    const { botKey, shouldUseSecretV2Bridge, project } = await projectBotService.getBotKey(projectId);
     let mergeStatus;
     if (shouldUseSecretV2Bridge) {
       // this cycle if for bridged secrets
@@ -861,7 +861,6 @@ export const secretApprovalRequestServiceFactory = ({
 
     if (isSoftEnforcement) {
       const cfg = getConfig();
-      const project = await projectDAL.findProjectById(projectId);
       const env = await projectEnvDAL.findOne({ id: policy.envId });
       const requestedByUser = await userDAL.findOne({ id: actorId });
       const approverUsers = await userDAL.find({
@@ -1156,7 +1155,8 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretName) ?? []))]
         }
       }
     });
@@ -1456,7 +1456,8 @@ export const secretApprovalRequestServiceFactory = ({
           environment: env.name,
           secretPath,
           projectId,
-          requestId: secretApprovalRequest.id
+          requestId: secretApprovalRequest.id,
+          secretKeys: [...new Set(Object.values(data).flatMap((arr) => arr?.map((item) => item.secretKey) ?? []))]
         }
       }
     });

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -13,6 +13,7 @@ import { NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
+import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -332,6 +333,7 @@ export const secretRotationQueueFactory = ({
           await secretVersionV2BridgeDAL.insertMany(
             updatedSecrets.map(({ id, updatedAt, createdAt, ...el }) => ({
               ...el,
+              actorType: ActorType.PLATFORM,
               secretId: id
             })),
             tx

backend/src/ee/services/secret-snapshot/secret-snapshot-service.ts

@@ -7,6 +7,7 @@ import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { InternalServerError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
+import { ActorType } from "@app/services/auth/auth-type";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
@@ -370,7 +371,21 @@ export const secretSnapshotServiceFactory = ({
         const secrets = await secretV2BridgeDAL.insertMany(
           rollbackSnaps.flatMap(({ secretVersions, folderId }) =>
             secretVersions.map(
-              ({ latestSecretVersion, version, updatedAt, createdAt, secretId, envId, id, tags, ...el }) => ({
+              ({
+                latestSecretVersion,
+                version,
+                updatedAt,
+                createdAt,
+                secretId,
+                envId,
+                id,
+                tags,
+                // exclude the bottom fields from the secret - they are for versioning only.
+                userActorId,
+                identityActorId,
+                actorType,
+                ...el
+              }) => ({
                 ...el,
                 id: secretId,
                 version: deletedTopLevelSecsGroupById[secretId] ? latestSecretVersion + 1 : latestSecretVersion,
@@ -401,8 +416,18 @@ export const secretSnapshotServiceFactory = ({
           })),
           tx
         );
+        const userActorId = actor === ActorType.USER ? actorId : undefined;
+        const identityActorId = actor !== ActorType.USER ? actorId : undefined;
+        const actorType = actor || ActorType.PLATFORM;
+
         const secretVersions = await secretVersionV2BridgeDAL.insertMany(
-          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({ ...el, secretId: id })),
+          secrets.map(({ id, updatedAt, createdAt, ...el }) => ({
+            ...el,
+            secretId: id,
+            userActorId,
+            identityActorId,
+            actorType
+          })),
           tx
         );
         await secretVersionV2TagBridgeDAL.insertMany(

backend/src/lib/gateway/index.ts

@@ -96,6 +96,7 @@ export const pingGatewayAndVerify = async ({
       error: err as Error
     });
   });
+
   for (let attempt = 1; attempt <= maxRetries; attempt += 1) {
     try {
       const stream = quicClient.connection.newStream("bidi");
@@ -108,17 +109,13 @@ export const pingGatewayAndVerify = async ({
       const { value, done } = await reader.read();
 
       if (done) {
-        throw new BadRequestError({
-          message: "Gateway closed before receiving PONG"
-        });
+        throw new Error("Gateway closed before receiving PONG");
       }
 
       const response = Buffer.from(value).toString();
 
       if (response !== "PONG\n" && response !== "PONG") {
-        throw new BadRequestError({
-          message: `Failed to Ping. Unexpected response: ${response}`
-        });
+        throw new Error(`Failed to Ping. Unexpected response: ${response}`);
       }
 
       reader.releaseLock();
@@ -146,6 +143,7 @@ interface TProxyServer {
   server: net.Server;
   port: number;
   cleanup: () => Promise<void>;
+  getProxyError: () => string;
 }
 
 const setupProxyServer = async ({
@@ -170,6 +168,7 @@ const setupProxyServer = async ({
       error: err as Error
     });
   });
+  const proxyErrorMsg = [""];
 
   return new Promise((resolve, reject) => {
     const server = net.createServer();
@@ -185,31 +184,33 @@ const setupProxyServer = async ({
         const forwardWriter = stream.writable.getWriter();
         await forwardWriter.write(Buffer.from(`FORWARD-TCP ${targetHost}:${targetPort}\n`));
         forwardWriter.releaseLock();
-        /* eslint-disable @typescript-eslint/no-misused-promises */
+
         // Set up bidirectional copy
-        const setupCopy = async () => {
+        const setupCopy = () => {
           // Client to QUIC
           // eslint-disable-next-line
           (async () => {
-            try {
-              const writer = stream.writable.getWriter();
+            const writer = stream.writable.getWriter();
 
-              // Create a handler for client data
-              clientConn.on("data", async (chunk) => {
-                await writer.write(chunk);
+            // Create a handler for client data
+            clientConn.on("data", (chunk) => {
+              writer.write(chunk).catch((err) => {
+                proxyErrorMsg.push((err as Error)?.message);
               });
+            });
 
-              // Handle client connection close
-              clientConn.on("end", async () => {
-                await writer.close();
+            // Handle client connection close
+            clientConn.on("end", () => {
+              writer.close().catch((err) => {
+                logger.error(err);
               });
+            });
 
-              clientConn.on("error", async (err) => {
-                await writer.abort(err);
+            clientConn.on("error", (clientConnErr) => {
+              writer.abort(clientConnErr?.message).catch((err) => {
+                proxyErrorMsg.push((err as Error)?.message);
               });
-            } catch (err) {
-              clientConn.destroy();
-            }
+            });
           })();
 
           // QUIC to Client
@@ -238,15 +239,18 @@ const setupProxyServer = async ({
                 }
               }
             } catch (err) {
+              proxyErrorMsg.push((err as Error)?.message);
               clientConn.destroy();
             }
           })();
         };
-        await setupCopy();
-        //
+
+        setupCopy();
         // Handle connection closure
-        clientConn.on("close", async () => {
-          await stream.destroy();
+        clientConn.on("close", () => {
+          stream.destroy().catch((err) => {
+            proxyErrorMsg.push((err as Error)?.message);
+          });
         });
 
         const cleanup = async () => {
@@ -254,13 +258,18 @@ const setupProxyServer = async ({
           await stream.destroy();
         };
 
-        clientConn.on("error", (err) => {
-          logger.error(err, "Client socket error");
-          void cleanup();
-          reject(err);
+        clientConn.on("error", (clientConnErr) => {
+          logger.error(clientConnErr, "Client socket error");
+          cleanup().catch((err) => {
+            logger.error(err, "Client conn cleanup");
+          });
         });
 
-        clientConn.on("end", cleanup);
+        clientConn.on("end", () => {
+          cleanup().catch((err) => {
+            logger.error(err, "Client conn end");
+          });
+        });
       } catch (err) {
         logger.error(err, "Failed to establish target connection:");
         clientConn.end();
@@ -272,12 +281,12 @@ const setupProxyServer = async ({
       reject(err);
     });
 
-    server.on("close", async () => {
-      await quicClient?.destroy();
+    server.on("close", () => {
+      quicClient?.destroy().catch((err) => {
+        logger.error(err, "Failed to destroy quic client");
+      });
     });
 
-    /* eslint-enable */
-
     server.listen(0, () => {
       const address = server.address();
       if (!address || typeof address === "string") {
@@ -293,7 +302,8 @@ const setupProxyServer = async ({
         cleanup: async () => {
           server.close();
           await quicClient?.destroy();
-        }
+        },
+        getProxyError: () => proxyErrorMsg.join(",")
       });
     });
   });
@@ -316,7 +326,7 @@ export const withGatewayProxy = async (
   const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;
 
   // Setup the proxy server
-  const { port, cleanup } = await setupProxyServer({
+  const { port, cleanup, getProxyError } = await setupProxyServer({
     targetHost,
     targetPort,
     relayPort,
@@ -330,8 +340,12 @@ export const withGatewayProxy = async (
     // Execute the callback with the allocated port
     await callback(port);
   } catch (err) {
-    logger.error(err, "Failed to proxy");
-    throw new BadRequestError({ message: (err as Error)?.message });
+    const proxyErrorMessage = getProxyError();
+    if (proxyErrorMessage) {
+      logger.error(new Error(proxyErrorMessage), "Failed to proxy");
+    }
+    logger.error(err, "Failed to do gateway");
+    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
   } finally {
     // Ensure cleanup happens regardless of success or failure
     await cleanup();

backend/src/lib/turn/credentials.ts

@@ -1,6 +1,6 @@
 import crypto from "node:crypto";
 
-const TURN_TOKEN_TTL = 60 * 60 * 1000; // 24 hours in milliseconds
+const TURN_TOKEN_TTL = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
 export const getTurnCredentials = (id: string, authSecret: string, ttl = TURN_TOKEN_TTL) => {
   const timestamp = Math.floor((Date.now() + ttl) / 1000);
   const username = `${timestamp}:${id}`;

backend/src/main.ts

@@ -83,6 +83,14 @@ const run = async () => {
     process.exit(0);
   });
 
+  process.on("uncaughtException", (error) => {
+    logger.error(error, "CRITICAL ERROR: Uncaught Exception");
+  });
+
+  process.on("unhandledRejection", (error) => {
+    logger.error(error, "CRITICAL ERROR: Unhandled Promise Rejection");
+  });
+
   await server.listen({
     port: envConfig.PORT,
     host: envConfig.HOST,

backend/src/queue/queue-service.ts

@@ -21,6 +21,7 @@ import {
   TQueueSecretSyncSyncSecretsByIdDTO,
   TQueueSendSecretSyncActionFailedNotificationsDTO
 } from "@app/services/secret-sync/secret-sync-types";
+import { TWebhookPayloads } from "@app/services/webhook/webhook-types";
 
 export enum QueueName {
   SecretRotation = "secret-rotation",
@@ -107,7 +108,7 @@ export type TQueueJobTypes = {
   };
   [QueueName.SecretWebhook]: {
     name: QueueJobs.SecWebhook;
-    payload: { projectId: string; environment: string; secretPath: string; depth?: number };
+    payload: TWebhookPayloads;
   };
 
   [QueueName.AccessTokenStatusUpdate]:

backend/src/server/routes/sanitizedSchemas.ts

@@ -111,7 +111,16 @@ export const secretRawSchema = z.object({
   secretReminderRepeatDays: z.number().nullable().optional(),
   skipMultilineEncoding: z.boolean().default(false).nullable().optional(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  actor: z
+    .object({
+      actorId: z.string().nullable().optional(),
+      actorType: z.string().nullable().optional(),
+      name: z.string().nullable().optional(),
+      membershipId: z.string().nullable().optional()
+    })
+    .optional()
+    .nullable()
 });
 
 export const ProjectPermissionSchema = z.object({

backend/src/server/routes/v3/secret-router.ts

@@ -380,6 +380,48 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/raw/id/:secretId",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      params: z.object({
+        secretId: z.string()
+      }),
+      response: {
+        200: z.object({
+          secret: secretRawSchema.extend({
+            secretPath: z.string(),
+            tags: SecretTagsSchema.pick({
+              id: true,
+              slug: true,
+              color: true
+            })
+              .extend({ name: z.string() })
+              .array()
+              .optional(),
+            secretMetadata: ResourceMetadataSchema.optional()
+          })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { secretId } = req.params;
+      const secret = await server.services.secret.getSecretByIdRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        secretId
+      });
+
+      return { secret };
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/raw/:secretName",

backend/src/services/external-migration/external-migration-fns.ts

@@ -772,6 +772,10 @@ export const importDataIntoInfisicalFn = async ({
             secretVersionDAL,
             secretTagDAL,
             secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
             tx
           });
         }

backend/src/services/integration-auth/integration-auth-service.ts

@@ -114,20 +114,27 @@ export const integrationAuthServiceFactory = ({
   const listOrgIntegrationAuth = async ({ actorId, actor, actorOrgId, actorAuthMethod }: TGenericPermission) => {
     const authorizations = await integrationAuthDAL.getByOrg(actorOrgId as string);
 
-    return Promise.all(
-      authorizations.filter(async (auth) => {
-        const { permission } = await permissionService.getProjectPermission({
-          actor,
-          actorId,
-          projectId: auth.projectId,
-          actorAuthMethod,
-          actorOrgId,
-          actionProjectType: ActionProjectType.SecretManager
-        });
+    const filteredAuthorizations = await Promise.all(
+      authorizations.map(async (auth) => {
+        try {
+          const { permission } = await permissionService.getProjectPermission({
+            actor,
+            actorId,
+            projectId: auth.projectId,
+            actorAuthMethod,
+            actorOrgId,
+            actionProjectType: ActionProjectType.SecretManager
+          });
 
-        return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+          return permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations) ? auth : null;
+        } catch (error) {
+          // user does not belong to the project that the integration auth belongs to
+          return null;
+        }
       })
     );
+
+    return filteredAuthorizations.filter((auth): auth is NonNullable<typeof auth> => auth !== null);
   };
 
   const getIntegrationAuth = async ({ actor, id, actorId, actorAuthMethod, actorOrgId }: TGetIntegrationAuthDTO) => {

backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts

@@ -613,6 +613,9 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           `${TableName.SecretV2JnTag}.${TableName.SecretTag}Id`,
           `${TableName.SecretTag}.id`
         )
+
+        .leftJoin(TableName.SecretFolder, `${TableName.SecretV2}.folderId`, `${TableName.SecretFolder}.id`)
+        .leftJoin(TableName.Environment, `${TableName.SecretFolder}.envId`, `${TableName.Environment}.id`)
         .leftJoin(TableName.ResourceMetadata, `${TableName.SecretV2}.id`, `${TableName.ResourceMetadata}.secretId`)
         .select(selectAllTableCols(TableName.SecretV2))
         .select(db.ref("id").withSchema(TableName.SecretTag).as("tagId"))
@@ -622,12 +625,13 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
           db.ref("id").withSchema(TableName.ResourceMetadata).as("metadataId"),
           db.ref("key").withSchema(TableName.ResourceMetadata).as("metadataKey"),
           db.ref("value").withSchema(TableName.ResourceMetadata).as("metadataValue")
-        );
+        )
+        .select(db.ref("projectId").withSchema(TableName.Environment).as("projectId"));
 
       const docs = sqlNestRelationships({
         data: rawDocs,
         key: "id",
-        parentMapper: (el) => ({ _id: el.id, ...SecretsV2Schema.parse(el) }),
+        parentMapper: (el) => ({ _id: el.id, projectId: el.projectId, ...SecretsV2Schema.parse(el) }),
         childrenMapper: [
           {
             key: "tagId",

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts

@@ -5,6 +5,7 @@ import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
 
+import { ActorType } from "../auth/auth-type";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { ResourceMetadataDTO } from "../resource-metadata/resource-metadata-schema";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
@@ -62,6 +63,7 @@ export const fnSecretBulkInsert = async ({
   resourceMetadataDAL,
   secretTagDAL,
   secretVersionTagDAL,
+  actor,
   tx
 }: TFnSecretBulkInsert) => {
   const sanitizedInputSecrets = inputSecrets.map(
@@ -90,6 +92,10 @@ export const fnSecretBulkInsert = async ({
     })
   );
 
+  const userActorId = actor && actor.type === ActorType.USER ? actor.actorId : undefined;
+  const identityActorId = actor && actor.type !== ActorType.USER ? actor.actorId : undefined;
+  const actorType = actor?.type || ActorType.PLATFORM;
+
   const newSecrets = await secretDAL.insertMany(
     sanitizedInputSecrets.map((el) => ({ ...el, folderId })),
     tx
@@ -106,6 +112,9 @@ export const fnSecretBulkInsert = async ({
     sanitizedInputSecrets.map((el) => ({
       ...el,
       folderId,
+      userActorId,
+      identityActorId,
+      actorType,
       secretId: newSecretGroupedByKeyName[el.key][0].id
     })),
     tx
@@ -157,8 +166,13 @@ export const fnSecretBulkUpdate = async ({
   secretVersionDAL,
   secretTagDAL,
   secretVersionTagDAL,
-  resourceMetadataDAL
+  resourceMetadataDAL,
+  actor
 }: TFnSecretBulkUpdate) => {
+  const userActorId = actor && actor?.type === ActorType.USER ? actor?.actorId : undefined;
+  const identityActorId = actor && actor?.type !== ActorType.USER ? actor?.actorId : undefined;
+  const actorType = actor?.type || ActorType.PLATFORM;
+
   const sanitizedInputSecrets = inputSecrets.map(
     ({
       filter,
@@ -216,7 +230,10 @@ export const fnSecretBulkUpdate = async ({
         encryptedValue,
         reminderRepeatDays,
         folderId,
-        secretId
+        secretId,
+        userActorId,
+        identityActorId,
+        actorType
       })
     ),
     tx
@@ -616,6 +633,12 @@ export const reshapeBridgeSecret = (
   secret: Omit<TSecretsV2, "encryptedValue" | "encryptedComment"> & {
     value: string;
     comment: string;
+    userActorName?: string | null;
+    identityActorName?: string | null;
+    userActorId?: string | null;
+    identityActorId?: string | null;
+    membershipId?: string | null;
+    actorType?: string | null;
     tags?: {
       id: string;
       slug: string;
@@ -636,6 +659,14 @@ export const reshapeBridgeSecret = (
   _id: secret.id,
   id: secret.id,
   user: secret.userId,
+  actor: secret.actorType
+    ? {
+        actorType: secret.actorType,
+        actorId: secret.userActorId || secret.identityActorId,
+        name: secret.identityActorName || secret.userActorName,
+        membershipId: secret.membershipId
+      }
+    : undefined,
   tags: secret.tags,
   skipMultilineEncoding: secret.skipMultilineEncoding,
   secretReminderRepeatDays: secret.reminderRepeatDays,

backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts

@@ -28,6 +28,7 @@ import { KmsDataKey } from "../kms/kms-types";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TResourceMetadataDALFactory } from "../resource-metadata/resource-metadata-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
+import { TGetASecretByIdDTO } from "../secret/secret-types";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
 import { TSecretImportDALFactory } from "../secret-import/secret-import-dal";
 import { fnSecretsV2FromImports } from "../secret-import/secret-import-fns";
@@ -73,7 +74,13 @@ type TSecretV2BridgeServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne" | "findBySlugs">;
   folderDAL: Pick<
     TSecretFolderDALFactory,
-    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find" | "findBySecretPathMultiEnv"
+    | "findBySecretPath"
+    | "updateById"
+    | "findById"
+    | "findByManySecretPath"
+    | "find"
+    | "findBySecretPathMultiEnv"
+    | "findSecretPathByFolderIds"
   >;
   secretImportDAL: Pick<TSecretImportDALFactory, "find" | "findByFolderIds">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "handleSecretReminder" | "removeSecretReminder">;
@@ -301,6 +308,10 @@ export const secretV2BridgeServiceFactory = ({
         secretVersionDAL,
         secretTagDAL,
         secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
         tx
       })
     );
@@ -483,6 +494,10 @@ export const secretV2BridgeServiceFactory = ({
         secretVersionDAL,
         secretTagDAL,
         secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
         tx
       })
     );
@@ -947,6 +962,73 @@ export const secretV2BridgeServiceFactory = ({
     };
   };
 
+  const getSecretById = async ({ actorId, actor, actorOrgId, actorAuthMethod, secretId }: TGetASecretByIdDTO) => {
+    const secret = await secretDAL.findOneWithTags({
+      [`${TableName.SecretV2}.id` as "id"]: secretId
+    });
+
+    if (!secret) {
+      throw new NotFoundError({
+        message: `Secret with ID '${secretId}' not found`,
+        name: "GetSecretById"
+      });
+    }
+
+    const [folderWithPath] = await folderDAL.findSecretPathByFolderIds(secret.projectId, [secret.folderId]);
+
+    if (!folderWithPath) {
+      throw new NotFoundError({
+        message: `Folder with id '${secret.folderId}' not found`,
+        name: "GetSecretById"
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: secret.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      subject(ProjectPermissionSub.Secrets, {
+        environment: folderWithPath.environmentSlug,
+        secretPath: folderWithPath.path,
+        secretName: secret.key,
+        secretTags: secret.tags.map((i) => i.slug)
+      })
+    );
+
+    if (secret.type === SecretType.Personal && secret.userId !== actorId) {
+      throw new ForbiddenRequestError({
+        message: "You are not allowed to access this secret",
+        name: "GetSecretById"
+      });
+    }
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: secret.projectId
+    });
+
+    const secretValue = secret.encryptedValue
+      ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedValue }).toString()
+      : "";
+
+    const secretComment = secret.encryptedComment
+      ? secretManagerDecryptor({ cipherTextBlob: secret.encryptedComment }).toString()
+      : "";
+
+    return reshapeBridgeSecret(secret.projectId, folderWithPath.environmentSlug, folderWithPath.path, {
+      ...secret,
+      value: secretValue,
+      comment: secretComment
+    });
+  };
+
   const getSecretByName = async ({
     actorId,
     actor,
@@ -1230,6 +1312,10 @@ export const secretV2BridgeServiceFactory = ({
         secretVersionDAL,
         secretTagDAL,
         secretVersionTagDAL,
+        actor: {
+          type: actor,
+          actorId
+        },
         tx
       })
     );
@@ -1490,6 +1576,10 @@ export const secretV2BridgeServiceFactory = ({
           secretVersionDAL,
           secretTagDAL,
           secretVersionTagDAL,
+          actor: {
+            type: actor,
+            actorId
+          },
           resourceMetadataDAL
         });
         updatedSecrets.push(...bulkUpdatedSecrets.map((el) => ({ ...el, secretPath: folder.path })));
@@ -1522,6 +1612,10 @@ export const secretV2BridgeServiceFactory = ({
             secretVersionDAL,
             secretTagDAL,
             secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
             tx
           });
           updatedSecrets.push(...bulkInsertedSecrets.map((el) => ({ ...el, secretPath: folder.path })));
@@ -1689,14 +1783,19 @@ export const secretV2BridgeServiceFactory = ({
       type: KmsDataKey.SecretManager,
       projectId: folder.projectId
     });
-    const secretVersions = await secretVersionDAL.find({ secretId }, { offset, limit, sort: [["createdAt", "desc"]] });
-    return secretVersions.map((el) =>
-      reshapeBridgeSecret(folder.projectId, folder.environment.envSlug, "/", {
+    const secretVersions = await secretVersionDAL.findVersionsBySecretIdWithActors(secretId, folder.projectId, {
+      offset,
+      limit,
+      sort: [["createdAt", "desc"]]
+    });
+
+    return secretVersions.map((el) => {
+      return reshapeBridgeSecret(folder.projectId, folder.environment.envSlug, "/", {
         ...el,
         value: el.encryptedValue ? secretManagerDecryptor({ cipherTextBlob: el.encryptedValue }).toString() : "",
         comment: el.encryptedComment ? secretManagerDecryptor({ cipherTextBlob: el.encryptedComment }).toString() : ""
-      })
-    );
+      });
+    });
   };
 
   // this is a backfilling API for secret references
@@ -1956,6 +2055,10 @@ export const secretV2BridgeServiceFactory = ({
             secretTagDAL,
             resourceMetadataDAL,
             secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
             inputSecrets: locallyCreatedSecrets.map((doc) => {
               return {
                 type: doc.type,
@@ -1982,6 +2085,10 @@ export const secretV2BridgeServiceFactory = ({
             tx,
             secretTagDAL,
             secretVersionTagDAL,
+            actor: {
+              type: actor,
+              actorId
+            },
             inputSecrets: locallyUpdatedSecrets.map((doc) => {
               return {
                 filter: {
@@ -2204,6 +2311,7 @@ export const secretV2BridgeServiceFactory = ({
     getSecretsCountMultiEnv,
     getSecretsMultiEnv,
     getSecretReferenceTree,
-    getSecretsByFolderMappings
+    getSecretsByFolderMappings,
+    getSecretById
   };
 };

backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts

@@ -168,6 +168,10 @@ export type TFnSecretBulkInsert = {
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2">;
   secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  actor?: {
+    type: string;
+    actorId: string;
+  };
 };
 
 type TRequireReferenceIfValue =
@@ -192,6 +196,10 @@ export type TFnSecretBulkUpdate = {
   secretVersionDAL: Pick<TSecretVersionV2DALFactory, "insertMany">;
   secretTagDAL: Pick<TSecretTagDALFactory, "saveTagsToSecretV2" | "deleteTagsToSecretV2">;
   secretVersionTagDAL: Pick<TSecretVersionV2TagDALFactory, "insertMany">;
+  actor?: {
+    type: string;
+    actorId: string;
+  };
   tx?: Knex;
 };
 

backend/src/services/secret-v2-bridge/secret-version-dal.ts

@@ -1,9 +1,10 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
 import { Knex } from "knex";
 
 import { TDbClient } from "@app/db";
 import { TableName, TSecretVersionsV2, TSecretVersionsV2Update } from "@app/db/schemas";
 import { BadRequestError, DatabaseError } from "@app/lib/errors";
-import { ormify, selectAllTableCols } from "@app/lib/knex";
+import { ormify, selectAllTableCols, TFindOpt } from "@app/lib/knex";
 import { logger } from "@app/lib/logger";
 import { QueueName } from "@app/queue";
 
@@ -119,11 +120,67 @@ export const secretVersionV2BridgeDALFactory = (db: TDbClient) => {
     logger.info(`${QueueName.DailyResourceCleanUp}: pruning secret version v2 completed`);
   };
 
+  const findVersionsBySecretIdWithActors = async (
+    secretId: string,
+    projectId: string,
+    { offset, limit, sort = [["createdAt", "desc"]] }: TFindOpt<TSecretVersionsV2> = {},
+    tx?: Knex
+  ) => {
+    try {
+      const query = (tx || db)(TableName.SecretVersionV2)
+        .leftJoin(TableName.Users, `${TableName.Users}.id`, `${TableName.SecretVersionV2}.userActorId`)
+        .leftJoin(
+          TableName.ProjectMembership,
+          `${TableName.ProjectMembership}.userId`,
+          `${TableName.SecretVersionV2}.userActorId`
+        )
+        .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.SecretVersionV2}.identityActorId`)
+        .where((qb) => {
+          void qb.where(`${TableName.SecretVersionV2}.secretId`, secretId);
+          void qb.where(`${TableName.ProjectMembership}.projectId`, projectId);
+        })
+        .orWhere((qb) => {
+          void qb.where(`${TableName.SecretVersionV2}.secretId`, secretId);
+          void qb.whereNull(`${TableName.ProjectMembership}.projectId`);
+        })
+        .select(
+          selectAllTableCols(TableName.SecretVersionV2),
+          `${TableName.Users}.username as userActorName`,
+          `${TableName.Identity}.name as identityActorName`,
+          `${TableName.ProjectMembership}.id as membershipId`
+        );
+
+      if (limit) void query.limit(limit);
+      if (offset) void query.offset(offset);
+      if (sort) {
+        void query.orderBy(
+          sort.map(([column, order, nulls]) => ({
+            column: `${TableName.SecretVersionV2}.${column as string}`,
+            order,
+            nulls
+          }))
+        );
+      }
+
+      const docs: Array<
+        TSecretVersionsV2 & {
+          userActorName: string | undefined | null;
+          identityActorName: string | undefined | null;
+          membershipId: string | undefined | null;
+        }
+      > = await query;
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "FindVersionsBySecretIdWithActors" });
+    }
+  };
+
   return {
     ...secretVersionV2Orm,
     pruneExcessVersions,
     findLatestVersionMany,
     bulkUpdate,
-    findLatestVersionByFolderId
+    findLatestVersionByFolderId,
+    findVersionsBySecretIdWithActors
   };
 };

backend/src/services/secret/secret-fns.ts

@@ -579,6 +579,7 @@ export const fnSecretBulkInsert = async ({
       [`${TableName.Secret}Id` as const]: newSecretGroupByBlindIndex[secretBlindIndex as string][0].id
     }))
   );
+
   const secretVersions = await secretVersionDAL.insertMany(
     sanitizedInputSecrets.map((el) => ({
       ...el,

backend/src/services/secret/secret-queue.ts

@@ -61,6 +61,7 @@ import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { TWebhookDALFactory } from "../webhook/webhook-dal";
 import { fnTriggerWebhook } from "../webhook/webhook-fns";
+import { WebhookEvents } from "../webhook/webhook-types";
 import { TSecretDALFactory } from "./secret-dal";
 import { interpolateSecrets } from "./secret-fns";
 import {
@@ -623,7 +624,14 @@ export const secretQueueFactory = ({
     await queueService.queue(
       QueueName.SecretWebhook,
       QueueJobs.SecWebhook,
-      { environment, projectId, secretPath },
+      {
+        type: WebhookEvents.SecretModified,
+        payload: {
+          environment,
+          projectId,
+          secretPath
+        }
+      },
       {
         jobId: `secret-webhook-${environment}-${projectId}-${secretPath}`,
         removeOnFail: { count: 5 },
@@ -1055,6 +1063,8 @@ export const secretQueueFactory = ({
 
     const organization = await orgDAL.findOrgByProjectId(projectId);
     const project = await projectDAL.findById(projectId);
+    const secret = await secretV2BridgeDAL.findById(data.secretId);
+    const [folder] = await folderDAL.findSecretPathByFolderIds(project.id, [secret.folderId]);
 
     if (!organization) {
       logger.info(`secretReminderQueue.process: [secretDocument=${data.secretId}] no organization found`);
@@ -1083,6 +1093,19 @@ export const secretQueueFactory = ({
         organizationName: organization.name
       }
     });
+
+    await queueService.queue(QueueName.SecretWebhook, QueueJobs.SecWebhook, {
+      type: WebhookEvents.SecretReminderExpired,
+      payload: {
+        projectName: project.name,
+        projectId: project.id,
+        secretPath: folder?.path,
+        environment: folder?.environmentSlug || "",
+        reminderNote: data.note,
+        secretName: secret?.key,
+        secretId: data.secretId
+      }
+    });
   });
 
   const startSecretV2Migration = async (projectId: string) => {
@@ -1490,14 +1513,17 @@ export const secretQueueFactory = ({
   queueService.start(QueueName.SecretWebhook, async (job) => {
     const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
       type: KmsDataKey.SecretManager,
-      projectId: job.data.projectId
+      projectId: job.data.payload.projectId
     });
 
     await fnTriggerWebhook({
-      ...job.data,
+      projectId: job.data.payload.projectId,
+      environment: job.data.payload.environment,
+      secretPath: job.data.payload.secretPath || "/",
       projectEnvDAL,
-      webhookDAL,
       projectDAL,
+      webhookDAL,
+      event: job.data,
       secretManagerDecryptor: (value) => secretManagerDecryptor({ cipherTextBlob: value }).toString()
     });
   });

backend/src/services/secret/secret-service.ts

@@ -71,6 +71,7 @@ import {
   TDeleteManySecretRawDTO,
   TDeleteSecretDTO,
   TDeleteSecretRawDTO,
+  TGetASecretByIdRawDTO,
   TGetASecretDTO,
   TGetASecretRawDTO,
   TGetSecretAccessListDTO,
@@ -95,7 +96,7 @@ type TSecretServiceFactoryDep = {
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   folderDAL: Pick<
     TSecretFolderDALFactory,
-    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find"
+    "findBySecretPath" | "updateById" | "findById" | "findByManySecretPath" | "find" | "findSecretPathByFolderIds"
   >;
   secretV2BridgeService: TSecretV2BridgeServiceFactory;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
@@ -1382,6 +1383,18 @@ export const secretServiceFactory = ({
     };
   };
 
+  const getSecretByIdRaw = async ({ secretId, actorId, actor, actorOrgId, actorAuthMethod }: TGetASecretByIdRawDTO) => {
+    const secret = await secretV2BridgeService.getSecretById({
+      secretId,
+      actorId,
+      actor,
+      actorOrgId,
+      actorAuthMethod
+    });
+
+    return secret;
+  };
+
   const getSecretByNameRaw = async ({
     type,
     path,
@@ -3088,6 +3101,7 @@ export const secretServiceFactory = ({
     getSecretsRawMultiEnv,
     getSecretReferenceTree,
     getSecretsRawByFolderMappings,
-    getSecretAccessList
+    getSecretAccessList,
+    getSecretByIdRaw
   };
 };

backend/src/services/secret/secret-types.ts

@@ -121,6 +121,10 @@ export type TGetASecretDTO = {
   version?: number;
 } & TProjectPermission;
 
+export type TGetASecretByIdDTO = {
+  secretId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateBulkSecretDTO = {
   path: string;
   environment: string;
@@ -213,6 +217,10 @@ export type TGetASecretRawDTO = {
   projectId?: string;
 } & Omit<TProjectPermission, "projectId">;
 
+export type TGetASecretByIdRawDTO = {
+  secretId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateSecretRawDTO = TProjectPermission & {
   secretName: string;
   secretPath: string;

backend/src/services/slack/slack-fns.ts

@@ -50,6 +50,7 @@ const buildSlackPayload = (notification: TSlackNotification) => {
       const messageBody = `A secret approval request has been opened by ${payload.userEmail}.
 *Environment*: ${payload.environment}
 *Secret path*: ${payload.secretPath || "/"}
+*Secret Key${payload.secretKeys.length > 1 ? "s" : ""}*: ${payload.secretKeys.join(", ")}
 
 View the complete details <${appCfg.SITE_URL}/secret-manager/${payload.projectId}/approval?requestId=${
         payload.requestId

backend/src/services/slack/slack-types.ts

@@ -62,6 +62,7 @@ export type TSlackNotification =
         secretPath: string;
         requestId: string;
         projectId: string;
+        secretKeys: string[];
       };
     }
   | {

backend/src/services/webhook/webhook-fns.ts

@@ -11,7 +11,7 @@ import { logger } from "@app/lib/logger";
 import { TProjectDALFactory } from "../project/project-dal";
 import { TProjectEnvDALFactory } from "../project-env/project-env-dal";
 import { TWebhookDALFactory } from "./webhook-dal";
-import { WebhookType } from "./webhook-types";
+import { TWebhookPayloads, WebhookEvents, WebhookType } from "./webhook-types";
 
 const WEBHOOK_TRIGGER_TIMEOUT = 15 * 1000;
 
@@ -54,29 +54,64 @@ export const triggerWebhookRequest = async (
   return req;
 };
 
-export const getWebhookPayload = (
-  eventName: string,
-  details: {
-    workspaceName: string;
-    workspaceId: string;
-    environment: string;
-    secretPath?: string;
-    type?: string | null;
+export const getWebhookPayload = (event: TWebhookPayloads) => {
+  if (event.type === WebhookEvents.SecretModified) {
+    const { projectName, projectId, environment, secretPath, type } = event.payload;
+
+    switch (type) {
+      case WebhookType.SLACK:
+        return {
+          text: "A secret value has been added or modified.",
+          attachments: [
+            {
+              color: "#E7F256",
+              fields: [
+                {
+                  title: "Project",
+                  value: projectName,
+                  short: false
+                },
+                {
+                  title: "Environment",
+                  value: environment,
+                  short: false
+                },
+                {
+                  title: "Secret Path",
+                  value: secretPath,
+                  short: false
+                }
+              ]
+            }
+          ]
+        };
+      case WebhookType.GENERAL:
+      default:
+        return {
+          event: event.type,
+          project: {
+            workspaceId: projectId,
+            projectName,
+            environment,
+            secretPath
+          }
+        };
+    }
   }
-) => {
-  const { workspaceName, workspaceId, environment, secretPath, type } = details;
+
+  const { projectName, projectId, environment, secretPath, type, reminderNote, secretName } = event.payload;
 
   switch (type) {
     case WebhookType.SLACK:
       return {
-        text: "A secret value has been added or modified.",
+        text: "You have a secret reminder",
         attachments: [
           {
             color: "#E7F256",
             fields: [
               {
                 title: "Project",
-                value: workspaceName,
+                value: projectName,
                 short: false
               },
               {
@@ -88,6 +123,16 @@ export const getWebhookPayload = (
                 title: "Secret Path",
                 value: secretPath,
                 short: false
+              },
+              {
+                title: "Secret Name",
+                value: secretName,
+                short: false
+              },
+              {
+                title: "Reminder Note",
+                value: reminderNote,
+                short: false
               }
             ]
           }
@@ -96,11 +141,14 @@ export const getWebhookPayload = (
     case WebhookType.GENERAL:
     default:
       return {
-        event: eventName,
+        event: event.type,
         project: {
-          workspaceId,
+          workspaceId: projectId,
+          projectName,
           environment,
-          secretPath
+          secretPath,
+          secretName,
+          reminderNote
         }
       };
   }
@@ -110,6 +158,7 @@ export type TFnTriggerWebhookDTO = {
   projectId: string;
   secretPath: string;
   environment: string;
+  event: TWebhookPayloads;
   webhookDAL: Pick<TWebhookDALFactory, "findAllWebhooks" | "transaction" | "update" | "bulkUpdate">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findById">;
@@ -124,8 +173,9 @@ export const fnTriggerWebhook = async ({
   projectId,
   webhookDAL,
   projectEnvDAL,
-  projectDAL,
-  secretManagerDecryptor
+  event,
+  secretManagerDecryptor,
+  projectDAL
 }: TFnTriggerWebhookDTO) => {
   const webhooks = await webhookDAL.findAllWebhooks(projectId, environment);
   const toBeTriggeredHooks = webhooks.filter(
@@ -134,21 +184,20 @@ export const fnTriggerWebhook = async ({
   );
   if (!toBeTriggeredHooks.length) return;
   logger.info({ environment, secretPath, projectId }, "Secret webhook job started");
-  const project = await projectDAL.findById(projectId);
+  let { projectName } = event.payload;
+  if (!projectName) {
+    const project = await projectDAL.findById(event.payload.projectId);
+    projectName = project.name;
+  }
+
   const webhooksTriggered = await Promise.allSettled(
-    toBeTriggeredHooks.map((hook) =>
-      triggerWebhookRequest(
-        hook,
-        secretManagerDecryptor,
-        getWebhookPayload("secrets.modified", {
-          workspaceName: project.name,
-          workspaceId: projectId,
-          environment,
-          secretPath,
-          type: hook.type
-        })
-      )
-    )
+    toBeTriggeredHooks.map((hook) => {
+      const formattedEvent = {
+        type: event.type,
+        payload: { ...event.payload, type: hook.type, projectName }
+      } as TWebhookPayloads;
+      return triggerWebhookRequest(hook, secretManagerDecryptor, getWebhookPayload(formattedEvent));
+    })
   );
 
   // filter hooks by status

backend/src/services/webhook/webhook-service.ts

@@ -16,7 +16,8 @@ import {
   TDeleteWebhookDTO,
   TListWebhookDTO,
   TTestWebhookDTO,
-  TUpdateWebhookDTO
+  TUpdateWebhookDTO,
+  WebhookEvents
 } from "./webhook-types";
 
 type TWebhookServiceFactoryDep = {
@@ -144,12 +145,15 @@ export const webhookServiceFactory = ({
       await triggerWebhookRequest(
         webhook,
         (value) => secretManagerDecryptor({ cipherTextBlob: value }).toString(),
-        getWebhookPayload("test", {
-          workspaceName: project.name,
-          workspaceId: webhook.projectId,
-          environment: webhook.environment.slug,
-          secretPath: webhook.secretPath,
-          type: webhook.type
+        getWebhookPayload({
+          type: "test" as WebhookEvents.SecretModified,
+          payload: {
+            projectName: project.name,
+            projectId: webhook.projectId,
+            environment: webhook.environment.slug,
+            secretPath: webhook.secretPath,
+            type: webhook.type
+          }
         })
       );
     } catch (err) {

backend/src/services/webhook/webhook-types.ts

@@ -30,3 +30,36 @@ export enum WebhookType {
   GENERAL = "general",
   SLACK = "slack"
 }
+
+export enum WebhookEvents {
+  SecretModified = "secrets.modified",
+  SecretReminderExpired = "secrets.reminder-expired",
+  TestEvent = "test"
+}
+
+type TWebhookSecretModifiedEventPayload = {
+  type: WebhookEvents.SecretModified;
+  payload: {
+    projectName?: string;
+    projectId: string;
+    environment: string;
+    secretPath?: string;
+    type?: string | null;
+  };
+};
+
+type TWebhookSecretReminderEventPayload = {
+  type: WebhookEvents.SecretReminderExpired;
+  payload: {
+    projectName?: string;
+    projectId: string;
+    environment: string;
+    secretPath?: string;
+    type?: string | null;
+    secretName: string;
+    secretId: string;
+    reminderNote?: string | null;
+  };
+};
+
+export type TWebhookPayloads = TWebhookSecretModifiedEventPayload | TWebhookSecretReminderEventPayload;

cli/go.mod

@@ -29,9 +29,9 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/crypto v0.35.0
-	golang.org/x/sys v0.30.0
-	golang.org/x/term v0.29.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/term v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -115,8 +115,8 @@ require (
 	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.30.0 // indirect
 	google.golang.org/api v0.188.0 // indirect

cli/go.sum

@@ -486,6 +486,8 @@ golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
 golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -592,6 +594,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
 golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -642,9 +646,13 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
 golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -656,6 +664,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

cli/packages/gateway/gateway.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Infisical/infisical-merge/packages/api"
 	"github.com/Infisical/infisical-merge/packages/systemd"
 	"github.com/go-resty/resty/v2"
+	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
 	"github.com/pion/turn/v4"
 	"github.com/rs/zerolog/log"
@@ -54,26 +55,6 @@ func (g *Gateway) ConnectWithRelay() error {
 		return err
 	}
 	relayAddress, relayPort := strings.Split(relayDetails.TurnServerAddress, ":")[0], strings.Split(relayDetails.TurnServerAddress, ":")[1]
-	var conn net.Conn
-
-	// Dial TURN Server
-	if relayPort == "5349" {
-		log.Info().Msgf("Provided relay port %s. Using TLS", relayPort)
-		conn, err = tls.Dial("tcp", relayDetails.TurnServerAddress, &tls.Config{
-			ServerName: relayAddress,
-		})
-	} else {
-		log.Info().Msgf("Provided relay port %s. Using non TLS connection.", relayPort)
-		peerAddr, errPeer := net.ResolveTCPAddr("tcp", relayDetails.TurnServerAddress)
-		if errPeer != nil {
-			return fmt.Errorf("Failed to parse turn server address: %w", err)
-		}
-		conn, err = net.DialTCP("tcp", nil, peerAddr)
-	}
-
-	if err != nil {
-		return fmt.Errorf("Failed to connect with relay server: %w", err)
-	}
 
 	// Start a new TURN Client and wrap our net.Conn in a STUNConn
 	// This allows us to simulate datagram based communication over a net.Conn
@@ -81,17 +62,46 @@ func (g *Gateway) ConnectWithRelay() error {
 	if os.Getenv("LOG_LEVEL") == "debug" {
 		logger.DefaultLogLevel = logging.LogLevelDebug
 	}
-	cfg := &turn.ClientConfig{
+
+	turnClientCfg := &turn.ClientConfig{
 		STUNServerAddr: relayDetails.TurnServerAddress,
 		TURNServerAddr: relayDetails.TurnServerAddress,
-		Conn:           turn.NewSTUNConn(conn),
 		Username:       relayDetails.TurnServerUsername,
 		Password:       relayDetails.TurnServerPassword,
 		Realm:          relayDetails.TurnServerRealm,
 		LoggerFactory:  logger,
 	}
 
-	client, err := turn.NewClient(cfg)
+	turnAddr, err := net.ResolveUDPAddr("udp4", relayDetails.TurnServerAddress)
+	if err != nil {
+		return fmt.Errorf("Failed to parse turn server address: %w", err)
+	}
+
+	// Dial TURN Server
+	if relayPort == "5349" {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(g.config.CertificateChain))
+
+		log.Info().Msgf("Provided relay port %s. Using TLS", relayPort)
+		conn, err := dtls.Dial("udp", turnAddr, &dtls.Config{
+			ServerName: relayAddress,
+			RootCAs:    caCertPool,
+		})
+		if err != nil {
+			return fmt.Errorf("Failed to connect with relay server: %w", err)
+		}
+		turnClientCfg.Conn = turn.NewSTUNConn(conn)
+	} else {
+		log.Info().Msgf("Provided relay port %s. Using non TLS connection.", relayPort)
+		conn, err := net.ListenPacket("udp4", turnAddr.String())
+		if err != nil {
+			return fmt.Errorf("Failed to connect with relay server: %w", err)
+		}
+
+		turnClientCfg.Conn = conn
+	}
+
+	client, err := turn.NewClient(turnClientCfg)
 	if err != nil {
 		return fmt.Errorf("Failed to create relay client: %w", err)
 	}
@@ -168,7 +178,6 @@ func (g *Gateway) Listen(ctx context.Context) error {
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		NextProtos:   []string{"infisical-gateway"},
 	}
-
 	// Setup QUIC listener on the relayConn
 	quicConfig := &quic.Config{
 		EnableDatagrams: true,
@@ -176,7 +185,6 @@ func (g *Gateway) Listen(ctx context.Context) error {
 		KeepAlivePeriod: 2 * time.Second,
 	}
 
-	g.registerRelayIsActive(ctx, errCh)
 	quicListener, err := quic.Listen(relayUdpConnection, tlsConfig, quicConfig)
 	if err != nil {
 		return fmt.Errorf("Failed to listen for QUIC: %w", err)
@@ -185,6 +193,8 @@ func (g *Gateway) Listen(ctx context.Context) error {
 
 	log.Printf("Listener started on %s", quicListener.Addr())
 
+	g.registerRelayIsActive(ctx, quicListener.Addr().String(), errCh)
+
 	log.Info().Msg("Gateway started successfully")
 
 	var wg sync.WaitGroup
@@ -320,13 +330,12 @@ func (g *Gateway) createPermissionForStaticIps(staticIps string) error {
 	return nil
 }
 
-func (g *Gateway) registerRelayIsActive(ctx context.Context, errCh chan error) error {
+func (g *Gateway) registerRelayIsActive(ctx context.Context, addr string, errCh chan error) error {
 	ticker := time.NewTicker(15 * time.Second)
 	maxFailures := 3
 	failures := 0
 
 	log.Info().Msg("Starting relay connection health check")
-
 	go func() {
 		time.Sleep(5 * time.Second)
 		for {
@@ -335,36 +344,26 @@ func (g *Gateway) registerRelayIsActive(ctx context.Context, errCh chan error) e
 				log.Info().Msg("Stopping relay connection health check")
 				return
 			case <-ticker.C:
-				func() {
-					log.Debug().Msg("Performing relay connection health check")
-
-					if g.client == nil {
-						failures++
-						log.Warn().Int("failures", failures).Msg("TURN client is nil")
-						if failures >= maxFailures {
-							errCh <- fmt.Errorf("relay connection check failed: TURN client is nil")
-						}
+				log.Debug().Msg("Performing relay connection health check")
+				ctxTimeout, cancel := context.WithTimeout(ctx, 5*time.Second)
+				defer cancel()
+				// Try to establish a QUIC connection
+				conn, err := quic.DialAddr(ctxTimeout, addr, &tls.Config{
+					InsecureSkipVerify: false, // Skip certificate verification
+					NextProtos:         []string{"infisical-gateway"},
+				}, nil)
+				if err != nil && !strings.Contains(err.Error(), "tls:") {
+					failures++
+					log.Warn().Err(err).Int("failures", failures).Msg("Failed to refresh TURN permissions")
+					if failures >= maxFailures {
+						errCh <- fmt.Errorf("relay connection check failed: %w", err)
 						return
 					}
-
-					// we try to refresh permissions - this is a lightweight operation
-					// that will fail immediately if the UDP connection is broken. good for health check
-					log.Debug().Msg("Refreshing TURN permissions to verify connection")
-					if err := g.createPermissionForStaticIps(g.config.InfisicalStaticIp); err != nil {
-						failures++
-						log.Warn().Err(err).Int("failures", failures).Msg("Failed to refresh TURN permissions")
-						if failures >= maxFailures {
-							errCh <- fmt.Errorf("relay connection check failed: %w", err)
-						}
-						return
-					}
-
-					log.Debug().Msg("Successfully refreshed TURN permissions - connection is healthy")
-					if failures > 0 {
-						log.Info().Int("previous_failures", failures).Msg("Relay connection restored")
-						failures = 0
-					}
-				}()
+					continue
+				}
+				if conn != nil {
+					defer conn.CloseWithError(0, "All good")
+				}
 			}
 		}
 	}()

cli/packages/gateway/relay.go

@@ -4,7 +4,6 @@
 package gateway
 
 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -12,12 +11,13 @@ import (
 	"net"
 	"os"
 	"os/signal"
-	"runtime"
+
+	// "runtime"
 	"strconv"
 	"syscall"
 
-	udplistener "github.com/Infisical/infisical-merge/packages/gateway/udp_listener"
 	"github.com/Infisical/infisical-merge/packages/systemd"
+	"github.com/pion/dtls/v3"
 	"github.com/pion/logging"
 	"github.com/pion/turn/v4"
 	"github.com/rs/zerolog/log"
@@ -108,7 +108,7 @@ func NewGatewayRelay(configFilePath string) (*GatewayRelay, error) {
 }
 
 func (g *GatewayRelay) Run() error {
-	addr, err := net.ResolveTCPAddr("tcp", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
+	addr, err := net.ResolveUDPAddr("udp", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
 	if err != nil {
 		return fmt.Errorf("Failed to parse server address: %s", err)
 	}
@@ -117,13 +117,6 @@ func (g *GatewayRelay) Run() error {
 	// and process them yourself.
 	logger := logging.NewDefaultLeveledLoggerForScope("lt-creds", logging.LogLevelTrace, os.Stdout)
 
-	// Create `numThreads` UDP listeners to pass into pion/turn
-	// pion/turn itself doesn't allocate any UDP sockets, but lets the user pass them in
-	// this allows us to add logging, storage or modify inbound/outbound traffic
-	// UDP listeners share the same local address:port with setting SO_REUSEPORT and the kernel
-	// will load-balance received packets per the IP 5-tuple
-	listenerConfig := udplistener.SetupListenerConfig()
-
 	publicIP := g.Config.PublicIP
 	relayAddressGenerator := &turn.RelayAddressGeneratorPortRange{
 		RelayAddress: net.ParseIP(publicIP), // Claim that we are listening on IP passed by user
@@ -132,49 +125,54 @@ func (g *GatewayRelay) Run() error {
 		MaxPort:      g.Config.RelayMaxPort,
 	}
 
-	threadNum := runtime.NumCPU()
-	listenerConfigs := make([]turn.ListenerConfig, threadNum)
-	var connAddress string
-	for i := 0; i < threadNum; i++ {
-		conn, listErr := listenerConfig.Listen(context.Background(), addr.Network(), addr.String())
-		if listErr != nil {
-			return fmt.Errorf("Failed to allocate TCP listener at %s:%s %s", addr.Network(), addr.String(), listErr)
-		}
-
-		listenerConfigs[i] = turn.ListenerConfig{
-			RelayAddressGenerator: relayAddressGenerator,
-		}
-
-		if g.Config.isTlsEnabled {
-			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
-
-			listenerConfigs[i].Listener = tls.NewListener(conn, &tls.Config{
-				Certificates: []tls.Certificate{g.Config.tls},
-				ClientCAs:    caCertPool,
-			})
-		} else {
-			listenerConfigs[i].Listener = conn
-		}
-		connAddress = conn.Addr().String()
-	}
-
 	loggerF := logging.NewDefaultLoggerFactory()
 	loggerF.DefaultLogLevel = logging.LogLevelDebug
 
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
+
+	listenerConfigs := make([]turn.ListenerConfig, 0)
+	packetConfigs := make([]turn.PacketConnConfig, 0)
+
+	if g.Config.isTlsEnabled {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(g.Config.tlsCa))
+		dtlsServer, err := dtls.Listen("udp", addr, &dtls.Config{
+			Certificates: []tls.Certificate{g.Config.tls},
+			ClientCAs:    caCertPool,
+		})
+		if err != nil {
+			return fmt.Errorf("Failed to start dtls server: %w", err)
+		}
+		listenerConfigs = append(listenerConfigs, turn.ListenerConfig{
+			RelayAddressGenerator: relayAddressGenerator,
+			Listener:              dtlsServer,
+		})
+	} else {
+		udpListener, err := net.ListenPacket("udp4", "0.0.0.0:"+strconv.Itoa(g.Config.Port))
+		if err != nil {
+			return fmt.Errorf("Failed to relay udp listener: %w", err)
+		}
+		packetConfigs = append(packetConfigs, turn.PacketConnConfig{
+			RelayAddressGenerator: relayAddressGenerator,
+			PacketConn:            udpListener,
+		})
+	}
+
 	server, err := turn.NewServer(turn.ServerConfig{
 		Realm:       g.Config.Realm,
 		AuthHandler: turn.LongTermTURNRESTAuthHandler(g.Config.AuthSecret, logger),
 		// PacketConnConfigs is a list of UDP Listeners and the configuration around them
-		ListenerConfigs: listenerConfigs,
-		LoggerFactory:   loggerF,
+		ListenerConfigs:   listenerConfigs,
+		PacketConnConfigs: packetConfigs,
+		LoggerFactory:     loggerF,
 	})
 
 	if err != nil {
 		return fmt.Errorf("Failed to start server: %w", err)
 	}
 
-	log.Info().Msgf("Relay listening on %s\n", connAddress)
+	log.Info().Msgf("Relay listening on %d\n", g.Config.Port)
 
 	// make this compatiable with systemd notify mode
 	systemd.SdNotify(false, systemd.SdNotifyReady)

company/handbook/meetings.mdx

@@ -10,6 +10,10 @@ Being a remote-first company, we try to be as async as possible. When an issue a
 
 In other words, we have almost no (recurring) meetings and prefer written communication or quick Slack huddles.
 
+## Daily Standup
+
+Towards the end of each day, everyone on the Engineering and GTM teams should document their progress in the respective Slack standup channels, ensuring the team stays informed of important updates. On the engineering side, if you are working on something that takes longer than 1-2 days, please add an estimated completion date (ECD) for that item in standup specifying when it will be pushed to production. 
+
 ## Weekly All-hands
 
-All-hands is the single recurring meeting that we run every Monday at 8:30am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).
+All-hands is the single recurring meeting that we run every Monday at 8:00am PT. Typically, we would discuss everything important that happened during the previous week and plan out the week ahead. This is also an opportunity to bring up any important topics in front of the whole company (but feel free to post those in Slack too).

docs/documentation/platform/webhooks.mdx

@@ -36,3 +36,18 @@ If the signature in the header matches the signature that you generated, then yo
   "timestamp": ""
 }
 ```
+
+```json
+{
+  "event": "secrets.reminder-expired",
+  "project": {
+    "workspaceId": "the workspace id",
+    "environment": "project environment",
+    "secretPath": "project folder path",
+    "secretName": "name of the secret",
+    "secretId": "id of the secret",
+    "reminderNote": "reminder note of the secret"
+  },
+  "timestamp": ""
+}
+```

frontend/src/components/projects/NewProjectModal.tsx

@@ -14,7 +14,6 @@ import {
   AccordionItem,
   AccordionTrigger,
   Button,
-  Checkbox,
   FormControl,
   Input,
   Modal,
@@ -33,13 +32,7 @@ import {
   useUser
 } from "@app/context";
 import { getProjectHomePage } from "@app/helpers/project";
-import {
-  fetchOrgUsers,
-  useAddUserToWsNonE2EE,
-  useCreateWorkspace,
-  useGetExternalKmsList,
-  useGetUserWorkspaces
-} from "@app/hooks/api";
+import { useCreateWorkspace, useGetExternalKmsList, useGetUserWorkspaces } from "@app/hooks/api";
 import { INTERNAL_KMS_KEY_ID } from "@app/hooks/api/kms/types";
 import { InfisicalProjectTemplate, useListProjectTemplates } from "@app/hooks/api/projectTemplates";
 import { ProjectType } from "@app/hooks/api/workspace/types";
@@ -51,7 +44,6 @@ const formSchema = z.object({
     .trim()
     .max(256, "Description too long, max length is 256 characters")
     .optional(),
-  addMembers: z.boolean(),
   kmsKeyId: z.string(),
   template: z.string()
 });
@@ -73,7 +65,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
   const { user } = useUser();
   const createWs = useCreateWorkspace();
   const { refetch: refetchWorkspaces } = useGetUserWorkspaces();
-  const addUsersToProject = useAddUserToWsNonE2EE();
   const { subscription } = useSubscription();
 
   const canReadProjectTemplates = permission.can(
@@ -111,7 +102,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
   const onCreateProject = async ({
     name,
     description,
-    addMembers,
     kmsKeyId,
     template
   }: TAddProjectFormData) => {
@@ -128,21 +118,6 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
         template,
         type: projectType
       });
-      const { id: newProjectId } = project;
-
-      if (addMembers) {
-        const orgUsers = await fetchOrgUsers(currentOrg.id);
-        await addUsersToProject.mutateAsync({
-          usernames: orgUsers
-            .filter(
-              (member) => member.user.username !== user.username && member.status === "accepted"
-            )
-            .map((member) => member.user.username),
-          projectId: newProjectId,
-          orgId: currentOrg.id
-        });
-      }
-
       await refetchWorkspaces();
 
       createNotification({ text: "Project created", type: "success" });
@@ -246,31 +221,7 @@ const NewProjectForm = ({ onOpenChange, projectType }: NewProjectFormProps) => {
           )}
         />
       </div>
-      <div className="mt-4 pl-1">
-        <Controller
-          control={control}
-          name="addMembers"
-          defaultValue={false}
-          render={({ field: { onBlur, value, onChange } }) => (
-            <OrgPermissionCan I={OrgPermissionActions.Read} a={OrgPermissionSubjects.Member}>
-              {(isAllowed) => (
-                <div>
-                  <Checkbox
-                    id="add-project-layout"
-                    isChecked={value}
-                    onCheckedChange={onChange}
-                    isDisabled={!isAllowed}
-                    onBlur={onBlur}
-                  >
-                    Add all members of my organization to this project
-                  </Checkbox>
-                </div>
-              )}
-            </OrgPermissionCan>
-          )}
-        />
-      </div>
-      <div className="mt-14 flex">
+      <div className="mt-4 flex">
         <Accordion type="single" collapsible className="w-full">
           <AccordionItem value="advance-settings" className="data-[state=open]:border-none">
             <AccordionTrigger className="h-fit flex-none pl-1 text-sm">

frontend/src/hooks/api/secrets/types.ts

@@ -101,6 +101,12 @@ export type SecretVersions = {
   skipMultilineEncoding?: boolean;
   createdAt: string;
   updatedAt: string;
+  actor?: {
+    actorId?: string | null;
+    actorType?: string | null;
+    name?: string | null;
+    membershipId?: string | null;
+  } | null;
 };
 
 // dto

frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretSqlProviderForm.tsx

@@ -36,7 +36,7 @@ const formSchema = z.object({
       revocationStatement: z.string().min(1),
       renewStatement: z.string().optional(),
       ca: z.string().optional(),
-      projectGatewayId: z.string().optional()
+      projectGatewayId: z.string().optional().nullable()
     })
     .partial(),
   defaultTTL: z.string().superRefine((val, ctx) => {
@@ -207,7 +207,7 @@ export const EditDynamicSecretSqlProviderForm = ({
                 helperText=""
               >
                 <Select
-                  value={value}
+                  value={value || undefined}
                   onValueChange={onChange}
                   className="w-full border border-mineshaft-500"
                   dropdownContainerClassName="max-w-none"

frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx

@@ -5,15 +5,19 @@ import {
   faArrowRotateRight,
   faCheckCircle,
   faClock,
+  faCopy,
+  faDesktop,
   faEyeSlash,
   faPlus,
+  faServer,
   faShare,
   faTag,
-  faTrash
+  faTrash,
+  faUser
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
-import { Link } from "@tanstack/react-router";
+import { Link, useNavigate } from "@tanstack/react-router";
 import { format } from "date-fns";
 
 import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
@@ -46,6 +50,7 @@ import {
 } from "@app/context";
 import { usePopUp, useToggle } from "@app/hooks";
 import { useGetSecretVersion } from "@app/hooks/api";
+import { ActorType } from "@app/hooks/api/auditLogs/enums";
 import { useGetSecretAccessList } from "@app/hooks/api/secrets/queries";
 import { SecretV3RawSanitized, WsTag } from "@app/hooks/api/types";
 import { ProjectType } from "@app/hooks/api/workspace/types";
@@ -120,6 +125,7 @@ export const SecretDetailSidebar = ({
     {}
   );
   const selectTagSlugs = selectedTags.map((i) => i.slug);
+  const navigate = useNavigate();
 
   const cannotEditSecret = permission.cannot(
     ProjectPermissionActions.Edit,
@@ -192,15 +198,73 @@ export const SecretDetailSidebar = ({
     await onSaveSecret(secret, { ...secret, ...data }, () => reset());
   };
 
-  const handleReminderSubmit = async (reminderRepeatDays: number | null | undefined, reminderNote: string | null | undefined) => {
-    await onSaveSecret(secret, { ...secret, reminderRepeatDays, reminderNote, isReminderEvent: true }, () => { });
-  }
+  const handleReminderSubmit = async (
+    reminderRepeatDays: number | null | undefined,
+    reminderNote: string | null | undefined
+  ) => {
+    await onSaveSecret(
+      secret,
+      { ...secret, reminderRepeatDays, reminderNote, isReminderEvent: true },
+      () => {}
+    );
+  };
 
   const [createReminderFormOpen, setCreateReminderFormOpen] = useToggle(false);
 
   const secretReminderRepeatDays = watch("reminderRepeatDays");
   const secretReminderNote = watch("reminderNote");
 
+  const getModifiedByIcon = (userType: string | undefined | null) => {
+    switch (userType) {
+      case ActorType.USER:
+        return faUser;
+      case ActorType.IDENTITY:
+        return faDesktop;
+      default:
+        return faServer;
+    }
+  };
+
+  const getModifiedByName = (
+    userType: string | undefined | null,
+    userName: string | null | undefined
+  ) => {
+    switch (userType) {
+      case ActorType.PLATFORM:
+        return "System-generated";
+      default:
+        return userName;
+    }
+  };
+
+  const getLinkToModifyHistoryEntity = (
+    actorId: string,
+    actorType: string,
+    membershipId: string | null = ""
+  ) => {
+    switch (actorType) {
+      case ActorType.USER:
+        return `/${ProjectType.SecretManager}/${currentWorkspace.id}/members/${membershipId}`;
+      case ActorType.IDENTITY:
+        return `/${ProjectType.SecretManager}/${currentWorkspace.id}/identities/${actorId}`;
+      default:
+        return null;
+    }
+  };
+
+  const onModifyHistoryClick = (
+    actorId: string | undefined | null,
+    actorType: string | undefined | null,
+    membershipId: string | undefined | null
+  ) => {
+    if (actorType && actorId && actorType !== ActorType.PLATFORM) {
+      const redirectLink = getLinkToModifyHistoryEntity(actorId, actorType, membershipId);
+      if (redirectLink) {
+        navigate({ to: redirectLink });
+      }
+    }
+  };
+
   return (
     <>
       <CreateReminderForm
@@ -213,7 +277,7 @@ export const SecretDetailSidebar = ({
           if (data) {
             setValue("reminderRepeatDays", data.days, { shouldDirty: false });
             setValue("reminderNote", data.note, { shouldDirty: false });
-            handleReminderSubmit(data.days, data.note)
+            handleReminderSubmit(data.days, data.note);
           }
         }}
       />
@@ -618,7 +682,7 @@ export const SecretDetailSidebar = ({
               <div className="mb-4flex-grow dark cursor-default text-sm text-bunker-300">
                 <div className="mb-2 pl-1">Version History</div>
                 <div className="thin-scrollbar flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4 dark:[color-scheme:dark]">
-                  {secretVersion?.map(({ createdAt, secretValue, version, id }) => (
+                  {secretVersion?.map(({ createdAt, secretValue, version, id, actor }) => (
                     <div className="flex flex-row">
                       <div key={id} className="flex w-full flex-col space-y-1">
                         <div className="flex items-center">
@@ -633,36 +697,42 @@ export const SecretDetailSidebar = ({
                           <div className="relative w-10">
                             <div className="absolute bottom-0 left-3 top-0 mt-0.5 border-l border-mineshaft-400/60" />
                           </div>
-                          <div className="flex flex-row">
-                            <div className="h-min w-fit rounded-sm bg-primary-500/10 px-1 text-primary-300/70">
-                              Value:
-                            </div>
-                            <div className="group break-all pl-1 font-mono">
-                              <div className="relative hidden cursor-pointer transition-all duration-200 group-[.show-value]:inline">
-                                <button
-                                  type="button"
-                                  className="select-none"
-                                  onClick={(e) => {
-                                    navigator.clipboard.writeText(secretValue || "");
-                                    const target = e.currentTarget;
-                                    target.style.borderBottom = "1px dashed";
-                                    target.style.paddingBottom = "-1px";
-
-                                    // Create and insert popup
-                                    const popup = document.createElement("div");
-                                    popup.className =
-                                      "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
-                                    popup.textContent = "Copied!";
-                                    target.parentElement?.appendChild(popup);
-
-                                    // Remove popup and border after delay
-                                    setTimeout(() => {
-                                      popup.remove();
-                                      target.style.borderBottom = "none";
-                                    }, 3000);
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                          <div className="flex w-full cursor-default flex-col">
+                            {actor && (
+                              <div className="flex flex-row">
+                                <div className="flex w-fit flex-row text-sm">
+                                  Modified by:
+                                  <Tooltip content={getModifiedByName(actor.actorType, actor.name)}>
+                                    {/* eslint-disable-next-line jsx-a11y/click-events-have-key-events, jsx-a11y/no-static-element-interactions */}
+                                    <div
+                                      onClick={() =>
+                                        onModifyHistoryClick(
+                                          actor.actorId,
+                                          actor.actorType,
+                                          actor.membershipId
+                                        )
+                                      }
+                                      className="cursor-pointer"
+                                    >
+                                      <FontAwesomeIcon
+                                        icon={getModifiedByIcon(actor.actorType)}
+                                        className="ml-2"
+                                      />
+                                    </div>
+                                  </Tooltip>
+                                </div>
+                              </div>
+                            )}
+                            <div className="flex flex-row">
+                              <div className="h-min w-fit rounded-sm bg-primary-500/10 px-1 text-primary-300/70">
+                                Value:
+                              </div>
+                              <div className="group break-all pl-1 font-mono">
+                                <div className="relative hidden cursor-pointer transition-all duration-200 group-[.show-value]:inline">
+                                  <button
+                                    type="button"
+                                    className="select-none text-left"
+                                    onClick={(e) => {
                                       navigator.clipboard.writeText(secretValue || "");
                                       const target = e.currentTarget;
                                       target.style.borderBottom = "1px dashed";
@@ -680,51 +750,74 @@ export const SecretDetailSidebar = ({
                                         popup.remove();
                                         target.style.borderBottom = "none";
                                       }, 3000);
-                                    }
-                                  }}
-                                >
-                                  {secretValue}
-                                </button>
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.stopPropagation();
-                                    e.currentTarget
-                                      .closest(".group")
-                                      ?.classList.remove("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        navigator.clipboard.writeText(secretValue || "");
+                                        const target = e.currentTarget;
+                                        target.style.borderBottom = "1px dashed";
+                                        target.style.paddingBottom = "-1px";
+
+                                        // Create and insert popup
+                                        const popup = document.createElement("div");
+                                        popup.className =
+                                          "w-16 flex justify-center absolute top-6 left-0 text-xs text-primary-100 bg-mineshaft-800 px-1 py-0.5 rounded-md border border-primary-500/50";
+                                        popup.textContent = "Copied!";
+                                        target.parentElement?.appendChild(popup);
+
+                                        // Remove popup and border after delay
+                                        setTimeout(() => {
+                                          popup.remove();
+                                          target.style.borderBottom = "none";
+                                        }, 3000);
+                                      }
+                                    }}
+                                  >
+                                    {secretValue}
+                                  </button>
+                                  <button
+                                    type="button"
+                                    className="ml-1 cursor-pointer"
+                                    onClick={(e) => {
                                       e.stopPropagation();
                                       e.currentTarget
                                         .closest(".group")
                                         ?.classList.remove("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEyeSlash} />
-                                </button>
-                              </div>
-                              <span className="group-[.show-value]:hidden">
-                                {secretValue?.replace(/./g, "*")}
-                                <button
-                                  type="button"
-                                  className="ml-1 cursor-pointer"
-                                  onClick={(e) => {
-                                    e.currentTarget.closest(".group")?.classList.add("show-value");
-                                  }}
-                                  onKeyDown={(e) => {
-                                    if (e.key === "Enter" || e.key === " ") {
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        e.stopPropagation();
+                                        e.currentTarget
+                                          .closest(".group")
+                                          ?.classList.remove("show-value");
+                                      }
+                                    }}
+                                  >
+                                    <FontAwesomeIcon icon={faEyeSlash} />
+                                  </button>
+                                </div>
+                                <span className="group-[.show-value]:hidden">
+                                  {secretValue?.replace(/./g, "*")}
+                                  <button
+                                    type="button"
+                                    className="ml-1 cursor-pointer"
+                                    onClick={(e) => {
                                       e.currentTarget
                                         .closest(".group")
                                         ?.classList.add("show-value");
-                                    }
-                                  }}
-                                >
-                                  <FontAwesomeIcon icon={faEye} />
-                                </button>
-                              </span>
+                                    }}
+                                    onKeyDown={(e) => {
+                                      if (e.key === "Enter" || e.key === " ") {
+                                        e.currentTarget
+                                          .closest(".group")
+                                          ?.classList.add("show-value");
+                                      }
+                                    }}
+                                  >
+                                    <FontAwesomeIcon icon={faEye} />
+                                  </button>
+                                </span>
+                              </div>
                             </div>
                           </div>
                         </div>
@@ -898,29 +991,49 @@ export const SecretDetailSidebar = ({
                       </Button>
                     )}
                   </ProjectPermissionCan>
-                  <ProjectPermissionCan
-                    I={ProjectPermissionActions.Delete}
-                    a={subject(ProjectPermissionSub.Secrets, {
-                      environment,
-                      secretPath,
-                      secretName: secretKey,
-                      secretTags: selectTagSlugs
-                    })}
-                  >
-                    {(isAllowed) => (
+                  <div className="flex items-center gap-2">
+                    <Tooltip content="Copy Secret ID">
                       <IconButton
-                        colorSchema="danger"
-                        ariaLabel="Delete Secret"
-                        className="border border-mineshaft-600 bg-mineshaft-700 hover:border-red-500/70 hover:bg-red-600/20"
-                        isDisabled={!isAllowed}
-                        onClick={onDeleteSecret}
+                        variant="outline_bg"
+                        ariaLabel="Copy Secret ID"
+                        onClick={async () => {
+                          await navigator.clipboard.writeText(secret.id);
+
+                          createNotification({
+                            title: "Secret ID Copied",
+                            text: "The secret ID has been copied to your clipboard.",
+                            type: "success"
+                          });
+                        }}
                       >
-                        <Tooltip content="Delete Secret">
-                          <FontAwesomeIcon icon={faTrash} />
-                        </Tooltip>
+                        <FontAwesomeIcon icon={faCopy} />
                       </IconButton>
-                    )}
-                  </ProjectPermissionCan>
+                    </Tooltip>
+                    <ProjectPermissionCan
+                      I={ProjectPermissionActions.Delete}
+                      a={subject(ProjectPermissionSub.Secrets, {
+                        environment,
+                        secretPath,
+                        secretName: secretKey,
+                        secretTags: selectTagSlugs
+                      })}
+                    >
+                      {(isAllowed) => (
+                        <Tooltip content="Delete Secret">
+                          <IconButton
+                            colorSchema="danger"
+                            variant="outline_bg"
+                            ariaLabel="Delete Secret"
+                            className="border border-mineshaft-600 bg-mineshaft-700 hover:border-red-500/70 hover:bg-red-600/20"
+                            isDisabled={!isAllowed}
+                            onClick={onDeleteSecret}
+                          >
+                            <FontAwesomeIcon icon={faTrash} />
+                          </IconButton>
+                        </Tooltip>
+                      )}
+                    </ProjectPermissionCan>
+                  </div>
                 </div>
               </div>
             </div>

frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretListView.tsx

@@ -238,10 +238,12 @@ export const SecretListView = ({
         if (!isReminderEvent) {
           handlePopUpClose("secretDetail");
         }
-        
+
         let successMessage;
         if (isReminderEvent) {
-          successMessage = reminderRepeatDays ? "Successfully saved secret reminder" : "Successfully deleted secret reminder";
+          successMessage = reminderRepeatDays 
+            ? "Successfully saved secret reminder" 
+            : "Successfully deleted secret reminder";
         } else {
           successMessage = "Successfully saved secrets";
         }